4 security concerns for low-code and no-code development

Low code does not mean low risk. By allowing more people in an enterprise to develop applications, low-code development creates new vulnerabilities and can hide problems from security.

Low-code and no-code development promises to speed up the deployment of new applications and to allow non-technical users to create apps. The idea has been around for a long time. Now, new cloud-based platforms for creating mobile and web apps, as well as tools built into platforms like Microsoft's Office 365, Google's G Suite and Salesforce, are bringing app development capabilities to a growing user base.

According to research by MarketsandMarkets, the low-code development platform market is expected to grow from $4.3 billion in 2017 to more than $27 billion by 2022. In fact, 84% of enterprises have adopted a low-code development platform or tool, according to a Forrester survey of global IT and business decision makers released in March 2019, and, of those, 100% have seen a positive return on their investment.

In many respects, these development platforms are more secure than the technologies they're replacing, since the cloud vendors can implement global access controls and permissions while giving enterprises a single view into what all their employees are doing with the data. However, 59% of respondents to the Forrester survey cite security as the top challenge when it comes to adoption of low-code platforms.

Here are four security concerns around low-code apps that experts believe enterprises need to consider.

1. Lack of visibility

One of the biggest challenges of low-code and no-code development is that it might be difficult for enterprises to get a handle on what their employees are building. Part of it has to do with the whole problem of shadow IT, says Mounir Hahad, head of threat research at Juniper Networks. "Most shadow IT we hear about is tied to the hip with shadow development," he says. "Very often, when employees go around corporate IT to stand up a public cloud infrastructure, be it storage or compute, it is usually accompanied by some application that allows processing of data in the cloud."

On-premises low-code platforms can pose the same kind of visibility problems for enterprises. Microsoft Excel scripts and macros, for example, are ubiquitous in enterprises, and all but ungovernable. "If you install a rapid application development tool on a desktop and build apps, IT doesn't have any visibility," says Gartner analyst Jason Wong.

Moving to the cloud can help improve visibility, he says, adding that "there is more ability to apply governance to access, and have rules-based permissions." In that respect, cloud-based platforms can be more secure than the on-premises alternatives.

Wong uses the example of a business user who isn't allowed to use Salesforce app builder. "They'll go ahead and extract that data and put it into Excel," he says. "I would say that's less secure than actually building in Salesforce, where you have visibility, where you have the opportunity to know what's happening, as opposed to some Access database being spread and shared around."

2. No data oversight

The first question companies need to answer when moving to low-code and no-code platforms is whether their data will be safe. Depending on the platform, companies may choose to restrict the kind of data being shared or how it can be used. "You can set up a sandbox where the users can build whatever they want but can't access mission-critical data," says Wong. "If they need access to anything else, that could be a request to the business and to IT: 'Hey, I work in HR, but I really need this piece of customer data for my app.' Then you could get approval, and maybe only have read-only access to that data."

Many of the top-tier, enterprise-grade platforms offer a lot of opportunities for businesses to apply controls. "Just as long as they understand that they're not just opening up everything to everybody," says Wong.

The security of the underlying data is the most important concern, says Jerry Gamblin, principal security engineer at Kenna Security, more important than the code. "If you have software calculating the value of pi, that's not going to be a big deal for the company," he says. "But if you put sensitive customer data in it, that's where you have the problem. So, think about the data first."

One problem with some low-code and no-code platforms is that end users are sometimes in a position to make decisions about configurations, permissions and access controls, says Sabin Thomas, VP of engineering at Threat Stack. There are inherent risks in how customer data is siloed and partitioned in these platforms. "Achieving effective data segregation requires implementing access and role definitions, tasks that are typically outside the scope of the average citizen developer that the low-code platforms are meant to empower," he says.

Thomas adds that not all low-code platforms are equal when it comes to more fine-grained controls. Google Docs and other collaboration platforms, for example, typically have an access mechanism that controls viewing, editing and sharing data. "However, more advanced controls that allow for auditing of logins and re-shares, auto-expiring time-based access and more granular access controls are beyond base level capability," he says.

Another challenge is that some low-code platforms allow users to create applications that connect to multiple systems and data sources, says Richard Salinas, managing director for business automation at Sparkhound, a digital advisory services firm. "Every data source has its own security mechanism," he says. "For example, an app may connect to a SharePoint site with poor governance and permissions applied."

In that case, the development platform might incorrectly get the blame for the security issue. "The blame should be put on the data source and data source manager."

3. No auditing of vendor systems

In many cases, the code and security controls that low-code or no-code platform vendors put in place may not be visible to an enterprise. To find out how secure those vendors are, companies need to rely on the tools they already have in place -- third-party security audits, security and compliance certifications, service level agreements, and cybersecurity insurance.

It makes a difference if a single end user decides to use a particular platform or if an enterprise decides to adopt it company-wide. "As an individual user signing up for a SaaS service, you probably don't have the ability to call them and say, 'You need to fill out this 20-page security questionnaire'," Gamblin says. "But if you're using it for your whole company, you'll have a process."

Some low-code vendors are trying to make things more transparent. "In our case, we generate .NET code," says Mike Hughes, director of product marketing at OutSystems, a low-code development platform. "You can point software that checks security issues at that code, so you can know for sure that the code you're running is secure. A lot of our customers do that, but if it's just a black box -- then what's going on inside, who knows."

Moving to low-code and no-code development platforms that don't have this kind of transparency takes away some control from security teams, says Kelly Shortridge, VP of product strategy at Capsule8. That doesn't necessarily mean that security will suffer. "I think that if users want an application, it's better to build it using standard platforms instead of developing code themselves," she says. "If there's a vulnerability found in their components, the platform vendors would push out a patch and it would update all the applications that use those components."

Companies like Salesforce have been doing a good job with securing the data they hold, and building secure scripting tools. "If an enterprise thinks that their own code would be more robust, that's delusional," she says.

4. Business logic problems that expose data

Low-code and no-code development platforms typically include permissions and access controls by default, often inherited from the underlying data they hold for their customers. That can make it easier for both experienced developers and non-developers to quickly create secure apps.

"But the problem is that you can still make stupid mistakes," says Charles Henderson, head of the X-Force Red cybersecurity group at IBM. "CISOs initially think that since there's little to no actual code involvement, it's more secure. But never underestimate the ability to make poor security decisions on any platform."

The more capable the platforms get, the more people can do with them, and the more ways they have to undermine enterprise security. A logic problem that, for example, allows one user to see data belonging to another, or that posts sensitive information to a public location, could cause significant problems for a company.

Henderson recommends that companies apply the same level of security testing to low-code and no-code apps that they do to their traditionally developed software. "Security testing programs reach far and wide," he says. "Most enterprise firms have pretty well thought out security testing programs at this point, and often use outside firms to do the testing. But the low-code apps, often they don't get caught up in the same security testing that other applications would be subject to."

"Security folks need to take the lessons they gave to in-house developers and teach them all over again to end users who might be using low code platforms," Henderson says. "There's no filter for stupid."
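The two failure modes the article keeps returning to, a citizen developer who never defines the access and role rules that data segregation needs (section 2) and a business-logic flaw that lets one user read another user's record (section 4), are the same bug seen from two sides. The following is an added example, not code from the article or from any of the platforms it names: a toy data layer for a low-code-style app, with the vulnerable lookup beside a hardened one that enforces ownership plus explicit read-only role grants, and an exhaustive check of the kind Henderson says low-code apps rarely get. All users, roles, tables and records are constructed for illustration.

```python
"""Constructed example: a toy record store for a low-code-style app.

fetch_record_unchecked() has the classic logic flaw: authentication has
happened, but the only authorization is "does the row exist", so any
user can read or write any record by supplying its id.
fetch_record() denies by default and allows access only to the owner or
to a role with an explicit grant for that table and mode.
find_violations() exercises every (user, record, mode) combination the
way an automated authorization test would.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    table: str
    owner: str
    data: dict


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Role grants: (role, table) -> allowed modes. Only the owner or a granted
# role may touch a row. HR gets read-only on customer data, mirroring the
# "approved, read-only" scenario in the article. (Constructed policy.)
GRANTS = {
    ("hr", "customers"): {"read"},
    ("sales", "customers"): {"read", "write"},
    ("admin", "customers"): {"read", "write"},
}

# Constructed sample data: two customer rows and one private note.
RECORDS = {
    1: Record(1, "customers", "alice", {"name": "Acme", "card_last4": "4242"}),
    2: Record(2, "customers", "bob", {"name": "Globex", "card_last4": "1881"}),
    3: Record(3, "notes", "carol", {"text": "lunch ideas"}),
}
USERS = [
    User("alice", frozenset({"sales"})),
    User("bob", frozenset({"sales"})),
    User("carol", frozenset({"hr"})),
    User("dave", frozenset()),  # authenticated, but holds no role at all
]


def fetch_record_unchecked(user: User, record_id: int, mode: str = "read") -> dict:
    """Vulnerable: the caller's identity and the requested mode are ignored.
    A user who guesses or increments record ids reaches everyone's data."""
    return RECORDS[record_id].data


def is_allowed(user: User, record: Record, mode: str) -> bool:
    """Policy oracle: owner has full access, otherwise an explicit grant
    for (role, table) must include the requested mode."""
    if record.owner == user.name:
        return True
    return any(mode in GRANTS.get((role, record.table), set()) for role in user.roles)


def fetch_record(user: User, record_id: int, mode: str = "read") -> dict:
    """Hardened: deny unless the policy oracle says yes."""
    record = RECORDS[record_id]
    if not is_allowed(user, record, mode):
        raise PermissionError(f"{user.name} may not {mode} record {record_id}")
    return record.data


def find_violations(fetch, users=USERS, records=RECORDS):
    """Security test: try every user against every record in both modes and
    report each access that succeeded although the policy forbids it.
    Returns a sorted list of (user, record_id, mode) tuples."""
    violations = []
    for user in users:
        for rid, rec in records.items():
            for mode in ("read", "write"):
                try:
                    fetch(user, rid, mode)
                    succeeded = True
                except PermissionError:
                    succeeded = False
                if succeeded and not is_allowed(user, rec, mode):
                    violations.append((user.name, rid, mode))
    return sorted(violations)


if __name__ == "__main__":
    print("unchecked:", find_violations(fetch_record_unchecked))
    print("hardened: ", find_violations(fetch_record))
```

The exhaustive loop in find_violations is the point: a low-code app is usually tested only along the path its builder had in mind (the HR user reading the one customer row she asked for), while the flaw lives in the paths nobody tried (the role-less user, the write on a read-only grant, the id that belongs to someone else). Against the unchecked lookup the check reports twelve violations; against the hardened one it reports none.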

Copyright © 2019 IDG Communications, Inc.
