Developers must consider low-code app security
Security is baked into most low-code development platforms, but developers still need to pay attention to security issues and test for vulnerabilities.
The low-code/no-code revolution, which fuels digital transformation by letting nonprogrammers create applications, is a big win for productivity, but is it secure? That depends on how you use these tools, experts say.
The situation is complicated because low-code security is not well understood, said Sandy Carielli, an analyst at Forrester. A further complication is that enterprises are adopting low-code development tools to build apps that touch sensitive corporate and customer data, she said.
Low-code apps can be more secure than traditionally built applications when the entire lifecycle, from development through hosting, runs on the vendor's own managed cloud, where the vendor is responsible for hardening and maintaining the platform.
Low-code platforms can be less secure, however, when deployed in a customer data center or on a private hosting site, because customers then take on more responsibility for configuring security and for keeping those configurations correct as the application changes, Carielli said.
In addition, security becomes more of a problem when developers have to write custom code for parts of their apps outside the low-code platform's native environment.
Integration points, where low-code-built apps must connect to external databases, applications and cloud services, are another potential opening for vulnerabilities.
Indeed, one of the key trade-offs with low-code platforms is flexibility vs. security.
"If developers stay within the guardrails of the low-code platform and don't customize, they have less chance of introducing flaws like SQL injection," Carielli said. "Once you start adding external customizations to low-code, or you start tweaking the generated code produced by some low-code platforms, then there is a greater risk of introducing security weaknesses."
Avoid low-code overconfidence
While low-code platforms attempt to build in security, they can also provide developers with a false sense of safety.
"Low-code development platforms offer many of the same security capabilities as other appdev platforms, and often do so in a more approachable way," said Dave Gruber, an analyst at ESG Research in Milford, Mass. "They also can help avoid some of the more common OWASP [Open Web Application Security Project] top 10 issues. But low-code apps are seldom built in isolation, often requiring the use of other external functions and services -- opening the door to the same security challenges as other app-dev platforms."
That gap between perceived and actual safety can lead development teams to relax the discipline of their application security testing programs.
Broad base of app builders
The move toward low-code development, together with a growing reliance on integrations with third-party services, means that more people within an organization can contribute to development, lowering the barrier to entry for creating software.
That means a broader set of people will need some level of technical security training to ensure that the code and integrations they build don't introduce vulnerabilities, said Fletcher Heisler, director of developer enablement at Veracode, a security software provider in Burlington, Mass.
"Low-code systems are supposed to help us avoid common vulnerabilities -- but then again, so are modern web frameworks, and we still see SQL injection as the No. 1 common weakness despite the protections put in place by new technologies," Heisler said.
Moreover, it is important to apply traditional app security tools, such as penetration testing and vulnerability scanners, to test for vulnerabilities whether applications are the result of low-code or traditional development.
"Low-code or not, every platform has vulnerabilities, and as a systematic platform weakness may be there, it could expose the whole ecosystem," said Holger Mueller, an analyst at Constellation Research.
Applying these tools to all apps, low-code ones included, is essential to catching vulnerabilities before they reach production and to raising the overall level of low-code security.
"You must determine how secure the application is that this platform is building," said Gareth Rushgrove, director of product management at Snyk, a security software maker in London. "You have to put it through the same sort of test you would do any other application."
Security automation built in
"Much like antivirus software in the 1990s, security automation built into low-code platforms can similarly help organizations focus less on the security minutiae and more on building great applications."
Mike Hughes, senior director, OutSystems
For example, every application built on OutSystems automatically applies more than 200 risk and security controls covering application protection, continuity and availability, data protection and infrastructure protection, as well as policies and procedures, said Mike Hughes, senior director of product evangelism at the low-code platform provider.
"The majority of low-code platforms run with an interpreter model-based approach," Hughes said. "This is basically a black box, making security of apps hard to verify." That opacity is what OutSystems' 200 built-in checks are meant to compensate for.
OutSystems also generates standard application code that runs on a standard technology stack, so the code can be vetted further with industry-standard code analysis tools rather than trusted as a black box.
Beware the citizen developer?
The rise of citizen developers has underpinned the movement toward low-code/no-code platforms, but this population brings built-in security risks with it.
"[Low-code] sure makes things easier, but it's putting a lot of power and responsibility in the hands of non-technical folks who may not always be doing things with the express written consent of the good folks in IT," said Chris Gonsalves, an analyst at the 2112 Group. "Are vulnerabilities being introduced or compounded in low-code development? Maybe. Are policies being violated? Probably. Are we going to stop doing it? No way."
Gonsalves said he believes it's too late to un-ring the democratization of appdev bell at this point.
"We're not likely to make seasoned security professionals out of business-unit level developers," he said. "Therefore, the onus is on the CTO and the CISO to make sure the framework and the environment are screwed down tight and firmly controlled by well-crafted security policies."
Poorly executed citizen developer programs can expose enterprises to security risks, said Sheryl Koenigsberg, head of global product marketing at Mendix, a Boston-based low-code platform provider. "If people who don't have the skill set or expertise around security are suddenly unleashed to create software without guardrails, then there can be issues with everything from data security to network exposure," she said.
This issue is particularly acute when citizen developers are free to access low-code point products, or to purchase licenses, outside the purview of IT.
"I'm not completely sold on low-code and no-code development being a boon to security, but it sure as heck can be a bane," Gonsalves said. "In many places, it's threatening to become the shadow IT of appdev."
Consider a concrete case. A common hand-coding mistake, even among professional developers, is to pass text from form fields straight into a database query or a rendered page, so that attacker-supplied input is executed as part of the query or the page (SQL injection is the classic example) without anyone noticing. The developers then have to know the best practices for handling such input, such as parameterized queries and output encoding, and implement them by hand.
In contrast, a low-code platform with built-in security controls would automatically sanitize the data in those fields, so the application builder does not have to take care of such issues manually, said Jason Bloomberg, an analyst at Intellyx and author of the e-book Low-Code for Dummies.
"For less experienced developers -- including citizen developers -- the ability to remove dangerous data is absolutely essential," Bloomberg said. "Even for more experienced, professional developers, automatic security and compliance controls reduce headaches as well as the possibility of a mistakenly introduced vulnerability."
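The following is an added example, not code from the article, from Bloomberg, or from any low-code vendor. It shows the hand-coding mistake Bloomberg describes, and the SQL injection that Carielli and Heisler mention earlier in the piece, beside the fix a developer has to write by hand when no platform guardrail does it for them. It assumes a conventional hand-coded web app whose form field feeds a customer lookup; the database is an in-memory SQLite table with constructed sample rows, and the attack string is the standard tautology payload.

```python
"""Added example: form-field text spliced into SQL (vulnerable) beside
the parameterized version (hardened), plus output encoding for the
page that echoes the field back. Runs offline against constructed data."""
import html
import sqlite3

# Constructed sample rows; a real app would be talking to a shared database.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Classic tautology payload: closes the string literal, then adds a
# condition that is always true.
INJECTION = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the in-memory customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The mistake: the form-field value becomes part of the SQL text, so the
    database executes whatever the user typed as part of the WHERE clause."""
    query = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """The hand-applied best practice: a bound parameter. The value travels
    to the driver separately from the query and cannot alter its structure."""
    query = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_name(name: str) -> str:
    """Output encoding for the same field when it is shown back on a page;
    without it, script typed into the form runs in other users' browsers."""
    return f"<td>{html.escape(name)}</td>"


def demo() -> dict:
    """Run both lookups with an honest name and with the payload, and
    return the row counts so the difference is visible."""
    conn = make_db()
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "attack_vulnerable": len(lookup_vulnerable(conn, INJECTION)),
        "honest_hardened": len(lookup_hardened(conn, "alice")),
        "attack_hardened": len(lookup_hardened(conn, INJECTION)),
        "escaped": render_name("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload, the vulnerable lookup returns every customer row because the query has become `WHERE name = 'x' OR '1'='1'`; the parameterized lookup returns nothing, since it searches for a customer literally named `x' OR '1'='1`. That one-line difference is exactly the kind of control a platform can apply for every query automatically, and exactly what a citizen developer has to know to write when working outside the guardrails.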