App building platforms have a plethora of names: low code, no code, rapid application development software, mobile app development platform, and now multiexperience development platforms. Regardless of their name, one thing all these platform types have in common are their perceived application security
In a world where these platforms continue to grow in popularity, how can developers (and more importantly, CTOs and CIOs) manage their evolving security risks?
This article focuses on low code security.
Low-code platforms are not, by definition, insecure or risky. Many managers and developers are skeptical of app builder platforms however, due to three main perceived security risks:
- low-code platforms write unsecure code
- low-code platforms create opportunities of scale for hackers
- shadow IT - your (newly empowered) less technical users may create vulnerabilities in your software ecosystem
While each of these are valid concerns, they can be mitigated by corrective actions by both users and app building platform providers.
Let's tackle each perceived risk and its mitigation in turn.
No code is 100% secure. This includes code written by humans, bots, and others.
Your off-the-shelf software system may receive regular security patches, or have known vulnerabilities over a decade old. They can be a black box
. Your custom application developer may write secure code, but make a mistake. Your low-code platform of choice may write code with some holes, but less than can be normally expected. Even when developing a custom application in-house, security is a risk.
A core advantage of low-code is that developers can write more of the basic, recurring code faster (because bots are helping). This leaves more time for making sure:
- software architecture is moving in the right direction;
- API endpoint permissions are logical; and
- security vulnerabilities can be addressed sooner rather than later (once X, Y, Z core features have been implemented).
Furthermore, unless your app building platform has adopted a no-code approach to developing software, your developers (in-house or outsourced) can, and should, be augmenting your code base with custom code that improves functionality and security.
Some low-code platforms write insecure code, but this is not a law of nature. Many by-hand developers write insecure code. No code is 100% secure.
What business can do to keep their security up-to-date, is continuously modernise their software ecosystem (architecture, functionality, and security). To this goal, low-code is far from a hindrance, but a massive help.
If your business creates half a dozen apps using a single app building platform, then a vulnerability in one of these is likely a vulnerability in all of them. Right? And if this app building platform is used by thousands of businesses, there's a massive target on your back.
This makes using low-code seem like a risky proposition, however, with a thousand CTOs and IT departments keeping a close eye on their code, shouldn't we assume vulnerabilities will be patched at a far faster rate. Many hands make light work and many eyes make catching potential problems easier.
In any case, businesses should be continuously modernising their software ecosystem (architecture, functionality, and security). This modernisation should be accomplished using a mixture of code from your app builder platforms, combined with custom, developer-written code.
The final perceived security risk is shadow IT. Shadow IT
is any and all software purchases and activities done without your IT department's knowledge.
For example, maybe the marketing department writes articles on Google Docs before posting them. This is probably not a concern. On the other hand, what if your sales department were to keep highly personal customer information in Google Sheets? This has potential concern. When C-Suite employees start installing obscure programs like Kaspersky antivirus, it's definitely time to get concerned.
Many low-code skeptics have defaulted to thinking that a low-code platform will encourage shadow IT, and because shadow IT is a risk, low-code is a risk. This argument is underwhelming.
For starters, shadow IT existed long before low-code. The only difference is now IT departments can try and funnel people towards using a selected low-code provider that meets IT's standards and can be monitored (even if only loosely).
All good low-code platforms include features such as Codebots' Security Diagram, which makes adding and editing security simple.
Overall, mitigating your low code security risk is much easier than many low-code skeptics believe.
At the end of the day, these platforms are only growing in popularity, and developers, CTOs, CIOs, and IT departments need to ensure they're ready for evolving security risks in a world of low-code.
The good news is the common perceived risks associated with low-code are mostly the result of unbalanced weighing of the pros and cons. As always, take security seriously, but don't wrap your business in bubble wrap.