Many organizations now rely on low-code/no-code app development platforms to cost-effectively meet various application needs across various aspects of business operations. A recent survey revealed that 47% of organizations are already using these technologies, while 20% of those who are not using them have expressed the intention to use the technology in the next 12 months.
The low-code/no-code trend is changing the way organizations build apps for their needs.
Businesses can use low-code/no-code development platforms to create apps that digitize and automate manual and paper-based processes. They can be used in developing customer interaction tools. They can build apps that facilitate data sharing with business partners.
This is because low/no-code technology puts the power in the hands of business users, who are the best people to decide what the company needs to build next. Now they have the power to build it themselves.
As with every major wave of technology, change can also bring new risks, and low-code/no-code technology is no exception. The security risks of citizen development are real and can offset the benefits.
Here is a rundown of various points that highlight the potential risk of low-code/no-code app development and its resulting applications.
The Shared Responsibility of Application Security
Like the public cloud, no-code/low-code platforms make application development and automation (for different users and different use cases) easier and faster, but, as with the cloud, security becomes a shared responsibility.
LCNC vendors are responsible for ensuring that the platform itself cannot be compromised. The problem organizations face lies in the way pro and citizen developers use those platforms, the way they build and deploy applications and automations, and the business logic they implement.
When a pro or citizen developer creates something that exposes the organization to security or compliance risk, such as an app that exposes admin credentials to any user, an automation that transfers sensitive data to an uncontrolled location, or an app that exposes PII, it is the organization’s responsibility to detect such threats and drive remediation.
Lack of Visibility Leads to Impossible Management
One of the issues with no-code/low-code development is that security teams lack visibility. As cloud security expert Chris Hughes explains, “You are using the software and therefore do not know about the source code, associated vulnerabilities or the potential level of testing and rigor the platform has undergone.” Because the platforms remove the “code,” traditional security methods that rely on inventory and code scanning no longer apply.
No-code/low-code platforms are everywhere: from SaaS solutions the business already has, such as those from Microsoft, Salesforce, or ServiceNow, to platforms like Zapier that are adopted directly by business users. Security teams are left unable to know what is being used, who is using it, whether business-critical applications are being built with such tools, and whether those applications involve sensitive data.
How can security teams secure and manage what they can’t see?
To address this challenge of lack of visibility and management difficulty, the most viable solution is to choose a low-code/no-code platform that includes features that support visibility, such as the ability to integrate with existing security controls or third-party cloud-based security validation tools. Integration with security solutions or platforms is essential to have the ability to monitor the low-code apps being deployed, particularly the data they generate, process, store, and transmit.
Shadow IT is huge
At the rate low-code/no-code apps are being developed, especially in large and complex organizations, organizations shouldn’t be surprised to see their shadow IT grow bigger and bigger. A study by Everest Group indicates that shadow IT accounts for 50% or more of IT expenditure. This does not bode well for cybersecurity, especially given Gartner’s prediction that around 30% of security breaches are related to shadow IT.
To be clear, shadow IT is the use of IT systems, from hardware to software, without the explicit or implicit approval of the IT department. This is what usually happens when low-code/no-code applications are developed and used. Low-code/no-code cannot be separated from the problem of shadow IT.
Shadow IT is bad for organizations for a number of reasons. In particular, it results in the following:
- The inability to know and monitor IT assets indicates a failure to see the big picture. This prevents organizations from knowing clearly what they have and what they need to protect.
- Shadow IT makes it difficult to identify threats and effectively predict, stop, or mitigate them. Apps that are part of shadow IT can be the source of data leaks, but IT departments or cybersecurity teams may struggle to identify them and address the problem accordingly.
- Having more software usually means more points of failure. There are cases where low-code/no-code apps are no longer monitored because they are considered trivial or benign, which only leads to vulnerabilities when they leak data or allow script injection.
- Shadow IT is also an uncontrollable factor in organizational processes. Low-code/no-code apps built in the shadows cannot be aligned by IT with the organization’s security posture, and cannot be easily traced and fixed if they create security problems. The only way to address them is to bring the shadow parts of IT into the light, which means they have to stop being shadow IT.
Many IT experts echo the idea that shadow IT is not the problem itself, but a symptom. It would not exist if employees were getting the IT resources they need from the organization’s known IT setup. With proper security management and validation, low-code/no-code apps don’t need to be part of shadow IT.
Lack of Cybersecurity Expertise
Users don’t need deep technical knowledge to use low-code/no-code development platforms, let alone the cybersecurity savviness needed to ensure they don’t develop and deploy apps that create security vulnerabilities or conflict with their organization’s security posture.
This is an inherent security risk for any organization. Anyone can now build apps through intuitive interfaces, but almost none of them have any idea of the potential risks. Teaching and learning the fundamentals of secure app development won’t be easy.
The OWASP Top 10 Low-Code/No-Code Security Risks captures the various risks that can be attributed to low-code/no-code users’ lack of cybersecurity knowledge: apps with insecure authentication, data leakage issues, over-sharing of apps and components, data and secret handling failures, misconfiguration, dependency injection risks, unmanaged custom code, and vulnerabilities that allow privilege escalation.
Ordinary users probably haven’t heard about these security risks. They probably won’t know the steps needed to prevent them. Although app development platforms include wizards that offer reminders of security concerns, many users likely have no idea what exactly they mean.
In Conclusion
That said, the security risks of low-code/no-code app development are not something organizations are powerless against. Many platform vendors are becoming more aware of the security implications, and leading platforms are now designed with cybersecurity in mind.
The problems described here are by no means deterrents for those who want to try low-code app development platforms. The risks are real, but they have corresponding effective solutions. With the right cybersecurity knowledge and security validation tools, organizations can benefit from low-code/no-code apps and app development without security issues.
Ben Kliger is the CEO and Co-Founder of Zenity.