Many organizations now rely on low-code/no-code app development platforms to cost-efficiently address a variety of application needs in different aspects of business operations. A recent survey revealed that 47% of organizations are already using these technologies, while 20% of those who are not using them express intentions to adopt the tech in the next 12 months.
The low-code/no-code trend is changing the way organizations build apps for their needs.
Businesses can use low-code/no-code development platforms to create apps that digitalize and automate manual and paper-based processes. They can be used in developing customer engagement tools. They can build apps that make it easy to share data with business partners.
This is because low/no-code technology places the power in the hands of the business users, who are the best people to decide what the company needs to build next. Now they have the power to build it themselves.
Like with every major technology wave, innovation can also come with new risks, and low-code/no-code technology is no exception. The security risks of citizen development are real and can offset the advantages.
Here's a rundown of the different points that highlight the risk propensity of low-code/no-code app development and its resulting applications.
The Shared Responsibility of Application Security
Like the public cloud, no-code/low-code platforms make it easier and faster to develop applications and automations (for different users and different use cases), but this again comes with a security cost.
LCNC platforms are in charge of making sure that their platforms couldn't be hacked. The problem that organizations are facing is about the way pro and citizen developers are using those platforms and the way they build/implement applications and automations. It is also about the business logic that is implemented.
When a pro or a citizen developer creates an app that exposes an organization to security or compliance risks, such as an app that exposes admin credentials to any user, or an automation that moves sensitive data to an uncontrolled location, or an app that mishandles PII — it is the organization's responsibility to track such threats and drive remediation.
Lack of Visibility Leads to Impossible Governance
One of the issues with no-code/low-code development is the fact that security teams are lacking visibility. As cloud security expert Chris Hughes explains, "You're consuming the software and therefore don't know about the source code, associated vulnerabilities or potentially the level of testing and rigor the platform has undergone." This is because platforms abstract away the "code," leaving you unable to enable traditional methods that rely on inventorying and scanning the code.
No-code/low-code platforms are everywhere; From SaaS solutions that are already available in the business such as those from Microsoft, Salesforce, or ServiceNow, to platforms like Zapier that are adopted directly in the business. Security teams are left with no capability to know what is used, who the makers are, if business-critical applications are developed with such tools, and if they involve sensitive data.
How can security teams secure and govern what they don't see?
To address this challenge of lack of visibility and difficulty in governance, the most viable solution is to choose a low-code/no-code platform that comes with features that support visibility, like the ability to integrate with existing security controls or with third-party cloud-based security validation tools. Integration with security solutions or platforms is important to have the ability to keep track of the low-code apps being deployed, particularly the data they generate, process, store, and transmit.
Overwhelming Shadow IT
At the rate low-code/no-code apps are churned out, especially among large and complex organizations, organizations should not be surprised to see their shadow IT growing bigger and bigger. A study by the Everest Group indicates that shadow IT constitutes 50% or more of IT expenditure. This does not bode well for cybersecurity, especially in view of Gartner's prediction that around 30% of security breaches are attributable to shadow IT.
To emphasize, shadow IT is about the use of IT systems, from hardware to software, that do not have the explicit or clear approval of the IT department. This is what typically happens with the development and use of low-code/no-code applications. It would be inexpedient to disassociate low-code/no-code with the problem of shadow IT.
Shadow IT is not good for organizations for many reasons. Most notably, it results in the following:
- The inability to know and monitor IT assets infers the failure to see the big picture. It prevents organizations from clearly knowing what they have and what they need to protect.
- Shadow IT makes it difficult to identify threats and effectively anticipate, stop, or mitigate them. Apps that form part of shadow IT can become the origin of data leaks, but the IT departments or cybersecurity teams may have a hard time pinpointing them and addressing the problem accordingly.
- Having more software usually means more points of failure. There are cases when low-code/no-code apps are no longer monitored because they are thought of as insignificant or benign, only to end up becoming vulnerabilities because they leak data or allow script injection.
- Also, shadow IT is an uncontrollable factor in organizational processes. Low-code/no-code apps under the veil of shadow IT cannot be made to align with the security posture of an organization and cannot be easily traced and fixed if they are creating security problems. The only way to rein them in is to bring these shadow IT components to the light, which means they have to stop becoming shadow IT.
Many IT experts echo the idea that shadow IT is not the problem itself, but a symptom. It would not exist if employees were getting the IT resources they need from the known IT setup and resources of an organization. Low-code/no-code apps do not have to become part of shadow IT, with proper governance and security validation.
Lack of Cybersecurity Expertise
Users do not need profound technical know-how to figure out how to use low-code/no-code development platforms, let alone the cybersecurity savviness to make sure that they do not build and deploy apps that can create security vulnerabilities or conflicts with the security posture of their organizations.
This is clearly an inherent security risk for any organization. Anybody can now build apps through intuitive interfaces, but almost all of them do not have any clue about the potential risks. It is not going to be easy to teach and learn the foundations of secure app development.
The OWASP Top 10 Low-Code/No-Code Security Risks capture the different risks that can be attributed to the lack of the cybersecurity knowledge of low-code/no-code users. There is a tendency to create apps with insecure authentication, data leakage issues, oversharing of apps and components, data and secret handling failures, misconfiguration, dependency injection risks, unmanaged custom mode, and vulnerabilities that enable privilege escalation.
Ordinary users probably have not even heard of these security risks. It is unlikely that they would know the measures necessary to avoid these. Even if app development platforms come with wizards that offer reminders on security concerns, many users would probably be clueless about what they mean exactly.
The problem with low-code/no-code app development security risks is not something organizations are helpless with, though. Many platforms are already starting to become more conscious of the security repercussions. The leading platforms are now designed with cybersecurity in mind.
The problems described here are by no means implicit deterrents for those who want to try low-code app-building platforms. The risks are real, but they are not without the corresponding effective solutions. With the right cybersecurity knowledge and security validation tools, organizations can benefit from low-code/no-code apps and app development without security issues.
Ben Kliger is the CEO and Co-Founder of Zenity.