Matias Madou at Secure Code Warrior explores the security risks that surround increasingly popular Low Code No Code platforms
Low Code No Code (LCNC) is currently a divisive topic in the software industry. While it’s not exactly a new topic, recently it’s seen a resurgence, with Gartner predicting that more than 65% of app development will utilise low code application platforms by 2024.
The chances are, however, that if you speak to a professional developer, they won't necessarily understand these environments well or appreciate their significance.
Where did LCNC platforms come from?
The roots of LCNC platforms can be traced all the way back to the 1980s. Fast-forward ten years to the 1990s, and companies were trying to lay off software developers and replace them with drag and drop platforms. Once the initial wave of excitement wore off, however, usage dwindled. Though they had the right idea, the timing wasn’t right and the technology wasn’t ready.
While the tech has advanced and attitudes have also evolved, the concept of LCNC platforms is essentially the same, so why the rapid rise in popularity?
The pandemic changed the playing field
One side effect of the pandemic was that it spurred the acceleration of digital transformation across many sectors. This was due, in many cases, to the almost overnight move to remote work. For example, figures from the ONS showed that in April 2020, less than half (46.6%) of people in employment did some work at home, and of those who did, 86.0% did so as a result of the coronavirus (COVID-19) pandemic.
Given that digital transformation relies inherently on bringing new technologies into the workplace, whether in-house or via third parties, developers must play their part.
While this is great news for the industry as it’s creating more job opportunities and demand for developers, it’s only worsening the existing digital skills gap.
Enter the LCNC platform. One of the reasons they seem to be growing so rapidly in popularity is that they cater not only to professional developers but are also accessible to non-professional or citizen developers. And while citizen developers will never be a substitute for the professionals, LCNC software does allow some of the pressure to be taken off security teams and helps to plug the ever-growing digital skills gap.
To break this down, the phrase LCNC is actually an umbrella term. It encompasses both low code and no code platforms, which in fact refer to slightly different technologies. No code platforms are primarily used by amateur or citizen developers and involve drag-and-drop features to build apps. Low code tools, by contrast, go beyond the no code approach, offering rapid application development with the option to use code or scripting.
What are the security risks, and why are they so potent?
It’s no wonder the predicted growth of LCNC platforms is so high, especially given the whole host of benefits they can provide in terms of speed, simplicity and productivity. However, despite these benefits, they present a number of legitimate security concerns.
Firstly, the platforms take the complexity out of software design, which, ironically, is actually the root of the security issues. In order to fully mitigate the risks of a vulnerability, security needs to be baked into every line of code. As developers have less visibility of the code with this kind of software, they cannot guarantee its quality.
For example, in many cases enterprises will not have visibility of the code and security controls put in place by the low code no code vendors, meaning they need to rely on the security tools they already have.
Another concern is access control. At the implementation stage, access control is a vital consideration for ensuring best practice is maintained. The main issue is that software should only allow access to what is needed. If the platform doesn't enforce this well enough, an LCNC platform user may not conform to best practice and, for ease of functionality, open up more access than they should.
Why is this an issue? When applications are overly communicative, especially with other applications, the attack surface grows exponentially, as does the risk of data leakage.
Where do they stand in the industry?
Despite the concerns around LCNC platforms, there is still a place in the industry for these coding frameworks. What it does mean is that there needs to be an onus on both the creators and the users of the platforms to ensure standards are met when it comes to security.
Users cannot blindly trust the frameworks and assume by default that everything will work. It’s essential that users understand from a security perspective how the framework was designed and how it’s intended to work as there may be consequences of oversimplification.
There’s no doubt that from an operations perspective, LCNC platforms are able to provide the end user with a whole host of benefits. However, if they are not created and used responsibly from a security perspective, then they have the potential to cause more damage than good.
Matias Madou is CTO and Co-founder of Secure Code Warrior