In June, we published a white paper on the rapidly growing movement toward low code / no code application development. We expressed our excitement about the potential to lower development costs, improve operational efficiencies, and open the door to democratized software development. But we also highlighted the additional security risks stemming from newly decentralized development processes.
Key Low Code / No Code Security Risks
- Limited visibility into low code / no code applications: “Low code / no code” refers to how much code a user needs to know to build applications on a low code / no code platform. It does not indicate how much raw source code the platform actually contains behind the scenes. Platform users’ lower visibility into this underlying source code makes it more difficult to detect vulnerabilities or to have line of sight into the security testing protocols the code has undergone.
- Insecure code: Low code / no code platforms are built from code libraries that can originate from a range of sources, including commercial third-party providers, open-source components, and cloud API services. Each of these elements is in turn an independent stream of code that can itself depend on further code streams. The difficulty of seeing through these nested layers increases the risk of insecure code slipping through and being propagated across an organization through broad use of the low code / no code platform.
- Shadow IT: A shadow IT application is any application that a department or end user in an organization adopts for business purposes without involving an internal IT group. Without oversight by IT professionals to ensure that rigorous security protocols are followed in code development, shadow IT could expose applications to damaging security breaches. The volume of shadow IT exploded with the widespread use of cloud-based applications and SaaS solutions. It is likely to continue to grow with the expansion of low code / no code, which makes creating applications quicker and easier while expanding the number of application builders residing outside of the IT department.
Efforts to Address Security Challenges
While low code / no code presents additional security challenges, it is heartening to see that low code application platforms (LCAPs) are taking the threat seriously and are increasingly proactive in securing code and preventing attacks.
For example, a Linux Foundation study published earlier this year found that 78% of organizations expect to produce or consume software bills of materials (SBOMs) in 2022 [1]. This is a significant increase, and one that may drive growing interest among software consumers in greater transparency about the components delivered by participants in a software supply chain.
Leading LCAPs are also making available security results, such as those from static and dynamic application security testing (SAST / DAST), to organizations using their platform to provide greater confidence in code security. In addition, most major platforms also offer other enterprise-grade security features, such as end-to-end encryption, multi-factor authentication, data isolation, and built-in privacy controls.
Additional Security Efforts May Be Required
Despite the actions taken by LCAPs to increase security, organizations using these platforms are well-advised to heighten their own security posture before a breach materializes. Recommended steps include:
- Using LCAPs only from trusted vendors with strong reputations and third-party certifications (ISO / IEC 27001, SOC 2).
- Maintaining good access control with clear line of sight to who is using the LCAPs and what activities they are performing.
- Keeping a complete low code / no code application and software inventory.
- Implementing secure data practices that document where critical data resides and what applications have access to that data.
To date, we know of no major data breach or cyberattack originating specifically from a low code / no code developed application. However, as the low code / no code trend builds, it will become increasingly important for LCAPs and end users to ensure that rigorous security protocols are in place and that preventative steps are taken to identify and mitigate potential vulnerabilities throughout the software supply chain.
[1] “The State of Software Bill of Materials and Cybersecurity Readiness,” The Linux Foundation, February 2022.