Four security issues of low code and no code development
2022-06-24 17:49:00 【Software test network】

Delegating application creation to a broader IT and business community in order to drive business value is clearly attractive. That said, using low-code and no-code platforms is not without security issues. As with any other software product, the rigor of the development platform and its related code is a concern that cannot be ignored.
What is low-code / no-code development?
No-code tools and platforms use drag-and-drop interfaces so that non-programmers, such as business analysts, can create or modify applications. In some cases a little coding may be required (low-code) to integrate with other applications, generate reports, or modify the user interface. This usually uses SQL, Python, or another high-level programming language.
Examples of low-code / no-code platforms include Salesforce Lightning, FileMaker, Microsoft PowerApps and Google App Maker. Here are the four most important security issues to pay attention to when using this kind of platform.
(1) Low visibility into low-code / no-code applications
Using an externally developed platform always brings visibility issues. Many people use this software without knowing its source code, its potential vulnerabilities, or the testing and rigor the platform has been through.
One way to address this is to ask the supplier for a software bill of materials (SBOM). An SBOM provides insight into the software components the platform contains and their associated vulnerabilities. The latest Linux Foundation research shows that 78% of businesses plan to use SBOMs in 2022. Even so, SBOM use is still maturing, and there is still a lot of room for the industry to develop and standardize the practices, processes and tools.
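As an added illustration (not part of the original article), the script below shows what a consumer can do with a vendor-supplied SBOM: parse a minimal CycloneDX-style document and cross-reference its components against an advisory list. The SBOM, the component names and the advisory entries are all constructed placeholders; a real check would use the vendor's scan results or a vulnerability database.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM as a vendor might supply it.
# Component names and versions are made up for illustration only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "report-engine", "version": "2.3.1"},
        {"type": "library", "name": "form-renderer", "version": "1.0.7"},
        {"type": "library", "name": "sql-connector", "version": "4.2.0"},
    ],
})

# Constructed advisory feed: component name -> (first fixed version, advisory id placeholder).
SAMPLE_ADVISORIES = {
    "form-renderer": ("1.1.0", "ADVISORY-PLACEHOLDER-1"),
    "sql-connector": ("4.1.5", "ADVISORY-PLACEHOLDER-2"),
}


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def components(sbom_json):
    """Return (name, version) pairs for every component listed in the SBOM."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def affected_components(sbom_json, advisories):
    """Cross-reference SBOM components with advisories.
    A component is flagged when its version is older than the first fixed version."""
    findings = []
    for name, version in components(sbom_json):
        if name in advisories:
            fixed, advisory_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append({"component": name, "version": version,
                                 "fixed_in": fixed, "advisory": advisory_id})
    return findings


if __name__ == "__main__":
    for f in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']} is below fixed version {f['fixed_in']} ({f['advisory']})")
```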
(2) Insecure code
Related to the visibility issue is the possibility of insecure code. Low-code and no-code platforms still have code; they just abstract it away and let end users use pre-built code functions. This is good because it eliminates the need for non-developers to write their own code. Problems arise when the code being used is insecure and is inherited by the enterprise's applications through the low-code or no-code platform.
One way to address this is to work with platform vendors and request the security scanning results for the code used in the platform. Results from static and dynamic application security testing (SAST/DAST) and other scans can give consumers a degree of assurance that they are not simply copying insecure code. The idea of creating code outside of enterprise control is not new; it is very common with open source software, which more than 98% of enterprises use, and software supply chain threats associated with other repositories, such as infrastructure as code (IaC) templates, are common.
Another aspect to consider is that many low-code and no-code platforms are delivered as SaaS. This allows enterprises to ask suppliers for industry certifications such as ISO, SOC 2 and FedRAMP. These provide further assurance about the supplier's operations and about the security controls of the SaaS application or platform itself.
SaaS applications carry many security risks of their own and require proper governance and strict security. If SaaS applications and platforms are not properly reviewed, the business may be exposed to unnecessary risk.
(3) Out-of-control shadow IT
Low-code and no-code platforms allow rapid application creation, even by people without a development background, and this can also cause shadow IT to proliferate. Shadow IT occurs when business units and employees create applications and use them inside or outside the enterprise. These applications may contain sensitive or regulated enterprise and customer data; if they are compromised in a data breach, the consequences for the enterprise can be wide-ranging.
(4) Business interruption
From a business continuity perspective, low-code and no-code platforms delivered as a service can disrupt the business if the platform goes down. It is very important for enterprises to establish service level agreements (SLAs) for business-critical applications, including low-code and no-code platforms.
Tips for reducing the risk of low-code / no-code development
Whatever technology is involved, common security best practices can mitigate development risks, including:
- Buy software and platforms from trusted suppliers with a good reputation in the industry.
- Ensure that these suppliers hold third-party certifications that attest to their internal security practices and processes.
- Include low-code and no-code platforms, and the applications created with them, in the enterprise's application and software inventory.
- Maintain good access control; know who is accessing the platform and what activities they are allowed to perform.
- Implement secure data practices so that you know where key data is located and whether applications created with low-code and no-code platforms contain sensitive data.
- Understand where managed low-code / no-code platforms are hosted. Are they hosted with a hyperscale global cloud provider such as AWS, Google or Microsoft Azure? Or are they hosted in an on-premises data center with limited or no physical and logical access control?
It is also important to consider the enterprise's security culture. Although platform users may not be professional developers or security experts, they should understand the security implications of the low-code and no-code platforms and applications being used and created. As the saying goes, with great power comes great responsibility, and this applies to low-code and no-code platforms as well.