The new trend in enterprise application development: creating new applications without writing code. "Low-code" or "no-code" development platforms offer the promise of rapid application development — often by business-unit or subject-matter experts — without the overhead of traditional development by traditional developers.
The question is whether no-code also means no security.
From content management systems like WordPress to enterprise application builders like Appian, no/low-code platforms are intended to allow developers to focus on the application logic while the details of device, delivery network, and user interfaces are left to the platform. "Low-code and no-code development models are powerful and democratize development for non-technical users to easily build powerful workflows," says Vinay Mamidi, senior director of project management at Virsec. "But there’s always a gotcha -- while trained developers may have varying levels of skill in security, no-code developers are generally oblivious to security best practices or risks."
Does training matter?
While business unit developers may not have the security expertise of trained enterprise software developers, the operating assumption is that the platforms themselves build security into the final product. "The onus moves onto the framework from the [platform] developers, so [the platform users] don't have to understand secure coding," explains Jason Kent, hacker in residence at Cequent. "But that assumes that the framework is written securely."
That assumption can be a good one, if the framework is being used the way it was intended.
Ali Golshan, CTO and co-founder at StackRox, feels that smaller companies with limited development staff and lines of business creating applications that are not enterprise-critical are good use cases, because, "…there's a huge step up [in security] because there is a common denominator as far as security best practices and implementations that framework providers build into their own SDLC [software development lifecycle]."
The common denominator in security can include some of the basic functions that should be part of secure application development but are often overlooked. "[No-code development] also has the advantage of raising the security barrier since most lower-level vulnerabilities, stemming from the lack of input validation and code integrity checks, are taken care of by the platform," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
But those things don't take responsibility for security away from the application development team.
Best no-code practices
"In no way does this solve the general problem of securing an application," Hahad says, continuing, "Patching for vulnerable subsystems and third-party code still needs to be done, for example."
The same characteristics that make no-code development so productive for some organizations can bring challenges when it comes to security. "With no-code platforms, enterprises quickly lose visibility over critical processes and data usage, and users can easily build business logic that exposes sensitive or regulated information," says Mamidi. He says that organizations using no-code development must make specific plans for security (and regulatory compliance) from the beginning of the process.
"Enterprises must find ways to audit processes and vendors, and maintain reasonable security oversight, even if that makes the process a bit less convenient," Mamidi says.
As part of the audit and security process, Golshan points out that knowing what's actually going on within the application is important.
"You want to deploy your application on top of a cloud native environment where there is some notion of deep logging," he says, explaining that tracing and building support for microservices environments is critical.
To keep "no-code" from becoming synonymous with "shadow IT," a deep partnership between the team building the applications and the organization's security team is important. "There's a lot of resistance on the security side and developer side to make that that first step, but it's critical. It's critical for organizations to encourage that," says Matt Keil, director of product marketing at Cequence.
Keil says that the introduction of no-code development can actually be the impetus for starting the critical conversation between security and the developers. "I think the right approach is to engage with the business group in a conversation. Don't act like 'Doctor No' that's just going to continue to foster the divide between security and the development team," he continues.
Among the areas that Golshan feels should be considered are those that control who (and what) has access to the application. "I think one of the areas that low-code/ No-code has the potential to really improve is how it handles access management, authentication, and authorization," he says.
And for all of the areas that should be considered, experts point back to the documents produced by NIST as useful frameworks for organizations to lean on. While some consider the NIST documents as being useful primarily for government organizations, the principles can be valuable for any organization, especially those looking to develop in a new methodology.
Ultimately, though, the best chance for success may be to have someone who makes sure the organization doesn't forget security. "The most successful organizations that I see have an application security architect — somebody with a foot in security and a foot in development," says Kent. "They can more easily identify and define the kinds of controls that you need to make low code,/no code environments secure and still collaborative."