
Edge Articles

1/8/2020
01:20 PM
Curtis Franklin Jr.

In App Development, Does No-Code Mean No Security?

No-code and low-code development platforms are part of application development, but there are keys to making sure that they don't leave security behind with traditional coding.

(image by gaihong, via Adobe Stock)

The new trend in enterprise application development: creating new applications without writing code. "Low-code" or "no-code" development platforms offer the promise of rapid application development — often by business-unit or subject-matter experts — without the overhead of traditional development by traditional developers.

The question is whether no-code also means no security.

From content management systems like WordPress to enterprise application builders like Appian, no/low-code platforms are intended to allow developers to focus on the application logic while the details of device, delivery network, and user interfaces are left to the platform. "Low-code and no-code development models are powerful and democratize development for non-technical users to easily build powerful workflows," says Vinay Mamidi, senior director of project management at Virsec. "But there’s always a gotcha -- while trained developers may have varying levels of skill in security, no-code developers are generally oblivious to security best practices or risks."

Does training matter?

While business unit developers may not have the security expertise of trained enterprise software developers, the operating assumption is that the platforms themselves build security into the final product. "The onus moves onto the framework from the [platform] developers, so [the platform users] don't have to understand secure coding," explains Jason Kent, hacker in residence at Cequence. "But that assumes that the framework is written securely."

That assumption can be a good one, if the framework is being used the way it was intended.

Ali Golshan, CTO and co-founder at StackRox, feels that smaller companies with limited development staff and lines of business creating applications that are not enterprise-critical are good use cases, because, "…there's a huge step up [in security] because there is a common denominator as far as security best practices and implementations that framework providers build into their own SDLC [software development lifecycle]."

The common denominator in security can include some of the basic functions that should be part of secure application development but are often overlooked. "[No-code development] also has the advantage of raising the security barrier since most lower-level vulnerabilities, stemming from the lack of input validation and code integrity checks, are taken care of by the platform," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

But those things don't take responsibility for security away from the application development team.

Best no-code practices

"In no way does this solve the general problem of securing an application," Hahad says, continuing, "Patching for vulnerable subsystems and third-party code still needs to be done, for example."

The same characteristics that make no-code development so productive for some organizations can bring challenges when it comes to security. "With no-code platforms, enterprises quickly lose visibility over critical processes and data usage, and users can easily build business logic that exposes sensitive or regulated information," says Mamidi. He says that organizations using no-code development must make specific plans for security (and regulatory compliance) from the beginning of the process.

"Enterprises must find ways to audit processes and vendors, and maintain reasonable security oversight, even if that makes the process a bit less convenient," Mamidi says.

As part of the audit and security process, Golshan points out that knowing what's actually going on within the application is important.

"You want to deploy your application on top of a cloud native environment where there is some notion of deep logging," he says, explaining that tracing and building support for microservices environments is critical.

Partnerships matter

To keep "no-code" from becoming synonymous with "shadow IT," a deep partnership between the team building the applications and the organization's security team is important. "There's a lot of resistance on the security side and developer side to make that first step, but it's critical. It's critical for organizations to encourage that," says Matt Keil, director of product marketing at Cequence.

Keil says that the introduction of no-code development can actually be the impetus for starting the critical conversation between security and the developers. "I think the right approach is to engage with the business group in a conversation. Don't act like 'Doctor No' that's just going to continue to foster the divide between security and the development team," he continues.

Among the areas that Golshan feels should be considered are those that control who (and what) has access to the application. "I think one of the areas that low-code/no-code has the potential to really improve is how it handles access management, authentication, and authorization," he says.

And for all of the areas that should be considered, experts point back to the documents produced by NIST as useful frameworks for organizations to lean on. While some consider the NIST documents as being useful primarily for government organizations, the principles can be valuable for any organization, especially those looking to develop in a new methodology.

Ultimately, though, the best chance for success may be to have someone who makes sure the organization doesn't forget security. "The most successful organizations that I see have an application security architect — somebody with a foot in security and a foot in development," says Kent. "They can more easily identify and define the kinds of controls that you need to make low-code/no-code environments secure and still collaborative."

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...

Comments
RuskinF, User Rank: Apprentice
1/10/2020 | 4:40:01 AM
Re: Pending Review
No code means no security. It is true. Like the Office products launched by Microsoft. In the 2019 version, only one user is expected to use the service, hence no code is written to provide security.

But, one needs to understand that Office 365 products are provided with security features. For example, install Office 365 ProPlus and understand how Microsoft cares about the security of your data.

The same goes with Office 365 Business Premium benefits. The security and other pros outweigh the cons.

Regards.
anuragp, User Rank: Apprentice
1/9/2020 | 4:10:06 PM
Low Code providing opportunity to secure applications
Low code provides a great opportunity to secure applications by default as the application is generated. Manual errors in programming/app building can be the most common source of security problems. A good low code tool protects against XSS attacks, CORS misconfigurations, XSRF and other such attacks by default. As most of the code is generated, components can be pretested with advanced vulnerability tools. A good low code tool also builds on the learnings that are gathered from different customers using the tools. Financial organizations, healthcare organizations, insurance organizations, etc. do heavy penetration testing of the applications, and every time they find anything, the fixes can be immediately provided by a good low code platform. An analogy is that cloud is more secure than on premise as it learns from the mistakes of a huge number of users.