As more abstraction layers are added to the software development stack, developers are coding less from scratch. Low-code platforms are part of this movement, offering visual and text-driven means to stitch together internal tools and workflows. In the process, low-code platforms are opening access for non-developers to solve the problems at hand. But what are some security repercussions of low-code platforms?
Depending on what data these platforms touch, ungoverned low-code use could break industry and government regulations. Without guardrails, “citizen developers” unaccustomed to programming procedures could unknowingly cause instability. Aside from user practices, insecure low-code platforms could hold broken dependencies and hit APIs that expose sensitive data.
I recently met with Kevin Garcia, Head of Product Marketing, Retool, to understand what security vulnerabilities low-code platforms pose. To Garcia, if ungoverned, low-code platforms could break data regulations and be prone to misuse. However, low-code shouldn’t mean high risk. Below, we’ll explore these potential failures and consider best practices to keep low-code platform security in check.
Low-Code Security Implications
First of all, due to data compliance requirements, it’s often impossible for financial and healthcare businesses to leverage cloud services that store copies of customer data. “From a regulation and legal perspective, this is a non-starter,” describes Garcia.
Low-code platforms are getting more usable and more adaptable. Garcia notes a big “aha” moment when users realize they can connect important data sources, such as customer information, with other environments. Yet, non-IT users may not have a good understanding of what they’re connecting to or who has access to what. “People often oversimplify how easy or not easy it is to tap into those [sources],” describes Garcia. Without intricate access control, low-code tools could easily suffer from data overexposure.
Citizen developers will likely not possess a deep understanding of how technology integrates with different data sources. Without security training, they may leave data publicly accessible or forget to enable logins for generated end applications.
As with any new technology, low-code platforms introduce a certain level of risk. “When a company is storing information for you, there is an inherent risk that that copy of information is only being secured by that provider,” said Garcia. It’s the low-code platform’s responsibility to follow good security practices around data connection, using OAuth and secure sign-on. However, this can’t always be enforced. The provider may have undocumented points of failure, such as broken API integrations or dependencies with zero-day exploits.
Tips to Retain Low-Code Security
Isolate your low-code environment from potential attack. The best way to avoid exposing sensitive data is to isolate, says Garcia. Thus, he sees many businesses operating in high-security areas opting to self-host their low-code platform. This could be done using on-premise servers or in a private cloud.
Deploying inside a protected, self-hosted space is starting to become a bigger norm across industries. Of course, there is a trade-off here, as self-hosting requires increased maintenance and troubleshooting. Plus, it could alienate external support representatives who aren’t accustomed to your hosting architecture.
Follow the principle of least privilege. A core tenet of IT security is to only allow information access to those who need it. Low-code platforms may enable access to databases, compute power, integrations, and customer records. Such components should only be made available to trusted sources.
Choose a low-code tool with flexible access control capabilities. With application development, there are “a lot of layers of hierarchy you need to navigate,” says Garcia. Imagine a company with a set of internal professional developers, citizen developers, and external contractors and clients. All will have varying levels of authority. Thus, fine-grained Role-Based Access Control (RBAC) is required to enable read/write user settings, from the app groupings to the resources level.
Train citizen developers. “You really need to think about how to empower citizen developers to build on these tools, and to control the environment such that people don’t have unfettered access,” said Garcia.
Treat low-code creations with the same security rigor as typical app development. Hard-coded or low-coded, you’re building a software product. Just because things like build, compile, and integration are automated doesn’t mean you can forget about security. All software requires the same security standards.
Know where your data is. There’s a lot of nuance in how a low-code app will interact with data. The app could simply retrieve data, or it could have editing capabilities. The app could store data within the low-code platform or tap into an external database. If API keys are exposed, these integration points are highly vulnerable.
Understand your limitations and requirements when choosing a low-code platform. “There will always be inherent risk in moving data around with software,” says Garcia. “Know what your non-negotiables are and make them a requirement when searching for the right tool.”
Low Code Shouldn’t Mean High Risk
The interest in low-code is growing. Forbes forecasts that 75% of businesses will adopt low-code by 2024. They predict that by 2030, low-code development platforms will be responsible for $187 billion of revenue worldwide.
Simultaneously, security is a ubiquitous problem. 43% of data breaches are tied to web application vulnerabilities, found a recent report. In the rush to adopt low-code, it’s imperative for organizations to consider the security implications of new tools.
“There is risk everywhere,” reminds Garcia. It is incumbent on the company to audit its development stack and the surrounding environment. In response, infrastructure-focused tools are moving further and further toward private clouds, increased access control, and more opportunities to protect information, notes Garcia. With the proper security forethought, low-code adoption can be well-positioned to anticipate and respond to security vulnerabilities.