Low-code and no-code technologies are growing in popularity, so much so that Gartner is predicting that 65% of application development by 2024 will be done using these tools. And why wouldn’t it be?
Low-code/no-code platforms address the increasing demand for customized IT solutions by letting those closest to the issue build the solution. These tools provide a simple set of building blocks that anyone can click and connect together to solve a problem.
But with any new technologies, there can be increased risks. Should you be concerned about the security of low-code/no-code platforms?
Two types of platforms
The first step in any risk assessment is determining the desired functionality of the tool. This often leads to areas that need more investigation.
Low-code / no-code platforms provide a variety of components that can be assembled into a customized solution: things like text boxes, date/time pickers, number inputs, etc.
The data entered using these components stays on the platform, making it easier to analyze from a security perspective. Ultimately, these components aren’t that much different from any other SaaS platform in use.
So, let’s label low-code / no-code platforms that only have components like this “contained.”
What really sets this new wave of tools apart from the previous generations is the cloud. The cloud has made APIs (application programming interfaces) the norm.
This means you can get data out of various systems, transform it, and then add it to other systems. This pattern takes low-code / no-code to the next level.
Let’s imagine a scenario where your team is at an event. They’re talking to a potential customer and the conversation is going well. They then ask for a little bit of information and enter it into your low-code / no-code app.
As that record is created, the app connects to Salesforce and creates an opportunity in your sales workflow, automatically assigning an account manager. It then checks with your email marketing tool to look for this contact. Discovering they are already in the marketing funnel, it moves them to a different path in order to avoid overwhelming them.
That simple workflow can be put together in a morning using one of these development tools. That’s a big win for your business, but it also highlights the primary attribute of the second type of low-code / no-code platform.
Connected platforms make direct connections to other services, for data input, data output, or both.
A connected platform means that you’re now losing visibility into where your data is being stored and processed.
If you consume data from a service like Marketo in your custom app and then send that data to another outside service, what’s the risk?
You often won’t know. And that, in and of itself, is the risk.
The nature of low-code / no-code means that connections to third-party services are often made with an individual’s credentials instead of a service account. This means that “Mark” has made the connection between the custom app and the other service, and that connection is used regardless of who’s actually using the app.
This lack of granularity can mean big challenges for security. The team no longer has visibility into who is accessing that data; all access is logged under that one user… if it’s logged at all.
Security has long struggled to gain visibility into what’s happening in the company’s IT environment. With the rapid adoption of these platforms, it’s likely that there will be significant visibility gaps until this space matures to meet enterprise needs.
How to adjust
Low code / no code is a win for the business overall and a win for the CIO because these platforms empower business teams to solve their own problems.
Security should encourage their adoption, but safely. That starts with a risk assessment to determine if it’s a “connected” platform. If it is, then verify the credentials used to connect to third-party services. Ideally, they are service accounts and not ordinary users.
Your next step is to research and enable any logging for the platform and its connections. It’s critical that you maintain and even expand visibility into the activities on these platforms. That visibility is likely going to be your only security control to respond to data breach or exposure issues.
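As an added illustration of those two checks (not code from the original article or from any particular platform), the script below reviews a connector inventory and a connector audit log of the kind a platform admin console might export. It flags connectors authenticated with a personal identity rather than a service account, flags connectors with logging disabled, and shows the attribution problem described above: several distinct app users whose actions all reach the upstream service as one shared identity. The “svc-” naming convention, the inventory fields and the log line format are assumptions made for the example; the data is constructed.

```python
"""Review low-code / no-code connectors for credential and visibility gaps.

Added example: the connector export format, the log line format and the
"svc-" service-account naming rule are assumptions, not any real platform's API.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed tenant policy: service accounts are named "svc-<purpose>@...".
SERVICE_ACCOUNT_PATTERN = re.compile(r"^svc-[a-z0-9-]+@", re.IGNORECASE)

# Constructed connector inventory, shaped like an admin-console export.
CONNECTORS = [
    {"id": "conn-01", "service": "Salesforce", "auth_identity": "mark@example.com", "logging": True},
    {"id": "conn-02", "service": "Marketo", "auth_identity": "svc-lcnc-marketo@example.com", "logging": False},
    {"id": "conn-03", "service": "Mailchimp", "auth_identity": "svc-lcnc-mailchimp@example.com", "logging": True},
]

# Constructed audit lines: who used the app, and which identity the upstream service saw.
AUDIT_LOG = """\
2024-03-01T09:00:00Z conn-01 app_user=alice@example.com upstream_identity=mark@example.com action=create_opportunity
2024-03-01T09:05:00Z conn-01 app_user=bob@example.com upstream_identity=mark@example.com action=create_opportunity
2024-03-01T09:06:00Z conn-03 app_user=alice@example.com upstream_identity=svc-lcnc-mailchimp@example.com action=update_contact
2024-03-01T09:07:00Z conn-01 app_user=carol@example.com upstream_identity=mark@example.com action=create_opportunity
this line is malformed and must be skipped, not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<conn>\S+) app_user=(?P<user>\S+) "
    r"upstream_identity=(?P<upstream>\S+) action=(?P<action>\S+)$"
)


def is_service_account(identity: str) -> bool:
    """True when the identity follows the assumed service-account naming rule."""
    return bool(SERVICE_ACCOUNT_PATTERN.match(identity))


def review_connectors(connectors: List[dict]) -> List[Tuple[str, str]]:
    """Step 1 and 2 of the procedure: credential type and logging state per connector."""
    findings: List[Tuple[str, str]] = []
    for c in connectors:
        if not is_service_account(c["auth_identity"]):
            findings.append((c["id"], "personal-credential"))
        if not c["logging"]:
            findings.append((c["id"], "logging-disabled"))
    return findings


def attribution_map(log_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """connector -> upstream identity -> set of app users seen behind it."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines; a review tool should not abort on them
        result.setdefault(m["conn"], {}).setdefault(m["upstream"], set()).add(m["user"])
    return result


def shared_identity_gaps(log_text: str) -> List[Tuple[str, str, int]]:
    """Connectors where more than one app user reaches the upstream service as a single identity.

    Each entry is (connector id, upstream identity, number of distinct app users hidden behind it).
    """
    gaps: List[Tuple[str, str, int]] = []
    for conn, upstreams in sorted(attribution_map(log_text).items()):
        for upstream, users in sorted(upstreams.items()):
            if len(users) > 1:
                gaps.append((conn, upstream, len(users)))
    return gaps


if __name__ == "__main__":
    for conn_id, issue in review_connectors(CONNECTORS):
        print(f"{conn_id}: {issue}")
    for conn_id, upstream, n in shared_identity_gaps(AUDIT_LOG):
        print(f"{conn_id}: {n} app users appear upstream as {upstream}")
```

Running the script lists conn-01 as using a personal credential, conn-02 as having logging disabled, and shows that three different app users appear in Salesforce’s own logs as Mark, which is exactly the visibility gap the platform’s audit log has to close.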
With that in place, you can move on to more sophisticated security concerns. For example, early work is already being done by OWASP focusing on the low-code / no-code top ten threats. This list will help focus your efforts moving forward.
The 65% of all application development that Gartner predicts will happen on these platforms in the next few years doesn’t mean a move away from traditional development. It’s a wave of new development as these platforms remove barriers allowing more people to solve their problems.
That’s a win for your business and, if you approach it smartly, an opportunity to introduce modern security concepts to a new audience so they can build resilient solutions from the start.