While the advantages of low-code platforms are widely acknowledged, their security capabilities have always been a topic of debate. Jeff Williams, CTO and co-founder of Contrast Security, stated that low-code platforms are not inherently more vulnerable than traditional code; the risks are the same ones that apply to any application, including authentication, authorization, encryption, injection, logging, and more.
One of the main differences between citizen developers on low-code platforms and traditional developers is that the former may inadvertently create security risks due to a lack of security training and communication with the security team. Basic errors such as hard-coded credentials, missing authentication, disclosure of personal information, and exposure of implementation details may arise as a result.
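To make the four basic errors named above concrete, here is an added illustration (not code from the article or from any platform it mentions) of a small "look up a user" handler of the kind a citizen developer might wire to a data connection, first with all four mistakes, then hardened. The user table, the `APP_API_TOKEN` variable name and the `find_exposures` review check are constructed for this example.

```python
import hmac
import os

# Constructed sample data store: a stand-in for the data connection a
# citizen developer would wire into a low-code app. Not a real system.
USERS = {
    "u1": {"name": "Alice", "email": "alice@example.com",
           "ssn": "123-45-6789", "role": "member"},
}

# ---- "Before": the basic errors named in the article, all in one handler ----

DB_PASSWORD = "hunter2"  # error 1: hard-coded credential


def get_user_insecure(request):
    """Return a user record with no authentication, all fields, and raw error text."""
    try:
        # error 2: no authentication or authorization check at all
        # error 3: the whole record, including SSN and e-mail, is returned
        return {"status": 200, "body": dict(USERS[request["user_id"]])}
    except Exception as exc:
        # error 4: implementation details (exception type, missing key,
        # even the credential) leak to the caller
        return {"status": 500,
                "body": f"{type(exc).__name__}: {exc}; db password={DB_PASSWORD}"}


# ---- "After": the same handler with each error corrected ----

# Fields a caller is allowed to see; everything else stays server-side.
PUBLIC_FIELDS = ("name",)


def load_api_token(env=os.environ):
    """Read the API token from the environment instead of the source code."""
    token = env.get("APP_API_TOKEN")  # hypothetical variable name
    if not token:
        raise RuntimeError("APP_API_TOKEN is not configured")
    return token


def get_user_secure(request, api_token):
    """Authenticate, minimise the response, and never echo internals."""
    presented = request.get("headers", {}).get("Authorization", "")
    # Constant-time comparison of the presented bearer token.
    expected = f"Bearer {api_token}".encode()
    if not hmac.compare_digest(presented.encode(), expected):
        return {"status": 401, "body": {"error": "unauthorized"}}
    user = USERS.get(request.get("user_id"))
    if user is None:
        # Generic message: no key names, no exception text.
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": {k: user[k] for k in PUBLIC_FIELDS}}


# ---- A small review check a security team could run over handler output ----

SENSITIVE_FIELDS = {"ssn", "email", "password"}


def find_exposures(response):
    """Flag sensitive fields or error internals in a response body."""
    findings = []
    body = response["body"]
    if isinstance(body, dict):
        findings += sorted(f"sensitive field exposed: {k}"
                           for k in body if k in SENSITIVE_FIELDS)
    elif isinstance(body, str) and ("Error" in body or "password" in body):
        findings.append("implementation details in error text")
    return findings


if __name__ == "__main__":
    req = {"user_id": "u1", "headers": {}}
    print(get_user_insecure(req))
    print(find_exposures(get_user_insecure(req)))
    token = load_api_token({"APP_API_TOKEN": "demo-token"})
    req["headers"]["Authorization"] = f"Bearer {token}"
    print(get_user_secure(req, token))
    print(find_exposures(get_user_secure(req, token)))
```

The `find_exposures` check is the kind of lightweight, platform-independent review a security team can automate against the responses of citizen-built endpoints, which is where the article's point about communication with the security team becomes actionable.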
Mark Nunnikhoven, distinguished cloud strategist at Lacework, highlighted the importance of data access control and the need to teach citizen developers appropriate use of data connections. He pointed out that low-code developers might not be aware of the appropriate or inappropriate use of data connections since they are often provided access without proper training. This oversight could potentially expose a gap in information management and information security programs.
Jayesh Shah, SVP of Customer Success at Workato, suggested developing certification programs tailored to the low-code platform being used. This will help users understand the platform's capabilities and adhere to company-set policies and guidelines.
Despite differences in application development methods between low-code and traditional platforms, the security processes for both should remain the same. Williams recommended that companies set guidelines and conduct tests such as interactive application security testing (IAST) to ensure proper implementation. Static application security testing (SAST) and dynamic application security testing (DAST) methods may fail to catch certain vulnerabilities or may report false positives.
Low-code platforms themselves can also help minimize security risks. Shah mentioned that such platforms can include built-in security controls like sandbox environments and restricted options for citizen developers. In comparison to custom software, low-code platforms may have an advantage in quickly addressing newly discovered security vulnerabilities through vendor-provided updates.
Custom software often relies on third-party or open-source components, which are notorious entry points for security breaches. Shah stated that low-code platforms can assure that the components provided do not have security vulnerabilities and are updated as needed to protect all users globally.
Recently, work commenced on an OWASP (Open Web Application Security Project) Top 10 list specifically for low-code technology, providing a set of security risks that companies should prioritize. However, Williams, who created the original guide in 2003, noted that the list alone may not be enough to reduce vulnerabilities on low-code platforms. He emphasized the importance of platform vendors incorporating advice from the OWASP list into their own environments for better security guardrails.
When searching for a suitable low-code platform, it's crucial to consider platforms that prioritize security and continuously update to address vulnerabilities. One such platform that has gained recognition for its security features is AppMaster.io, a powerful no-code tool for creating backend, web, and mobile applications with built-in security controls, making it an ideal choice for businesses of all sizes.