In recent years, low-code and no-code technologies have become increasingly popular, backed by Gartner's prediction that 65% of application development by 2024 will be powered by these revolutionary tools. They provide a simplified set of building blocks, facilitating the creation of customized IT solutions for various industries. However, as with any new technology, there are potential risks, and users may understandably have concerns about low-code and no-code platform security.
Understanding Different Types of Platforms
Before assessing the security risks, it's essential to identify the desired functionality of a low-code or no-code platform. Typically, these platforms offer a range of components, such as text boxes, date/time pickers, and number inputs, which can be arranged to craft a tailored solution. The data entered via these components remains on the platform, making security analysis more straightforward. In many ways, these components are similar to those found in conventional SaaS platforms.
Platforms limited to these components can be classified as 'contained.' The true differentiator for this new generation of tools is the cloud, which has made APIs (application programming interfaces) increasingly common. Because these platforms facilitate data extraction, transformation, and integration across various systems, they take low-code and no-code development to new heights.
Imagine a scenario where your team interacts with a potential customer at an event. After obtaining some information from the prospect and inputting it into the low-code or no-code app, the app creates a Salesforce opportunity in your sales workflow, assigns an account manager, and updates your email marketing tool. This entire process can be accomplished within a short time using these development tools, enabling seamless workflows that benefit your business.
However, connected platforms communicate directly with other services for data input, output, or both, which brings the risks associated with connected systems.
Connected Risks
Connected low-code and no-code platforms entail a loss of visibility into data storage and processing. When you use a connected platform to gather data from a service like Marketo and send it to another external service, the risks involved can be challenging to ascertain. Complicating matters further, connections to third-party services are often established with an individual's credentials, rather than a dedicated service account. As a result, data access could be logged under the person who set up the connection, instead of the actual user.
This lack of granularity poses significant security challenges because teams lose insight into who is accessing data. Moreover, security teams have long struggled to maintain visibility into a company's IT environment. Rapid adoption of low-code and no-code platforms may exacerbate these visibility gaps unless the industry matures to satisfy enterprise requirements.
Adapting to Low-Code and No-Code Security
Despite security concerns, low-code and no-code platforms offer a significant business advantage and enable teams to solve problems more efficiently. To adopt these solutions safely, users should begin with a risk assessment to determine if the platform is "connected." If connected, verify the credentials employed to link third-party services and use service accounts whenever possible.
Next, investigate the platform's logging capabilities and ensure they are enabled for both the platform and its connections. Maintaining visibility into these activities is crucial for addressing any data breach or exposure issues promptly.
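The checks in the two paragraphs above (is the app connected, which credentials link each third-party service, is logging enabled for the platform and its connections) can be run over an inventory of an app's connections. The following is an added example, not code from any platform or vendor; the inventory format, its field names and the account names are constructed for illustration.

```python
import json

# Constructed inventory for one app. The format and field names are
# hypothetical, not any vendor's export; accounts are made up.
INVENTORY = json.loads("""
{"platform_audit_logging": true,
 "connections": [
  {"name": "crm-opportunities", "target": "Salesforce",
   "credential_type": "user", "credential_owner": "jane.doe@example.com",
   "logging_enabled": true},
  {"name": "lead-import", "target": "Marketo",
   "credential_type": "service_account",
   "credential_owner": "svc-lowcode-marketo@example.com",
   "logging_enabled": false},
  {"name": "email-sync", "target": "email marketing tool",
   "credential_type": "service_account",
   "credential_owner": "svc-lowcode-email@example.com",
   "logging_enabled": true}
 ]}
""")


def assess(inventory):
    """Classify the app and list (scope, issue) findings."""
    connections = inventory.get("connections", [])
    kind = "connected" if connections else "contained"
    findings = []
    if not inventory.get("platform_audit_logging", False):
        findings.append(("platform", "audit logging disabled"))
    for conn in connections:
        name = conn.get("name", "<unnamed>")
        # A missing field counts as the risky value, so gaps in the
        # inventory surface as findings instead of passing silently.
        if conn.get("credential_type") != "service_account":
            owner = conn.get("credential_owner", "unknown")
            findings.append((name, f"personal credential ({owner}): access "
                                   "is logged under this person"))
        if not conn.get("logging_enabled", False):
            findings.append((name, "connection logging disabled"))
    return kind, findings


if __name__ == "__main__":
    kind, findings = assess(INVENTORY)
    print(f"platform type: {kind}")
    for scope, issue in findings:
        print(f"[{scope}] {issue}")
```

An app with no connections is reported as contained with no connection findings, so the same function covers both platform types.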
Once the basics are addressed, users can focus on more advanced security concerns. For instance, organizations like OWASP have already begun to explore the top ten threats specific to low-code and no-code development. This research can help guide user efforts and security best practices moving forward.
Gartner's prediction doesn't suggest traditional development methods will be obsolete. Instead, low-code and no-code platforms eliminate barriers and enable a broader range of users to solve their challenges. Among these, AppMaster has emerged as a notable no-code platform, providing powerful tools for backend, web, and mobile application development. If approached wisely, low-code and no-code platforms offer an opportunity to introduce modern security concepts to a new generation of users, fostering resilient and secure solutions from the outset.