Low-Code, No-Code Platforms Need Oversight

More businesses are turning to no-code and low-code platforms for a variety of reasons. Still, security can be a risk when you allow non-technical people to create apps.

Low-code and no-code platforms are on the rise. Largely due to the shortage of coders, these platforms enable non-technical people to create apps without knowing how to code. So, it isn’t surprising that businesses are more widely adopting these platforms. Everyone wants the next product pushed out quick and dirty, so why not let departments create their own apps? Seems simple enough, except for one glaring problem: Security. 

The security issue around low-code and no-code platforms is not necessarily due to the platforms themselves. Many, especially the cloud-based ones, have security built in. But non-technical users do not understand how that security piece works, and they will inevitably find a way to make it insecure. No coder or developer is ever going to account for every single combination of steps a user could possibly take; it would take years to create apps that way. Businesses don’t have that kind of time, and users don’t want to wait that long. That is why there are always updates and patches to products: someone found a way to break it, and the manufacturer/developer has to fix it.

Another problem, according to Dark Reading, is that no-code developers don’t always have security knowledge either. “Low-code and no-code development models are powerful and democratize development for non-technical users to easily build powerful workflows,” says Vinay Mamidi, senior director of project management at Virsec. “But there’s always a gotcha — while trained developers may have varying levels of skill in security, no-code developers are generally oblivious to security best practices or risks.”

The most common use of low-code and no-code platforms is pulling data from an app and moving it to other systems or reports for analysis. Yes, some platforms can be used to build apps or websites, but even using those platforms to move data around for analysis can be a danger. For example, say a SaaS app has API access turned on for some official use, but someone else in the company can use that access to pull data. Even if only the data they are already allowed to see comes through the API, once they put it into a low-code solution and pipe that data into their personal email, it’s now exposed. If they populate it to a misconfigured Google/Excel365 Sheet that is public, that information is now exposed. And none of that exposure has to do with the low-code platform itself.

Data exposure most often happens due to misconfigurations. When you use no-code and low-code platforms to allow people to do things they might otherwise not be able to do, you are asking a non-technical person to understand code and security. And when they don’t understand it and inevitably expose information, you might not even know because you have no governance or awareness as to what is happening.
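As an added example (not from the article or from any vendor's tooling), this Python script audits a constructed inventory of low-code flows for the two exposures just described: API data routed to a non-corporate mailbox, and output written to a publicly or org-wide shared sheet. The field names, corporate domains and data classifications are assumptions, not any platform's real export format.

```python
from dataclasses import dataclass

CORPORATE_DOMAINS = {"example.com"}            # assumed corporate mail domains
SENSITIVE_CLASSES = {"customer", "finance"}    # assumed data classifications

@dataclass
class Flow:
    name: str
    owner: str
    source_api: str       # SaaS API the flow reads from
    classification: str   # label of the data it moves
    sink_type: str        # "email" or "sheet"
    sink_target: str      # mailbox address or sheet id
    sheet_sharing: str = "restricted"   # "restricted", "domain", "anyone_with_link"

def audit_flow(flow: Flow) -> list:
    """Return (flow name, issue) pairs for exposures a reviewer should look at."""
    issues = []
    if flow.sink_type == "email":
        domain = flow.sink_target.rsplit("@", 1)[-1].lower()
        if domain not in CORPORATE_DOMAINS:
            issues.append((flow.name, f"{flow.source_api} data piped to external mailbox {flow.sink_target}"))
    elif flow.sink_type == "sheet":
        if flow.sheet_sharing == "anyone_with_link":
            issues.append((flow.name, "output sheet is public (anyone with the link)"))
        elif flow.sheet_sharing == "domain" and flow.classification in SENSITIVE_CLASSES:
            issues.append((flow.name, f"{flow.classification} data shared org-wide via sheet"))
    return issues

def audit_flows(flows) -> list:
    """Audit a whole inventory; the result is what a governance report would list."""
    return [issue for flow in flows for issue in audit_flow(flow)]

# Constructed sample inventory, as a platform admin might export it.
SAMPLE_FLOWS = [
    Flow("crm-weekly-report", "alice@example.com", "crm", "customer", "email", "reports@example.com"),
    Flow("crm-to-personal", "bob@example.com", "crm", "customer", "email", "bob@mailbox.example"),
    Flow("sales-dashboard", "carol@example.com", "billing", "finance", "sheet", "sheet-123", "anyone_with_link"),
    Flow("hr-headcount", "dave@example.com", "hris", "finance", "sheet", "sheet-456", "domain"),
    Flow("ticket-stats", "erin@example.com", "helpdesk", "internal", "sheet", "sheet-789", "domain"),
]

if __name__ == "__main__":
    for name, issue in audit_flows(SAMPLE_FLOWS):
        print(f"{name}: {issue}")
```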

The other consideration in these platforms is whether or not you have visibility into their inner workings. Black box development still exists in low-code platforms, which means that businesses have no idea what is under the hood or how it functions. There is no way to audit for security or to test. Cloud-based platforms are the best route to take as there is more transparency. Otherwise, businesses need to have a strategic plan in place for testing, auditing and ensuring the security of the platform.

Low-code and no-code platforms absolutely have a place in the world. Not just because there is a shortage of coders, but because not all businesses need to have a developer on staff to combine some data into a report. Still, just because these platforms are there doesn’t mean that business leaders should use them for everything or give access to every employee. Like anything else, they must be secured. IAM controls need to be applied, and there needs to be a way to verify security. These platforms will never replace developers or coders; after all, someone has to build them! Businesses should analyze the risks, costs and benefits of these platforms before diving in headfirst.

As always, when in doubt, consult an expert! Get the opinion of someone who knows what they are looking at, someone who can explain the ins and outs to you. It’s the best way to be certain you are going down the right path.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
