Low-Code Development Requires A Security Rethink
Low-code platforms speed delivery of applications, but are they secure? The answer is more complicated than I expected when I started this research project with my colleagues, John Bratincevic and John R. Rymer. We’re still gathering information, but we’ve discovered that:
- Low-code security is not well understood. Even vendors with extensive security investments acknowledged that there are a lot of outstanding questions and dependencies from customers.
- More enterprises are adopting low-code development products, however, and relying on them for applications that touch sensitive corporate and customer data.
Here are four high points of what we’ve learned so far:
Finding #1: Applications built on low-code platforms can be more secure than those built with more traditional coding methods. Low-code vendors take on major responsibilities for securing their platforms on their “own” clouds and ensuring the technical quality of applications built with their tooling. This can mitigate many security risks, particularly around issues like SQL injection and cross-site scripting. It also can reduce the scope of application security reviews (contributing to faster app delivery).
Finding #2: Low-code platforms are less secure when deployed in either a customer data center or on a private hosting site. Why? Customers have more responsibility for configuring security and maintaining configs through application changes.
Finding #3: Application-security risks rise when developers build parts of their apps outside of the native tooling of the low-code platform. For example, by building a service using custom code or coding a custom user interface, developers risk reintroducing some of the security weaknesses that low-code platforms are designed to eliminate. This risk is lower for businesspeople delivering apps (citizen developers) because they are less likely to write custom code. Also, low-code platforms aimed at citizen developers typically support less customization than the products aimed at professional developers.
Finding #4: Security risks also rise as developers integrate with external databases, applications, cloud services, etc. Integration is very common in low-code app development. A common developer mistake: forgetting to secure endpoints. Some platforms help head off endpoint-security risks better than others.
Stay tuned for the full report coming this fall. In the meantime, please contact our research associate Melissa Bongarzone (firstname.lastname@example.org) if you’d like to contribute to our research on this vital topic.