According to a 2021 report from Research And Markets, titled “Low-Code Development Platform Market Research Report – Global Industry Analysis, Trends and Growth Forecast to 2030,” the low-code development platform market is predicted to reach US $ 190,792.6 million with a CAGR of 31.2% during 2020-2030. This highlights the immense potential that low-code platforms offer organizations to capitalize on.
Thus many organizations across the globe are pushing for what is being dubbed the “citizen developer.” Empowering the broader IT and business community to build applications that drive business value has an obvious appeal. But the use of low-code and no-code platforms comes with security risks. Hence, in the hurry not to miss the low-code development train, organizations should not neglect the security concerns associated with it.
Here are three security concerns for using low-code and no-code development platforms that organizations should not overlook:
Less clarity into low-code/no-code applications
Using a platform built by an external vendor raises visibility concerns. Organizations using the software are often not aware of its source code, its associated vulnerabilities, or the level of testing and rigor the platform has undergone.
To deal with this, organizations can adopt practices such as requesting a software bill of materials (SBOM) from the vendor. An SBOM gives them insight into the software components the platform is built from and, by matching those components against vulnerability data, into the vulnerabilities associated with them.
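The check an SBOM enables is concrete: list the components the vendor declares, then look each one up against vulnerability data. The following is an added example, not code from the article or from any low-code vendor. It assumes the SBOM is delivered in CycloneDX JSON format (a real, widely used SBOM standard) and uses a constructed sample SBOM and a constructed advisory map with placeholder advisory identifiers; component names, versions and package URLs (PURLs) are made up for illustration. It also surfaces the case a practitioner should care about: a component listed without a PURL cannot be matched at all, so its risk is unknown rather than absent.

```python
import json

# Constructed CycloneDX-style SBOM, in the shape a vendor might supply for a
# low-code platform. Names, versions and PURLs are made up for this example.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-widget-lib", "version": "2.3.1",
     "purl": "pkg:npm/example-widget-lib@2.3.1"},
    {"type": "library", "name": "example-form-engine", "version": "1.0.4",
     "purl": "pkg:maven/com.example/example-form-engine@1.0.4"},
    {"type": "library", "name": "example-legacy-parser", "version": "0.9.0"}
  ]
}
"""

# Constructed advisory data: PURL -> list of advisory identifiers affecting it.
# The identifiers are placeholders; a real feed would come from a
# vulnerability database keyed by package URL.
KNOWN_VULNS = {
    "pkg:npm/example-widget-lib@2.3.1": ["EXAMPLE-ADVISORY-0001"],
}


def load_components(sbom_json):
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return doc.get("components", [])


def assess_sbom(sbom_json, vuln_db):
    """Match SBOM components against advisory data.

    Returns a pair (affected, unidentified):
      affected     - list of (name@version, [advisory ids]) for components
                     with at least one known advisory
      unidentified - list of name@version for components that carry no PURL
                     and therefore could not be checked at all
    """
    affected = []
    unidentified = []
    for comp in load_components(sbom_json):
        label = f"{comp.get('name')}@{comp.get('version')}"
        purl = comp.get("purl")
        if not purl:
            # No package identifier: the vendor has declared the component,
            # but nothing can be looked up for it. Report it separately so it
            # is not silently treated as clean.
            unidentified.append(label)
            continue
        advisories = vuln_db.get(purl)
        if advisories:
            affected.append((label, list(advisories)))
    return affected, unidentified


if __name__ == "__main__":
    hits, unknown = assess_sbom(SAMPLE_SBOM_JSON, KNOWN_VULNS)
    for label, ids in hits:
        print(f"AFFECTED   {label}: {', '.join(ids)}")
    for label in unknown:
        print(f"UNCHECKED  {label}: no PURL, cannot be matched")
```

The split into "affected" and "unidentified" is the point of the exercise: an SBOM only reduces the visibility gap for components that are identified precisely enough to be looked up, so an SBOM full of unqualified entries should be sent back to the vendor rather than treated as a clean bill of health.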
Closely related to the visibility concern is the possibility of insecure code. Low-code and no-code platforms still contain code; it is merely abstracted away from users so they can work with pre-built functionality. While this saves non-developers from authoring the code themselves, it becomes a problem when the code being reused is insecure. The problem only worsens as that insecure code is propagated across the organization and its applications through low-code and no-code development.
To address this issue, organizations should collaborate with platform vendors and ask them for security scanning results for the low-code or no-code development platform. This gives organizations assurance that they are not simply replicating insecure code. Since many low-code and no-code platforms are delivered as software as a service (SaaS), organizations should also request industry certifications such as ISO, SOC2, FedRAMP and others from their platform vendor. These provide assurance about the operational and security controls applicable to the SaaS application/platform itself.
Unmanageable shadow IT
Because low-code and no-code platforms allow users to create applications at a faster pace, they can also lead to out-of-control shadow IT. Shadow IT arises when business units and staff build applications and expose them either internally within the enterprise or externally to the world. These low-code and no-code applications can also hold sensitive organizational, customer, or regulated data that could negatively impact the organization if those applications were compromised in a data breach.