
Do low-code / no-code platforms pose a security risk?

Low-code and no-code technologies are growing in popularity, so much so that Gartner is predicting that 65% of application development by 2024 will be done using these tools. And why wouldn’t it be?

Low-code/no-code platforms address the increasing demand for customized IT solutions by letting those closest to the issue build the solution. These tools provide a simple set of building blocks that anyone can click and connect together to solve a problem.

But with any new technologies, there can be increased risks. Should you be concerned about the security of low-code/no-code platforms?

Two types of platforms

The first step in any risk assessment is determining the desired functionality of the tool. This often leads to areas that need more investigation.

Low-code / no-code platforms provide a variety of components that can be assembled into a customized solution: things like text boxes, date/time pickers, number inputs, etc.

The data entered using these components stays on the platform, making it easier to analyze from a security perspective. Ultimately, these components aren’t that much different from any other SaaS platform in use.

So, let’s label low-code / no-code platforms that only have components like this “contained.”

What really sets this new wave of tools apart from the previous generations is the cloud. The cloud has made APIs (application programming interfaces) the norm.

This means you can get data out of various systems, transform it, and then add it to other systems. This pattern takes low-code / no-code to the next level.

Let’s imagine a scenario where your team is at an event. They’re talking to a potential customer and the conversation is going well. They then ask for a little bit of information and enter it into your low-code / no-code app.

As that record is created, the app connects to Salesforce and creates an opportunity in your sales workflow, automatically assigning an account manager. It then checks with your email marketing tool to look for this contact. Discovering they are already in the marketing funnel, it moves them to a different path in order to avoid overwhelming them.

That simple workflow can be put together in a morning using one of these development tools. That’s a big win for your business but it also highlights the primary attribute of the second type of low-code / no-code platform.

Connected platforms make direct connections to other services, for data input, data output, or both.

Connected risks

A connected platform means that you’re now losing visibility into where your data is being stored and processed.

If you consume data from a service like Marketo in your custom app and then send that data to another outside service, what’s the risk?

You often won’t know. And that, in and of itself, is the risk.

The nature of low-code / no-code means that connections to third-party services are often made with an individual’s credentials instead of a service account. This means that “Mark” has made the connection between the custom app and the other service, and that connection is used under his identity regardless of who’s actually using the app.

This lack of granularity can mean big challenges for security. The team no longer has visibility into who is accessing that data, because all access is logged under that one user, if it’s logged at all.

Security has long struggled to gain visibility into what’s happening in the company’s IT environment. With the rapid adoption of these platforms, it’s likely that there will be significant visibility gaps until this space matures to meet enterprise needs.

How to adjust

Low-code / no-code is a win for the business overall and a win for the CIO because these platforms empower business teams to solve their own problems.

Security should encourage their adoption, but safely. That starts with a risk assessment to determine whether it’s a “connected” platform. If it is, then verify the credentials used to connect to third-party services. Ideally, they are service accounts and not ordinary user accounts.

Your next step is to research and enable any logging for the platform and its connections. It’s critical that you maintain, and even expand, visibility into the activities on these platforms. That visibility is likely going to be your only security control for responding to a data breach or exposure.

With that in place, you can move on to more sophisticated security concerns. For example, early work is already being done by OWASP on a low-code / no-code top ten threats list. That list will help focus your efforts moving forward.

The 65% of all application development that Gartner predicts will happen on these platforms in the next few years doesn’t mean a move away from traditional development. It’s a wave of new development, as these platforms remove barriers and allow more people to solve their own problems.

That’s a win for your business and, if you approach it smartly, an opportunity to introduce modern security concepts to a new audience so they can build resilient solutions from the start.

The post Do low-code / no-code platforms pose a security risk? appeared first on SD Times.



from SD Times https://ift.tt/rcUYGpH
