Companies continue to demand skilled software developers, with the US Bureau of Labor Statistics estimating that the profession will grow 22% over the next decade, much faster than the average 4% growth rate across the job market as a whole.
Yet the continually high demand for developers has also led to the growth of platforms to create applications in a way that minimizes coding. Low-code platforms allow plug-and-play approaches to creating ever-more-complex software systems. From Salesforce to Microsoft, and from AirTable to Zoho, a variety of companies are offering tools to easily combine databases with front-end interfaces that include visualizations.
And the pandemic has accelerated low-code growth as companies push their digital transformations, said Johan den Haan, chief technology officer of low-code platform Mendix.
"Evolving low-code ecosystems will underpin business innovation. The technology stack will expand horizontally, to have an integrated developer experience with drag-and-drop simplicity for data integration, data science insights, building AI solutions, and creating multi-experiences."
—Johan den Haan
Yet the security and resilience of low-code platforms and the resulting applications continue to be questionable. While many types of security issues—such as command injection vulnerabilities and buffer overflows—are pushed off from the developer to the low-code platforms, the users of those platforms still need to focus on security.
Here are five ways that companies can ensure that their low-code applications are secure and resilient.
1. Revamp security training for a new cadre of application creators
The creators of low-code applications are usually not typical developers, but business users who are building their own tools to satisfy a problem. Unfortunately, they have not taken a secure-coding or secure application-design course, and companies need to recognize that lack of knowledge, Sandy Carielli, principal analyst at Forrester Research, said in a post on the business intelligence firm's blog.
"Low-code developers fall into two buckets: professional developers who leverage low-code to improve speed and responsiveness and citizen developers who sit outside of IT and development. Citizen developers not only have never taken a secure development class but likely have not taken any development classes at all—therefore, common application security concepts will be even more foreign."
—Sandy Carielli
To build awareness, companies using low-code platforms need more security champions, within different populations. In addition to including security champions in any DevOps teams, where low-code and serverless technologies may be used as one component of an application, security champions need to be embedded among business users who are also low-code creators, Forrester said in a recent report.
2. Know how far low-code guard rails protect your applications
Because low-code development typically consists of picking components from a limited menu of software components created by the platform provider, or a third party, low-code creators can typically rely on the security measures enforced by the platform.
However, companies should understand the weaknesses of each platform and what is required to keep applications and data secure, said Chris Wysopal, CTO and co-founder of the application security firm Veracode.
"There are fewer degrees of freedom for developers to make mistakes on those platforms. Just as Java didn't eliminate all those vulnerabilities, I think we are going to see the same thing with no-code and low-code. In general, it helps make applications more secure, because it eliminates classes of vulnerabilities that you see in other environments, but it does not eliminate all the threats."
—Chris Wysopal
3. Platforms have different risks
While low-code platforms assume much of the software risk, companies need to be aware of the options for each platform to understand the potential attack surface area. Platforms that allow the addition of custom code, for example, introduce potential security problems along with user-defined functionality.
Low-code ecosystems that allow third-party components may allow attackers to create malicious software, said John Bratincevic, a senior analyst in Forrester Research's application development and delivery group.
"At a technical level, it is more secure, because you can't make as many technical fumbles. If the vendor doesn't allow you to write SQL, you can't introduce SQL injection, but many do allow the user to add custom features."
—John Bratincevic
Salesforce, for example, has done a good job of incorporating security guidance for developers into its documentation, after dealing with banking Trojans and several data breaches, including one caused by an API error and another by a malware attack.
4. Use the platform's security tools
Each platform offers a different set of logging and security tools. Companies should know their platform provider's approach to security and what capabilities they need to use to secure their applications.
In many ways, the security features and systems for low-code developers are more similar to those for business users than for high-code developers. AirTable, a popular low-code platform for small and medium-size businesses, recommends security measures that resemble advice for cloud users: Adopt two-factor authentication, use a password manager for complex passwords and minimize reuse, and adopt measures to automate security features such as single sign-on technology.
Other low-code security measures resemble SaaS offerings: role-based access controls, data security, and logging.
5. Resilience requires planning and design
In the end, companies need to include security in their broader planning. For low-code platforms, that means incorporating application-security testing and reporting into the development and management of low-code applications.
Scott Johnson, former general manager for Micro Focus's Fortify application security suite, wrore recently that in a truly resilient system, automation will allow developers to write and commit code, and the scans just happen. The goal should be to have code that fixes itself like a spell-checker.
"It's almost like when you hit the gas pedal on your car. There's a lot of stuff that goes on, but you don't have to know anything the engine does other than it goes. That's pretty powerful."
—Scott Johnson
Johnson shares five key focus areas for building in resilience to your software development: More testing automation, actionable results from testing, more frequent scans, breadth on coverage, and the scalability of your approach.
Build your team with the outcome in mind
Low-code will not replace traditional software development—at least, not anytime soon. However, developers are a good resource to tap to create good software practices that will result in resilient low-code applications and as mentors for promising low-code developers, said Forrester's Bratincevic. "If the platforms are aimed at business people, then it's really about being a logical thinker and being a problem solver," he said.
"Most business people are not used to translating their intentions in a concrete way. The people who are going to really be successful are those who can solve problems, think logically, and incorporate requirements—such as security—into their designs."
—John Bratincevic
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
