Low-code development platforms have changed the way people create custom business solutions, including apps, workflows, and copilots. These tools empower citizen developers and create a more agile environment for app development. Adding AI to the mix has only enhanced this capability. The fact that there aren’t enough people at an organization that have the skills (and time) to build the number of apps, automations and so on that are needed to drive innovation forward has given rise to the low-code/no-code paradigm. Now, without needing formal technical training, citizen developers can leverage user-friendly platforms and Generative AI to create, innovate and deploy AI-driven solutions.
But how secure is this practice? The reality is that it’s introducing a host of new risks. Here’s the good news: you don’t have to choose between security and the efficiency that business-led innovation provides.
A shift beyond the traditional purview
IT and security teams are used to focusing their efforts on scanning and looking for vulnerabilities written into code. They’ve centered on making sure developers are building secure software, assuring the software is secure and then – once it’s in production – monitoring it for deviations or for anything suspicious after the fact.
With the rise of low code and no code, more people than ever are building applications and using automation to create applications – outside the traditional development process. These are often employees with little to no software development background, and these apps are being created outside of security’s purview.
This creates a situation where IT is no longer building everything for the organization, and the security team lacks visibility. In a large organization, you might get a few hundred apps built in a year through professional development; with low/no code, you could get far more than that. That’s a lot of potential apps that could go unnoticed or unmonitored by security teams.
A wealth of new risks
Some of the potential security concerns associated with low-code/no-code development include:
- Not in IT’s purview – as just mentioned, citizen developers work outside the lines of IT professionals, creating a lack of visibility and shadow app development. Additionally, these tools enable an infinite number of people to create apps and automations quickly, with just a few clicks. That means there’s an untold number of apps being created at breakneck pace by an untold number of people all without IT having the full picture.
- No software development lifecycle (SDLC) – Developing software in this way means there’s no SDLC in place, which can lead to inconsistency, confusion and lack of accountability in addition to risk.
- Novice developers – These apps are often being built by people with less technical skill and experience, opening the door to mistakes and security threats. They don’t necessarily think about the security or development ramifications in the way that a professional developer or someone with more technical experience would. And if a vulnerability is found in a specific component that is embedded into a large number of apps, it has the potential to be exploited across multiple instances
- Bad identity practices – Identity management can also be an issue. If you want to empower a business user to build an application, the number one thing that might stop them is a lack of permissions. Often, this can be circumvented, and what happens is that you might have a user using someone else’s identity. In this case, there is no way to figure out if they’ve done something wrong. If you access something you are not allowed to or you tried to do something malicious, security will come looking for the borrowed user’s identity because there’s no way to distinguish between the two.
- No code to scan – This causes a lack of transparency that can hinder troubleshooting, debugging and security analysis, as well as possible compliance and regulatory concerns.
These risks can all contribute to potential data leakage. No matter how an application is built – whether it gets built with drag-and-drop, a text-based prompt, or with code – it has an identity, it has access to data, it can perform operations, and it needs to communicate with users. Data is being moved, often between different places in the organization; this can easily break data boundaries or barriers.
Data privacy and compliance are also at stake. Sensitive data lives within these applications, but it’s being handled by business users who don’t know how (nor even think to) to properly store it. That can lead to a host of additional issues, including compliance violations.
Regaining visibility
As mentioned, one of the big challenges with low/no code is that it’s not under the purview of IT/security, which means data is traversing apps. There’s not always a clear understanding of who is really creating these apps, and there’s an overall lack of visibility into what’s really happening. And not every organization is even fully aware of what’s happening. Or they think citizen development isn’t happening in their organization, but it almost certainly is.
So, how can security leaders gain control and mitigate risk? The first step is to look into the citizen developer initiatives within your organization, find out who (if anyone) is leading these efforts and connect with them. You don’t want these teams to feel penalized or hindered; as a security leader, your goal should be to support their efforts but provide education and guidance on making the process safer.
Security must start with visibility. Key to this is creating an inventory of applications and developing an understanding of who is building what. Having this information will help ensure that if some kind of breach does occur, you’ll be able to trace the steps and figure out what happened.
Establish a framework for what secure development looks like. This includes the necessary policies and technical controls that will ensure users make the right choices. Even professional developers make mistakes when it comes to sensitive data; it’s even harder to control this with business users. But with the right controls in place, you can make it difficult to make a mistake.
Toward more secure low-code/no-code
The traditional process of manual coding has hindered innovation, especially in competitive time-to-market scenarios. With today’s low-code and no code platforms, even people without development experience can create AI-driven solutions. While this has streamlined app development, it can also jeopardize the safety and security of organizations. It doesn’t have to be a choice between citizen development and security, however; security leaders can partner with business users to find a balance for both.