What can be done to make sure your low code and no code mobile apps meet enterprise-level standards for security? Low code and no code development platforms are great tools for rapid software development, helping non-technical business experts and IT quickly write powerful, useful applications. But are no code app builders and low code development platforms secure? And what can be done to make sure they meet enterprise-level standards for security?
That’s the question posed by the article in Dark Reading, “In App Development, Does No Code Mean No Security?” The article poses the conundrum simply: “The question is whether no code also means no security.” It goes on to quote Vinay Mamidi, senior director of project management at security vendor Virsec: “While trained developers may have varying levels of skill in security, no code developers are generally oblivious to security best practices or risks.”
The reason for that, the article notes, is that no code developers haven’t been trained in security the way more experienced developers have. Because of that, it’s vital that businesses choose low code/ no code platforms that “themselves build security into the final product,” the article says.
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, believes that the right low code/ no code platform may be even more secure than other development tools. That’s because low code development platforms assume that whoever is writing applications will not have a background in security, and so handle many security issues themselves. He notes that with these platforms, “There's a huge step up [in security] because there is a common denominator as far as security best practices and implementations that framework providers build into their own SDLC [software development lifecycle]."
That doesn’t mean, though, that IT should assume that every aspect of security will be handled by the platforms. Hahad warns, “In no way does this solve the general problem of securing an application. Patching for vulnerable subsystems and third-party code still needs to be done, for example."
Virsec’s Mamidi adds, “Enterprises must find ways to audit processes and vendors, and maintain reasonable security oversight, even if that makes the [development] process a bit less convenient.”
The same general rules of security apply whether your company uses traditional development tools or a solid low code/ no code platform. The article concludes that it’s vital for organizations to have someone focused on security. It quotes Jason Kent, hacker in residence at Cequence, saying, “The most successful organizations that I see have an application security architect — somebody with a foot in security and a foot in development. They can more easily identify and define the kinds of controls that you need to make low code/ no code environments secure and still collaborative."
No code/ low code security concerns
Ensuring no code/ low code development platform security starts with understanding the various risks involved. Here are the most important things for developers to be aware of:
- Insecure code: Platform components that are developed insecurely can create serious problems later down the road. If a piece of code contains security issues or bugs, those problems will be inherited wherever in the system that code is replicated. This often happens when inexperienced developers rush to get new software up and running, without first properly analyzing the source code.
- Low visibility: For developers, the main benefit of low code/ no code platforms is not having to write and manage code when building applications. Consequently, implementing these platforms typically means placing a lot of trust in the vendor that’s supplying the code. Without inspecting the code internally or conducting a vendor security audit (which in certain cases isn’t even an option), businesses take the risk of utilizing insecure code.
- Access control and business logic flaws: With effective access control and business logic permissions, organizations can keep sensitive data from getting into the wrong hands. Solutions with flawed business logic often get deployed without being properly analyzed or tested, increasing the risk of data breaches and other issues.
As you shop around for the right no code/ low code platform, make sure to address all of the above safety concerns with each vendor. This will help you determine which solution provider is the safest, smartest match for your business.
Choosing a secure no code/ low code development platform
Build apps for free with either Alpha TransForm (for non-developers) or Alpha Anywhere (for developers). Both are no-code/low-code tools that include the highest levels of enterprise security. Alpha TransForm lets anyone build data collection apps with built-in dashboards. Alpha Anywhere has the unique ability to rapidly create mobile-optimized forms and field apps that can easily access and integrate with any database or web service and can exploit built-in role-based security or robust offline functionality. The products can work independently or together as a single platform and are well-suited for IT, citizen developers and other staff. Contact Us for more information.
Further Reading:
Guide to Low-Code Development: How to Choose the Right Low-Code Tool for Your Organization