Gartner estimates that by 2024, 65% of all applications will be built using low-code / no-code technology. Hmmm… where does security fit into that?
The Low-Code / No-Code Trend
Low-code / no-code applications are all the latest rage – and rightly so. They solve a pressing need for enterprises, where every time a team wanted to create an application, it had to go through the IT or development team. HR wants to create an application for the company event with their 5000 employees? IT. But when the IT team is focused on building applications for the business development team or supporting Sales with the deal that will “kill the quarter”, it’s easy to see how that event application moved to the back burner.
With low-code / no-code platforms the HR team can now build that application independently. Instead of waiting for scarce development resources, the platforms provide easy drag-and-drop tools that allow anyone at the company, with minimal training, to create their own application. HR wants to create that event landing page? They can now do it themselves quickly and easily, including adding a field where each employee confirms their T-shirt size.
Security Issues within Low-Code / No-Code
Low-code / no-code applications are now being released by the second everywhere, but… where’s the low-code / no-code in the application security program? How do you know that the app HR created is secure and is not leaking data? For instance, even if the HR app only displays the shirt-size field, the backend connection it uses may expose the full employee table, which might also include employee salaries. Taking it a step further, while the T-shirt size might seem like a harmless verification field, the same backend connection can still allow other fields to be manipulated, including an employee’s salary.
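A concrete version of the two failures just described (the backend returning more than the form displays, and the form’s update action accepting more than the form sends) beside the scoped alternative, as an added Python example that is not from the original post; the employee table, field names and connector functions are hypothetical:

```python
# Added example, not code from the original post. Models a low-code "shirt size"
# form wired to an employee table through a generic read/update connector.
from typing import Any


def sample_table() -> dict[int, dict[str, Any]]:
    """Constructed backing table behind the HR event app (hypothetical data)."""
    return {1001: {"id": 1001, "name": "A. Example", "salary": 92000, "tshirt_size": "M"}}


# What the event form actually needs; everything else stays server-side.
VISIBLE_FIELDS = frozenset({"id", "name", "tshirt_size"})
EDITABLE_FIELDS = frozenset({"tshirt_size"})
VALID_SIZES = frozenset({"XS", "S", "M", "L", "XL"})


def view_leaky(table: dict, employee_id: int) -> dict[str, Any]:
    """Default connector behaviour: hands the whole row to the app, salary included,
    even though the form only renders the shirt-size field."""
    return dict(table[employee_id])


def view_scoped(table: dict, employee_id: int) -> dict[str, Any]:
    """Hardened read: project only the columns the form displays."""
    row = table[employee_id]
    return {k: row[k] for k in VISIBLE_FIELDS}


def update_leaky(table: dict, employee_id: int, payload: dict[str, Any]) -> dict[str, Any]:
    """Default 'update record' action: writes whatever keys the request carries,
    so a payload with a salary key changes the salary."""
    table[employee_id].update(payload)
    return dict(table[employee_id])


def update_scoped(table: dict, employee_id: int, payload: dict[str, Any]) -> dict[str, Any]:
    """Hardened write: allow-list the editable field, validate its value, and
    reject the whole request if it touches anything outside the allow-list."""
    extra = set(payload) - EDITABLE_FIELDS
    if extra:
        raise PermissionError(f"fields not editable via this app: {sorted(extra)}")
    size = payload.get("tshirt_size")
    if size not in VALID_SIZES:
        raise ValueError(f"invalid shirt size: {size!r}")
    table[employee_id]["tshirt_size"] = size
    return view_scoped(table, employee_id)
```

The same allow-list logic belongs on the platform connector or the data source’s own permissions, not in the form, since the form is the part the citizen developer can change at will.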
Low-Code / No-Code Within the Application Security Stack
Twenty years ago, security was not considered in the application development and deployment process. That is, until databases were suddenly hit by SQL injection attacks and funds were lost to business logic exploits.
It took a while for enterprises to understand that application security needs its own stack of security solutions, and it took even longer to figure out that these should cover the entire process from inception to deployment. Today application security is an integral part of every security strategy, from source code analysis during the engineering and DevOps stages to runtime protection in the form of a Web Application Firewall (WAF).
Low-code / no-code platforms have added new actors, new processes and new tools to the application development theater. These create an entirely new and growing attack surface which, incredibly, is not covered by the current application security solution stack. Citizen developers and business developers are left on their own and security teams have limited visibility or control over these applications.
Enterprises shouldn’t wait years again until solutions and processes are put in place. Rather, it’s time to recognize that application security controls and processes must be extended to cover low-code / no-code application development.
This is where Nokod Security comes in. We’re set on a mission to extend application security to low-code / no-code.
Interested in hearing more? Reach out to us here