A Leadership Guide to Mitigating Security Risks with Low Code Platforms
The low code market continues to grow, finding more and more adoption for more diverse and serious applications among businesses and independent software vendors (ISVs).
The lingering issue of application security persists, as stories of breaches continue to pour in and remote teams around the world embrace low code for faster application delivery. With Gartner predicting that 65% of applications will be built using the low-code paradigm by 2024, it is important to understand the security implications that come with it and to discuss how potential risks can be mitigated.
Most low-code platforms allow non-technical users to build applications quickly and provide built-in security for various aspects of the application (APIs, data access, web interfaces, deployment, and so on), together with platform-level customization capabilities for professional developers. That said, no platform can claim to be a silver bullet that abolishes all security risks.
Business leaders need to assess the internal and external risks that arise and ensure that certain safeguards are applied to secure low-code applications. Let’s discuss some of them in detail.
An API-first strategy is becoming more and more common in organizations today to expose services, data, etc. But do all of them pursue API security in the same spirit? According to a Salt Security report, 27% of organizations running production APIs have no API security policy. Web and mobile applications built using low-code APIs can potentially become an attack vector, if the underlying APIs are not secure enough.
It is important to review APIs for security, usually through penetration testing or analysis tools, before integrating them into low-code applications. Using an OAuth-based token exchange with short-lived access tokens and an appropriate refresh mechanism limits the window of exposure if a token is compromised. Additionally, applications can hide backend APIs behind a proxy that adds its own authentication layer, reducing the API attack surface exposed to clients.
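The proxy pattern described above, as an added example that is not code from the original article or from any particular low-code platform: the front end authenticates to the proxy with a short-lived HMAC-signed access token, refresh tokens are single-use, only an allow-list of backend routes is reachable, and the backend API key is injected by the proxy so the client never holds it. All key values, route names and the `fake_backend` stand-in are constructed for the demo.

```python
"""Added example (not from the original article): a minimal API proxy between a low-code
front end and a backend API. Clients hold short-lived access tokens issued by the proxy;
the backend API key is known only to the proxy and attached server-side."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

# Constructed secrets for the demo; in practice both come from a secret manager.
PROXY_SIGNING_KEY = b"constructed-demo-signing-key"
BACKEND_API_KEY = "constructed-backend-api-key"   # never returned to the client
ACCESS_TTL = 300                                  # 5-minute access tokens: a leaked one expires fast
REFRESH_TTL = 8 * 3600
EXPOSED_PREFIXES = ("/api/orders/",)              # allow-list of backend routes reachable via the proxy
REVOKED_REFRESH = set()                           # jti values of refresh tokens already rotated away


def _sign(body: bytes) -> str:
    return hmac.new(PROXY_SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_token(subject: str, kind: str, ttl: int, now: Optional[float] = None) -> str:
    """Mint a signed token of the given kind ('access' or 'refresh') for a subject."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "kind": kind, "exp": now + ttl,
                       "jti": secrets.token_hex(8)}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_token(token: str, kind: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid, the kind matches and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body), sig):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("kind") != kind or claims["exp"] <= now:
        return None
    return claims


def login(subject: str, now: Optional[float] = None) -> dict:
    """After the user has authenticated (e.g. via SSO, not shown), issue an access/refresh pair."""
    return {"access_token": issue_token(subject, "access", ACCESS_TTL, now),
            "refresh_token": issue_token(subject, "refresh", REFRESH_TTL, now)}


def refresh(refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
    """Rotate: a refresh token is single-use; it is revoked and a fresh pair is issued."""
    claims = verify_token(refresh_token, "refresh", now)
    if claims is None or claims["jti"] in REVOKED_REFRESH:
        return None
    REVOKED_REFRESH.add(claims["jti"])
    return login(claims["sub"], now)


def proxy_request(access_token: str, path: str,
                  backend_call: Callable[[str, dict], dict],
                  now: Optional[float] = None) -> dict:
    """Authenticate the caller, enforce the route allow-list, then forward with the backend key."""
    claims = verify_token(access_token, "access", now)
    if claims is None:
        return {"status": 401, "body": "invalid or expired access token"}
    if not path.startswith(EXPOSED_PREFIXES):
        return {"status": 403, "body": "route not exposed through the proxy"}
    # The backend key is attached here, server-side; the client never sees it.
    return backend_call(path, {"X-Api-Key": BACKEND_API_KEY, "X-Subject": claims["sub"]})


def fake_backend(path: str, headers: dict) -> dict:
    """Constructed stand-in for the real API: rejects calls without the backend key."""
    if headers.get("X-Api-Key") != BACKEND_API_KEY:
        return {"status": 401, "body": "missing backend key"}
    return {"status": 200, "body": f"{path} for {headers['X-Subject']}"}


if __name__ == "__main__":
    pair = login("alice")
    print(proxy_request(pair["access_token"], "/api/orders/42", fake_backend))
```

The point of the allow-list and the server-side key injection is that a compromised front end (or a token scraped from a browser) yields only a short-lived credential for a narrow set of routes, never the backend credential itself.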
Technology leaders need to take a close look at accessing business-critical data exposed through low-code applications from a security and governance perspective. Low-code platforms allow roles to be created with a specific set of permissions to view or modify this data, and development teams should be careful about configuring them correctly when developing the application. Data compromises typically arise when developers inadvertently extend permissions for a specific role by exposing additional data or providing elevated access.
To avoid these situations, IT security teams typically implement organization-wide authentication providers or single sign-on (SSO) that define roles and permissions across the organization. Low-code applications must integrate seamlessly with these systems and reuse the security and governance policies already in place rather than defining their own.
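As an added illustration (not code from the original article or from any low-code platform) of the two points above, the block below derives application roles from an SSO group claim rather than from app-local user records, projects each record down to the fields those roles are allowed to read, and lints the role configuration for the mistake the text describes: a role that quietly grants access to sensitive fields, or a wildcard grant. Role names, field names, the group-to-role mapping and the sample record are all constructed for the demo.

```python
"""Added example (not from the original article): per-role field access for data exposed by a
low-code app, with roles derived from the organization's SSO token, plus a configuration lint."""
from typing import Dict, Iterable, List, Set

# Constructed role definitions: which record fields each role may read.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "employee": {"id", "name", "email"},
    "hr":       {"id", "name", "email", "salary", "ssn"},
}
SENSITIVE_FIELDS = {"salary", "ssn"}
APPROVED_FOR_SENSITIVE = {"hr"}          # roles the security team has approved for sensitive data
# Assumption: the SSO ID token carries a 'groups' claim; this maps group values to app roles.
GROUP_TO_ROLE = {"all-staff": "employee", "hr-team": "hr"}


def roles_from_sso(claims: dict) -> Set[str]:
    """Derive app roles from the SSO 'groups' claim; unknown groups grant nothing."""
    return {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}


def allowed_fields(roles: Iterable[str]) -> Set[str]:
    """Union of the fields granted by every role the caller holds."""
    fields: Set[str] = set()
    for role in roles:
        fields |= ROLE_FIELDS.get(role, set())
    return fields


def project(records: List[dict], roles: Iterable[str]) -> List[dict]:
    """Return copies of the records containing only the fields the caller's roles allow.
    Deny-by-default: a field not listed for any held role is stripped."""
    fields = allowed_fields(roles)
    return [{k: v for k, v in rec.items() if k in fields} for rec in records]


def lint_role_config(role_fields: Dict[str, Set[str]], sensitive: Set[str],
                     approved: Set[str]) -> List[str]:
    """Flag role definitions that widen access beyond what was approved."""
    problems = []
    for role, fields in role_fields.items():
        if "*" in fields:
            problems.append(f"{role}: wildcard grant exposes every field, including future ones")
        if role not in approved:
            leaked = fields & sensitive
            if leaked:
                problems.append(f"{role}: grants sensitive fields {sorted(leaked)} without approval")
    return problems


if __name__ == "__main__":
    sample = [{"id": 1, "name": "Ann", "email": "ann@example.test",
               "salary": 90000, "ssn": "000-00-0000"}]   # constructed record
    print(project(sample, roles_from_sso({"groups": ["all-staff"]})))
    print(lint_role_config(ROLE_FIELDS, SENSITIVE_FIELDS, APPROVED_FOR_SENSITIVE))
```

Running the lint in the build pipeline (against the role configuration the platform exports) catches the "inadvertently extended permission" case at review time instead of after the data has been exposed.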
The API Security State report says 82% of organizations don’t know which APIs expose personal information or other sensitive data. When such APIs are used in low-code applications, an additional review process by internal security teams is required, and consent must be obtained from application users before their information is shared.
Access to applications outside the firewall
With the new norms brought by COVID-19 to make remote working possible, many organizations are pushing their applications and APIs outside the corporate network. This creates the need for additional security for low-code applications that operate outside those bounds, protecting them against malicious attacks. Low-code platforms should provide a secure framework for building web and mobile applications that mitigates the OWASP Top 10 vulnerabilities.
Proprietary code with hidden vulnerabilities
In this article, Chris Wysopal, CTO of Veracode, brought up the crucial talking point that many low-code platforms generate lots of proprietary software that is somewhat opaque, which makes security a challenge. Although a few platforms generate traditional code, it is a mixture of proprietary code and libraries that makes it difficult to perform static analysis.
A low-code platform that generates open, standards-based code using well-known open source libraries allows most static analysis tools to audit for known vulnerabilities and detect them early on. In addition, it is advisable to run a dynamic scan on the applications to identify vulnerabilities that only surface at runtime.
Shift security to the left
In line with the latest trend in DevSecOps, it is desirable to shift security to the left, introducing the necessary verification and auditing steps early in the development of the application. DevOps leaders should consider platforms that can integrate with static analysis tools from the moment developers make their first check-in.
This helps eliminate vulnerabilities in the early stages of development and prevents serious security holes from appearing in production.
Build a culture of self-service and ownership
Finally, low code development teams must be sufficiently aware of potential threats and security risks. Security training on application security best practices should be mandatory, and the overall development culture should empower and encourage developers to take responsibility for building secure applications.
Low-code platforms can help development teams thrive in this self-service culture, with tools that help them generate secure code and align with existing development methodologies and practices, abstracting away repetitive work so they can focus on adding business value.
Low-code security shouldn’t be a risk, if done right.