Low Code / No Code, however, does not necessarily translate to low/no risk. Business technologists, who typically do not have a background in software development or data engineering, are unlikely to understand the security implications of the solutions they can now deliver, or the cyber risks they may expose the business to in doing so.
Low Code and No Code development platforms are a rapidly emerging market within the technology sphere, with Gartner predicting growth of around 20% in 2023. This growth is anticipated to be driven largely by enterprise-wide hyper-automation use cases and by business technologists seeking to deliver technical solutions outside of the typical organisational IT framework (a new evolution of shadow IT).
Why Does Low/No Code Present Security Risks? – That’s the Vendor’s Responsibility… Isn’t It?
Much like in Cloud Computing environments, and in particular PaaS and IaaS, the provider is responsible for security up to a certain point. It is still, however, the responsibility of the customer to ensure the necessary security protections are configured for the platforms they create. This is known as the Shared Responsibility Model. In the Cloud model, the service provider secures the underlying infrastructure, data storage, and access management for the components that the customer does not manage themselves. The customer remains responsible for the components they configure as part of the platform they build. Seeking compensation from Amazon when you have just opened up anonymous access to an S3 bucket containing customer information is unlikely to get very far!
The Shared Responsibility Model has become an established framework used in Cloud outsourcing agreements. The model describes the security responsibilities each party will own as part of the agreement, usually dependent on the type of service procured and the way in which the provider has implemented it. Typically, the customer will be responsible for ensuring the service meets their security needs, and deciding what data they choose to store within it. Most importantly, the customer is responsible for the secure configuration of the services they use.
In the same vein, the Shared Responsibility Model is progressively being seen as applicable to low/no code environments, with the customer bearing some of the responsibility to ensure they are not introducing vulnerabilities in the configuration or ‘code’ of the applications and services they create. Whilst the underlying infrastructure and some key security features that mitigate common risks of the low/no code platform are likely to be provided by the vendor, it is still the responsibility of the customer configuring their own applications to ensure the necessary security controls and mitigations are in place.
This responsibility increases further when customisation or changes to the generated code are made to achieve a specific outcome. Deviations from the standard OOTB (Out of the Box) behaviour introduce an increased potential for security oversights and unforeseen vulnerabilities. This is further exacerbated when the application needs to connect to external services or data points to meet its objectives.
The risk of introducing flaws in business logic or insecure connections increases substantially, and when coupled with a lack of technical knowledge and experience, this can lead to unintentional security vulnerabilities that have not been assessed or quantified.
Currently, the Shared Responsibility Model is not typically included in commercial agreements with low/no code service providers, but organisations and their procurement teams should approach these agreements through a similar lens as those with Public Cloud providers. A clear and agreed understanding of where responsibilities lie is an important consideration. Understanding this delineation of responsibilities will help businesses to form their own internal policies for low/no code implementation and improve their resilience to potential unforeseen cyber threats.
What are the Security Risks Associated with Low Code Applications?
Organisations and business leaders seeking to implement low/no code solutions should familiarise themselves with some of the common identified risks associated with these platforms. By understanding some of the potential pitfalls of utilising these technologies, businesses can better protect themselves from unintentionally introducing security vulnerabilities when leveraging the convenience and efficiency low/no code platforms can provide.
One of the key considerations is the quality of the code being produced behind the scenes, whether or not it is visible to the end user. Security vulnerabilities are easily introduced through code that does not meet well-established secure coding standards. The quality of the code generated by these platforms can vary widely, and whilst the majority will seek to follow best practice, the customer is often unable to validate this or is not sufficiently trained to identify such vulnerabilities. Worse still, traditional analysis tools such as SAST (Static Application Security Testing) may not be able to analyse the customised code generated by these platforms because that code is not accessible to the customer, leaving a big unknown as to the overall security of the application and the data being processed through it. Customers of low/no code platforms would do well to seek guidance from the provider on how they can mitigate these risks and adhere to security best practices.
Further to the code quality issue, organisations should perform the same due diligence on the low/no code platform provider as they would on any other vendor. This step is often overlooked in the realm of shadow IT, where business leaders, knowingly or otherwise, accept the operational risk of introducing such applications. Organisations need to validate that the provider employs best security practices within the provisioned environment, such as logical separation of data, encryption of data in transit and at rest, and the implementation of sufficient security controls to protect their systems and their customers’ data. Businesses that impose these requirements through robust policies and colleague awareness, coupled with technical controls such as CASB (Cloud Access Security Broker), may limit the potential impact of procuring poorly considered shadow IT systems and services.
For the more cyber-savvy individuals and security teams, a great place to understand the specific risks of low/no code platforms in more detail is OWASP (owasp.org). At the time of writing (January 2023), OWASP listed the following top ten security risks associated with low/no code implementations:
- Account Impersonation
- Authorization Misuse
- Data Leakage and Unexpected Consequences
- Authentication and Secure Communication Failures
- Security Misconfiguration
- Injection Handling Failures
- Vulnerable and Untrusted Components
- Data and Secret Handling Failures
- Asset Management Failures
- Security Logging and Monitoring Failures
OWASP provides a description of each security risk, including specific examples and suggestions on how to prevent or limit the likelihood of exposure to it. This is a valuable resource for better understanding the risks low/no code platforms present, and in turn for helping organisations identify suitable controls to mitigate them and quantify the residual risk.
Whilst low/no code environments are capable of offering low cost, efficient, and effective solutions to business, organisations would be wise to approach this form of application development using the same security policies and principles employed for traditionally coded applications. This should include the necessary due diligence when procuring the services, as well as secure coding practices and regular application security testing once in use. Businesses that assume that low/no code means low/no risk do so at their peril!