
Low Code and No Code: The Security Challenge


Poorly chosen low- and no-code platforms can bring a number of security vulnerabilities. Let’s look at some key challenges and how they can be avoided.
This is an article from DZone’s 2022 Low Code and No Code Trend Report.
Many companies are looking to low-code and no-code platforms to build apps in a visual environment. They provide the opportunity for faster app development and reduce the dependence on highly skilled developers. Companies may hire less experienced or only minimally trained staff (I’ll call them citizen developers) to meet service gaps and to respond to skills shortages, ensuring their larger dev team can focus on more advanced projects.

Poorly chosen low-code and no-code platforms and poorly managed projects and teams can bring with them a number of security vulnerabilities that, if not addressed, leave companies (and potentially their customers) in a world of pain. Let’s take a look at some of the key challenges and risks and how they can be avoided.

Low-code and no-code tasks expand the developer pool. This can make it hard for team leaders to keep track of what is being built and with what resources. Inexperienced or citizen developers may be using insecure software or practices without the knowledge of the security or IT team. For example, a lack of knowledge of authentication may lead to the use of HTTP instead of HTTPS. Risks also include storing data insecurely, like on a personal device instead of within the company-vetted cloud.

Low-code and no-code applications may be poorly tracked, updated, and even overlooked in efforts like business continuity planning. They may be perceived as low-priority and left without ownership if staff members leave or if the citizen developers go back to their original tasks. As there is a lack of standards across platforms, it may be harder to replace developers with specific knowledge. More chaotic companies may not even know how many such apps are live, much less continuously monitor them for security vulnerabilities.

While developers and developer marketing media may perceive low-code and no-code providers as the next big thing, business owners and decision-makers may not be familiar with them or may consider such services unsuited to “real-world” applications.
