The low-code approach is a great way to expedite software development, decrease costs, and bring non-technical users into the process. However, to make it work for your project, it’s best to be aware of the low-code security risks you may run into.
Don’t get the wrong impression: low-code tools and platforms do have built-in security features. The reason we need to talk about risks is simple: the trend of low-code development is on a steep upward trajectory. Analysts forecast a 31.3% CAGR market growth — from $12.5 billion in 2020 to $190 billion in 2030. As adoption rates grow, the apps’ vulnerabilities will undoubtedly draw more attention from cybercriminals.
Acropolium’s developers embrace the versatility and speed that the low-code/no-code architecture provides. With products in our portfolio that include online payment and social media functionality, we double down on security to protect sensitive user data.
This text summarizes our findings concerning the security of low-code development.
In a few minutes, you’ll know exactly where to look for gaps and how to mitigate security issues with low-code. Let’s get right into it.
Low-code security issues to look out for
The idea of low-code development boils down to using pre-built units in a visual environment to create software in the cloud. The simplicity of the process saves time and costs, while the diversity of components ensures broad OOTB (out-of-the-box) functionality.
With low-code platforms, companies can even build simple solutions without hiring IT pros. However, software engineers can augment the resulting product if necessary or connect external apps and services. Practical, isn’t it?
At the same time, the build-it-yourself nature of the method implies that the overall security is now dependent on all the parties and tools involved.
And this leads to several concerns:
- Lack of security training among citizen developers. Let’s be honest, not every business user understands software security — at least not at the same level a trained specialist would. So you can’t expect software created by less tech-savvy users to be free of security issues. Overlooking security settings is very common (we’ll provide an example later).
- Vulnerabilities in API integration. APIs (application programming interfaces) allow apps to exchange queries and data. Unauthorized access through compromised APIs is one of the top security risks with low-code. Organizations rarely have an API security review strategy for low-code development in place unless it’s supervised by the IT department.
- Failure to set proper roles and access rights. When new software is built without oversight by security professionals, valuable data may slip through the cracks due to flawed access controls. Data breaches become possible when users misconfigure privileges in a way that allows employees or outside actors to view, change, or download critical files.
- Use of third-party code with internal security issues. When you connect external components to your newly built application (to add menus, widgets, or new functions), you lose a lot of control. The security of that new code is completely out of your hands, and your app inherits its vulnerabilities.
- Possible flaws in vendor code. When choosing a low-code vendor, you automatically assume their code is safe. Unfortunately, that’s not always a given. Unless the platform is open-source, there is no easy way to inspect the code and verify its integrity. Cybercrooks may abuse the security gaps in it — by illegally accessing your database through SQL injection, for instance.
The risks are real. A data leak can be the result of negligence or a simple lack of knowledge. Malicious agents can access your company’s internal resources and exfiltrate data.
Let’s illustrate our point with a real-life case.
The Microsoft Power Apps data leak
Guess what — even leading vendors like Microsoft aren’t immune to security breaches. In August 2021, researchers reported multiple data leaks on portals built with the Power Apps low-code platform. The incidents exposed a total of over 38 million personal information records and affected 47 private companies and governmental bodies. Social security numbers, names, addresses, employee IDs, Covid-19 vaccination appointment details — all became public in this massive low-code data breach.
A vulnerability in an API turned out to be the root cause. The Microsoft Power Apps platform has the option of enabling OData (Open Data Protocol) APIs to retrieve information from record lists. The tables behind those lists carry a set of permissions that need to be configured properly. Due to a misconfiguration, anonymous users could read private data through the feed.
A team of security experts contacted businesses before the exposure could be exploited. The list included big names like Ford and American Airlines, as well as a number of state healthcare providers.
Ironically, the original issue wasn’t a platform security flaw. It was buried in the functionality that Microsoft included in its platform by design. However, the IT teams and users failed to assess the situation and set the correct permissions, which led to the leaks. Microsoft has since made changes to those settings, enabling table permissions by default.
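As an added illustration (not code from the original post or from Microsoft’s platform), here is a constructed authorization model of the two settings just described: a feed that answers anonymous callers when table permissions are not enforced, beside the deny-by-default version. The table names, roles and rows are invented.

```python
from dataclasses import dataclass, field

# Constructed model of the scenario described above: an OData feed over
# record lists whose readability depends on whether table permissions are
# enforced and which roles a rule grants. Table names, roles and rows are
# invented for this illustration.

@dataclass
class TablePermission:
    table: str
    read_roles: frozenset  # roles allowed to read the table

@dataclass
class PortalConfig:
    enforce_table_permissions: bool
    permissions: dict = field(default_factory=dict)  # table -> TablePermission

# Rows standing in for lists exposed through the feed (constructed sample data).
SAMPLE_TABLES = {
    "vaccine_appointments": [{"name": "A. Example", "ssn": "000-00-0000"}],
    "public_faq": [{"question": "Opening hours?", "answer": "9 to 5"}],
}

def odata_read(config, table, caller_roles):
    """Return the rows a caller may see, or None when access is denied."""
    if table not in SAMPLE_TABLES:
        return None
    if not config.enforce_table_permissions:
        # Nothing is enforced, so the feed answers anyone, anonymous included.
        return SAMPLE_TABLES[table]
    rule = config.permissions.get(table)
    if rule is None:
        return None  # deny by default: no rule means no access
    return SAMPLE_TABLES[table] if rule.read_roles & set(caller_roles) else None

def audit_anonymous_exposure(config):
    """Tables an anonymous caller (role 'anonymous' only) can read."""
    return sorted(t for t in SAMPLE_TABLES
                  if odata_read(config, t, {"anonymous"}) is not None)

# Weak setting: feed enabled but table permissions not enforced.
WEAK = PortalConfig(enforce_table_permissions=False)
# Corrected setting: permissions enforced; only the FAQ is deliberately public.
HARDENED = PortalConfig(enforce_table_permissions=True, permissions={
    "public_faq": TablePermission("public_faq", frozenset({"anonymous"})),
    "vaccine_appointments": TablePermission("vaccine_appointments",
                                            frozenset({"clinic_staff"})),
})
```

Running `audit_anonymous_exposure` against your own configuration model is the kind of check that would have flagged the exposed lists before a third party did.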
Security in low-code applications is a valid concern, but it’s not always the vendor’s fault. The responsibility is always shared, and there are quite a few weak links in the chain, so it’s a combination of factors.
In the next chapter, we’ll give you the tools to reduce low-code security risks or avoid them altogether.
7 Ways to mitigate low-code security risks
Disclaimer: Following this chapter’s advice will yield the best results if you develop a systematic, granular approach.
Here’s the lowdown.
Always consult with your software department
However knowledgeable your app’s users may be, they’ll always be more driven by the functionality they get than concerned with security. As a result, security in low-code enterprise applications often comes last.
“Shifting left” describes the idea of addressing concerns as early in development as possible. To achieve that, you’ll need to work closely with your tech team from the moment you decide to go low-code. You’ll surely benefit from the insights and security techniques they can offer.
Follow general security guidelines
With the help of your tech team, do everything you can to avoid being hacked. Secure ports, install a firewall, encourage employees to use MFA (multi-factor authentication). Tailor these efforts to your custom business needs, protecting your proprietary or customer data from unauthorized access.
APIs provide communication between apps, so they’re naturally a weak spot that hackers love to exploit. You can take a few precautions to prevent issues at the API level:
- Dynamically test connections with an API scanner
- Ensure proper authorization
- Secure unexpired tokens
- Prevent exposure of keys
- Monitor API updates for new vulnerabilities
- Promptly remove outdated APIs
- Put your APIs behind a firewall to minimize exposure
Remember: APIs are unique, so you’ll have to establish a procedure for vetting them.
Perform static code analysis
Use this method to inspect new code before it runs. Here’s the gist: a special analysis tool compares the source code against a set of coding rules, highlighting inconsistencies and possible issues. Plenty of static code analysis tools are available on the market, most of them offering great accuracy and a high degree of automation. This approach can be instrumental both for finding general errors and for spotting specific security risks.
Audit proprietary libraries
The Microsoft case above makes it clear that huge low-code platforms are susceptible to security flaws too. Even though it’s often a complicated process, checking proprietary libraries for security vulnerabilities is always worth the effort. Of course, you won’t be able to do it without the help of software engineers.
Assess third-party vendors before signing up
Do your due diligence and find out all you can about the vendor whose tool you’re going to use before you adopt it. What’s their track record on data breaches/leaks? How often do they scan their code for security gaps? What security certificates do they hold?
Be methodical and thorough when picking a vendor. After all, your reputation is at stake here.
Implement effective data governance practices
Data governance is a holistic approach to managing data within a company, and security is its integral part. For an organization of any scale, it’s advisable to set up universal authentication practices, along with a clear set of roles and access permissions. Following these protocols will help your business use data more efficiently.
These are the most typical steps for mitigating low-code security risks we can recommend from our experience. If you want to go a step further, jump to the bonus chapter.
A few extra tips to avoid low-code security issues
These two points complement and complete our previous advice:
- Work with a trusted software partner. Many of the steps listed above are much easier to complete when you have the necessary experience, skills, and knowledge. Unless your IT team has a strong background in low-code/no-code, we recommend hiring an outside consultant at the very least.
- Set up regular security workshops for your employees. Taking into account the emerging popularity of citizen development, educating your staff is a wise choice. Nipping security issues in the bud is better than dealing with the unpleasant consequences.
But tackling isolated issues isn’t enough. You should create a system where security is a long-term priority.
On a final note
Despite the possible security risks with low-code, prospects look good for the approach. Google has recently bought AppSheet, a leading no-code platform, and Gartner says 65% of all app functions will be developed with low-code by 2024. The architecture offers irrefutable benefits like accessibility, quick deployment, and a great choice of ready-made functions.
To avoid low-code security issues, we recommend developing such solutions under expert supervision. Involving IT professionals early in the process may later save your company’s or your customers’ sensitive data from unauthorized access.
Acropolium is ready to help. We’ll gladly consult you on the topic of low-code security and devise a step-by-step plan. With our guidance, you’ll be able to effectively mitigate risks and get the best out of the low-code approach. We can also develop any additional modules you may require.
Reach out to us, and we’ll get started right away!