⚒️ What is Low Code No Code?
Software development is going through an innovative change with the emergence of low code and no code (LCNC) platforms. These platforms enable users to develop web and mobile applications without a software development background, using drag-and-drop features and a user-friendly development UI.
LCNC platforms provide great benefits:
- Faster time to market
- Huge cost savings
- Enable and empower non-IT professionals (known as citizen developers)
📢 Security Concerns for LCNC
To understand the security concerns associated with low code applications, the SecureState team hired an external development company based out of Los Angeles, California to build a low code platform using Bubble.io. The application was a simplified version of SecureState’s Vulnerability Management Platform. Here are our main takeaways after our research and security testing.
🔍 No Visibility into Internal Security
LCNC vendors do not provide transparency into their internal security program and processes to help determine their security posture. Proprietary libraries could contain hidden vulnerabilities, but there is no way to test them because they are maintained by the vendor.
📞 API Security
API integrations can expose sensitive data if they expose the API or generate a web application via an API.
👓 No Data Oversight
Many LCNC applications store or access data from other systems, and this is often done without proper oversight.
💉 Business Logic Issues
Although there are some built-in features that assist with access control and authentication, business logic problems can arise from the smallest details of how an application is built.
🚪 Access Control Issues
Access control is vital in the development phase: end users should only have access to the data that they need to see, nothing more. It's important to have a policy to control access to data sources based on role and an enterprise-wide policy.
🧑🤝🧑 Citizen Developers
An assessment of 100 developers in the LCNC space showed that 78% of developers had less than 3 years of experience in software development and 92% had no security training or background.
How to Approach Low Code/No Code Security
The main benefit when it comes to security is that much of it is taken care of by the platform provider, which leaves you responsible for a much smaller scope. Until now, there have been no solutions to help secure these types of platforms. SecureState provides a comprehensive approach to managed platform security through a dynamic platform that provides real-time data with actionable recommendations. Our team takes a proactive approach to security testing to identify and remediate issues before exploitation, and ensures a proper line of reactive measures for defense in depth.
⁉️ How We Do It
SecureState uses a combination of automated tools and manual testing to provide a hybrid approach that includes proactive and reactive security testing activities. Our team has decades of cybersecurity experience with some of the largest tech companies including AWS, VMware, Google and Nintendo.
Take the first step to security and schedule a call.