The low-no-code series – Secure Code Warrior: Don’t just build it, understand it

The Computer Weekly Developer Network gets high-brow on low-code and no-code (LC/NC) technologies in an analysis series designed to uncover some of the nuances and particularities of this approach to software application development.

Looking at the core mechanics of the applications, suites, platforms and services in this space, we seek to understand not just how apps are being built this way, but also… what shape, form, function and status these apps exist as… and what the implications are for enterprise software built this way, once it exists in live production environments.

This post is written by Matias Madou, CTO and co-founder of Secure Code Warrior – a company known for its developer security skills platform that aims to provide skills-based pathways and contextual tools for developers to write secure, quality code and fix common security bugs in real-time.

Madou writes as follows…

When adoption of low-code/no-code (LC/NC) platforms first took off in the 1990s, with the growing popularity of ‘drag and drop’ applications, it soon tailed off again, largely because the technology wasn’t ready. Security was among the main concerns: specifically, the idea that builders with a non-technical background would be creating and deploying the applications. 

The technology has been upgraded since the 1990s, of course, but the concept hasn’t changed – suggesting this sector could open the door to vulnerabilities. Yet, despite this, analysts expect the rollout of these platforms to grow significantly. 

Why is this? The worsening global shortage of developers is key. The adoption of digital tools was already rising fast pre-Covid and the pandemic accelerated it. Unfortunately, skills development and recruitment can’t keep up with this growing demand.

Instrumental gap plugging 

LC/NC platforms may be instrumental in plugging this gap. They are suitable for use by citizen developers and are capable of relieving pressure on overstretched IT and engineering teams. If they can help plug a small part of the developer shortage, that’s a positive for society’s digital transformation. 

However, the wide adoption of LC/NC platforms presents legitimate security concerns. To mitigate the risks of a vulnerability, security needs to be baked into every line of code. One of the main issues with LC/NC platforms is that the end-user cannot guarantee the quality of the code under the hood, or whether it’s been written with security in mind from the start of production.

But here’s the catch: LC/NC platforms provide the user with a host of benefits in terms of speed, simplicity and productivity because they take the complexity out of software design. The benefits are clear, so the practice is here to stay. This in itself lies at the heart of the security issues. These platforms are used to build millions of applications, so a simple mistake is easily replicated across all of them. The consequences can be devastating, and it’s this lack of visibility into the core security practices of the build that leads to increased risk in the software supply chain.

This isn’t to say that there isn’t a place in the industry for LC/NC frameworks, but there needs to be an onus on both creators and users of the platforms to ensure standards are met when it comes to the code being secure by design.

Don’t just make, understand first

Users cannot blindly trust frameworks and assume by default that everything will work. From a security perspective, it’s essential users understand how the framework was designed and how it’s intended to work, as oversimplification may have consequences. To anyone considering making use of LC/NC platforms, we’d recommend that the time saved on creating the applications is used to check for any potential security misconfigurations that can lead to data exposure, no matter how insignificant the data may seem. Reinforcing good security practices – no matter how software is created – is an essential step in quality assurance.

The main security concern of LC/NC is low visibility. For example, enterprises will often not have visibility of the code and of the security controls put in place by the LC/NC vendors, meaning they need to rely on the security tools they already have.

Matias Madou: For critical IT, anything short of certification and verified skills is cavalier at best.

Another concern is access control. At the implementation stage, this is vital in ensuring best practice is maintained. To make it simpler for the user, LC/NC platforms typically only allow access to what’s needed, but it’s important that the specifics are known and that end-users are actively learning these foundational security concepts as they create. 

Though LC/NC platforms may be able to plug the developer shortage in the short term, they’ll never replace professional developers. While the platforms are growing in popularity, they are no substitute for the full-scale, powerful capabilities in traditional software development. It’s creating a new market rather than taking over the existing developer market.

Combatting cavalier certification 

It’s been suggested that regulation or certification might need to be introduced to limit who can use these platforms, and how. Essentially, it comes down to the use of the application. 

For example, if it’s going to be used in an airplane, then anything short of certification and verified skills is cavalier at best. If it’s a phone application to play Tetris, then it’s obviously less important. It is uncertain how much value a specific qualification or certification would have in solving the problem. The most important thing is for the LC/NC platforms and the end-user to be confident that the code on which their applications and businesses are founded is built securely from the ground up.