Get up to speed fast on the techniques behind successful enterprise application development, QA testing and software delivery from leading practitioners.
How to improve your observability systems
What people don’t get about value stream management
Usability: Where software testing tools fall short
Meet the collaborative robots that will revolutionize testing
3 benefits of AI in functional testing
Trends and best practices for provisioning, deploying, monitoring and managing enterprise IT systems. Understand challenges and best practices for ITOM, hybrid IT, ITSM and more.
The 8 flavors of serverless: How to choose wisely
5 steps to becoming a data-sharing master
How AIOps is a game-changer for predictive analytics and CloudOps
The state of IT operations management: 6 trends to watch
4 lessons IT has learned from the pandemic
All things security for software engineering, DevOps, and IT Ops teams. Stay out front on application security, information security and data security.
3 best practices for locking down your hybrid cloud security approach
Let’s fight cybercrime like we did piracy in the 18th century
How technical debt is hurting your software team—and your app sec
Shift to cyber resilience: 7 steps to a better security approach
How cloud-native is changing the role of the CISO
TechBeacon Guides are collections of stories on topics relevant to technology practitioners.
TechBeacon Guide: The State of SecOps 2021
TechBeacon Guide: Application Security Testing
TechBeacon Guide: Data Masking for Privacy and Security
TechBeacon Guide: Cloud Security & Data Privacy
TechBeacon Guide: Unstructured Data Security
Discover and register for the best 2021 tech conferences and webinars for app dev & testing, DevOps, enterprise IT and security.
DevOps World 2021
SKILup Days: 2021 – Observability
Webinar: Threat Hunting—Stories from the Trenches
Webinar: Cybersecurity Executive Order Challenges and Strategies
Webinar: Data Privacy and CIAM—Complete Your Identity Stack
Companies continue to demand skilled software developers, with the US Bureau of Labor Statistics estimating that the profession will grow 22% over the next decade, much faster than the average 4% growth rate across the job market as a whole.
Yet the continually high demand for developers has also led to the growth of platforms to create applications in a way that minimizes coding. Low-code platforms allow plug-and-play approaches to creating ever-more-complex software systems. From Salesforce to Microsoft, and from AirTable to Zoho, a variety of companies are offering tools to easily combine databases with front-end interfaces that include visualizations.
And the pandemic has accelerated low-code growth as companies push their digital transformations, said Johan den Haan, chief technology officer of low-code platform Mendix.
“Evolving low-code ecosystems will underpin business innovation. The technology stack will expand horizontally, to have an integrated developer experience with drag-and-drop simplicity for data integration, data science insights, building AI solutions, and creating multi-experiences.”
Johan den Haan
Yet the security and resilience of low-code platforms and the resulting applications continue to be questionable. While many types of security issues—such as command injection vulnerabilities and buffer overflows—are pushed off from the developer to the low-code platforms, the users of those platforms still need to focus on security.
Here are five ways that companies can ensure that their low-code applications are secure and resilient.
The creators of low-code applications are usually not typical developers, but business users who are building their own tools to satisfy a problem. Unfortunately, they have not taken a secure-coding or secure application-design course, and companies need to recognize that lack of knowledge, Sandy Carielli, principal analyst at Forrester Research, said in a post on the business intelligence firm’s blog.
“Low-code developers fall into two buckets: professional developers who leverage low-code to improve speed and responsiveness and citizen developers who sit outside of IT and development. Citizen developers not only have never taken a secure development class but likely have not taken any development classes at all—therefore, common application security concepts will be even more foreign.”
Sandy Carielli
To build awareness, companies using low-code platforms need more security champions, within different populations. In addition to including security champions in any DevOps teams, where low-code and serverless technologies may be used as one component of an application, security champions need to be embedded among business users who are also low-code creators, Forrester said in a recent report.
Because low-code development typically consists of picking components from a limited menu of software components created by the platform provider, or a third party, low-code creators can typically rely on the security measures enforced by the platform.
However, companies should understand the weaknesses of each platform and what is required to keep applications and data secure, said Chris Wysopal, CTO and co-founder of the application security firm Veracode.
“There are fewer degrees of freedom for developers to make mistakes on those platforms. Just as Java didn’t eliminate all those vulnerabilities, I think we are going to see the same thing with no-code and low-code. In general, it helps make applications more secure, because it eliminates classes of vulnerabilities that you see in other environments, but it does not eliminate all the threats.”
Chris Wysopal
While low-code platforms assume much of the software risk, companies need to be aware of the options for each platform to understand the potential attack surface area. Platforms that allow the addition of custom code, for example, introduce potential security problems along with user-defined functionality.
Low-code ecosystems that allow third-party components may allow attackers to create malicious software, said John Bratincevic, a senior analyst in Forrester Research’s application development and delivery group.
“At a technical level, it is more secure, because you can’t make as many technical fumbles. If the vendor doesn’t allow you to write SQL, you can’t introduce SQL injection, but many do allow the user to add custom features.”
John Bratincevic
Salesforce, for example, has done a good job of incorporating security guidance for developers into its documentation, after dealing with banking Trojans and several data breaches, including one caused by an API error and another by a malware attack.
Each platform offers a different set of logging and security tools. Companies should know their platform provider’s approach to security and what capabilities they need to use to secure their applications.
In many ways, the security features and systems for low-code developers are more similar to those for business users than for high-code developers. AirTable, a popular low-code platform for small and medium-size businesses, recommends security measures that resemble advice for cloud users: Adopt two-factor authentication, use a password manager for complex passwords and minimize reuse, and adopt measures to automate security features such as single sign-on technology.
Other low-code security measures resemble SaaS offerings: role-based access controls, data security, and logging.
In the end, companies need to include security in their broader planning. For low-code platforms, that means incorporating application-security testing and reporting into the development and management of low-code applications.
Scott Johnson, former general manager for Micro Focus’s Fortify application security suite, wrore recently that in a truly resilient system, automation will allow developers to write and commit code, and the scans just happen. The goal should be to have code that fixes itself like a spell-checker. 
“It’s almost like when you hit the gas pedal on your car. There’s a lot of stuff that goes on, but you don’t have to know anything the engine does other than it goes. That’s pretty powerful.”
Scott Johnson
Johnson shares five key focus areas for building in resilience to your software development: More testing automation, actionable results from testing, more frequent scans, breadth on coverage, and the scalability of your approach.
Low-code will not replace traditional software development—at least, not anytime soon. However, developers are a good resource to tap to create good software practices that will result in resilient low-code applications and as mentors for promising low-code developers, said Forrester’s Bratincevic. “If the platforms are aimed at business people, then it’s really about being a logical thinker and being a problem solver,” he said.
“Most business people are not used to translating their intentions in a concrete way. The people who are going to really be successful are those who can solve problems, think logically, and incorporate requirements—such as security—into their designs.”
—John Bratincevic
Get up to speed fast on the state of app sec testing with TechBeacon’s Guide. Plus: Get Gartner’s 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon’s Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon’s Guide.
Get the best of TechBeacon, from App Dev & Testing to Security, delivered weekly.

Brought to you by

I’d like to receive emails from TechBeacon and Micro Focus to stay up-to-date on products, services, education, research, news, events, and promotions.
Check your email for the latest from TechBeacon.


Leave a Reply