By Philippe Rondel, Senior Security Architect and Evangelist, Check Point Software.
It may be too early to call "Low Code/No Code" a revolution, but it is starting to look like one. This new step in the abstraction of the development environment, comparable to the way the C language abstracted raw assembler, could genuinely be disruptive: it gives non-coders the ability to produce their own applications through a development interface that invites them to describe or draw the expected process instead of coding it directly.
Of course, the Low Code/No Code model will not be used by business units alone. DevOps and traditional development teams will also benefit from it to speed up development and to compensate for the constant shortage of developer resources. But business units in particular will see a significant opportunity to become autonomous in application creation: applications that fit their needs, built without any direct coding and delivered to the business with a very short time-to-market.
But is there a downside to Low Code/No Code? Without clear involvement of the CIO and CISO in its adoption, Low Code/No Code may open the door to shadow IT from business units: not only can they already consume SaaS applications, they can now create their own. It is therefore in the interest of the business that IT does not block this adoption, but instead puts guardrails around it by providing a catalog of services to host those applications in public or private clouds, and takes the time to validate them and provide adequate security.
As security professionals, we need to anticipate these new use cases and be prepared in advance for the risks they involve. We also need to recognize that the legacy mindset, which focused on banning new technologies like these because they introduce new risks, can no longer be sustained.
CISOs should quickly define their decision criteria: the data the application produces, the data it consumes from existing information systems, the data it stores itself, the access methods it exposes, and how authorization is handled. These criteria allow them to validate a project, to decide where to host the application, and to determine which security measures are necessary.
Decrease attack surface
Some Low Code/No Code solutions are tied to large platforms such as ERP, CRM or collaboration suites; in that case the applications released are mostly add-ons, plugins and complementary SaaS applications. Other solutions are completely independent and produce a full application that generally needs to be hosted in Kubernetes or a similar environment.
Because the organization does not control the generated application code, it is very important to focus on validating that the full application environment complies with the organization's security policy. CSPM (Cloud Security Posture Management) lets you continuously validate the private or public cloud environments used by those applications and remediate automatically when needed, covering network exposure, identity and access rights, container images, and other aspects.
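As an added illustration (not code from the article or from any CSPM product), the following Python script performs the kind of posture check described above against the workload specs a Low Code/No Code platform might emit for a Kubernetes-hosted application: privileged or host-network containers, missing non-root settings, images from an unapproved registry or without a pinned tag or digest, and namespaces that run workloads without any NetworkPolicy. The manifests, the allowed-registry list and the rules are constructed assumptions; a real CSPM tool would read live resources from the cluster and cloud APIs instead of inline dictionaries.

```python
"""Posture check over Kubernetes workload specs.

Added example, not code from the article or from any CSPM product. The
manifests below are constructed to resemble what a Low Code/No Code
platform might emit; ALLOWED_REGISTRIES and the rules are assumed policy.
"""
from typing import Dict, List

# Assumed organisation policy: images must come from an internal registry.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def image_is_pinned(image: str) -> bool:
    """A pinned image has a digest or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/repository path
    return ":" in last and not last.endswith(":latest")


def check_pod_spec(name: str, spec: Dict) -> List[str]:
    """Return policy findings for one pod spec; an empty list means compliant."""
    findings = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork is enabled")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{cname}: runAsNonRoot is not set")
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            findings.append(f"{cname}: image {image!r} is not from an allowed registry")
        if not image_is_pinned(image):
            findings.append(f"{cname}: image {image!r} is not pinned")
    return findings


def audit(resources: List[Dict]) -> List[str]:
    """Check workloads and require at least one NetworkPolicy per namespace."""
    findings: List[str] = []
    with_workloads, with_netpol = set(), set()
    for r in resources:
        kind = r.get("kind")
        meta = r.get("metadata", {})
        ns = meta.get("namespace", "default")
        name = f"{kind}/{meta.get('name', '<unnamed>')}"
        if kind == "NetworkPolicy":
            with_netpol.add(ns)
        elif kind == "Deployment":
            with_workloads.add(ns)
            findings += check_pod_spec(name, r["spec"]["template"]["spec"])
        elif kind == "Pod":
            with_workloads.add(ns)
            findings += check_pod_spec(name, r["spec"])
    for ns in sorted(with_workloads - with_netpol):
        findings.append(f"namespace {ns}: workloads without any NetworkPolicy")
    return findings


# Constructed sample: a non-compliant deployment as a platform might emit it ...
NONCOMPLIANT = [{
    "kind": "Deployment",
    "metadata": {"name": "orders-app", "namespace": "lcnc-dev"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}]

# ... and the same application hosted under the assumed policy.
COMPLIANT = [
    {
        "kind": "Deployment",
        "metadata": {"name": "orders-app", "namespace": "lcnc-prod"},
        "spec": {"template": {"spec": {
            "securityContext": {"runAsNonRoot": True},
            "containers": [{"name": "web",
                            "image": "registry.example.internal/lcnc/orders-app:1.4.2",
                            "securityContext": {"allowPrivilegeEscalation": False}}],
        }}},
    },
    {"kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "lcnc-prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]

if __name__ == "__main__":
    for label, res in (("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(f"{label}: {len(audit(res))} finding(s)")
        for finding in audit(res):
            print("  -", finding)
```

Running the script lists seven findings for the first deployment and none for the second. In practice the same rules are expressed in a policy engine that evaluates them continuously and can remediate (for example by rejecting the workload at admission time) rather than only reporting.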
Shared responsibility model
With the introduction of Low Code/No Code applications, the existing shared responsibility model between cloud service providers and customers expands significantly, with the Low Code/No Code provider added in the middle. This abstraction layer produces applications that may contain technical vulnerabilities (SQL injection, for example), yet it is hard to hold the customer who produced the application accountable for the code itself, since they only supplied a description of the process.
In any case, you should assume that such an abstraction mechanism is prone to creating vulnerabilities, and that when you discover one it will take time to fix. First, because you do not have your hands on the final code; second, because the Low Code/No Code provider must correct the generator that produced the defective code, which is considerably more challenging than patching a single application.
To offset this higher risk, such applications should be protected by a web application protection solution that includes an automatic learning mechanism, because the business will usually own the application lifecycle and development cycles will be very short, leaving no time to hand-write protection rules for each release.
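The following Python sketch, added here and not code from the article or from any vendor, shows what such an automatic learning mechanism does in front of a generated application: in learning mode it builds a per-parameter profile (maximum length and observed character classes) from baseline traffic, and in enforcement mode it flags requests that deviate from that profile, including an SQL injection attempt of the kind the generated code itself might not defend against. The request samples, paths and the length slack factor are constructed assumptions.

```python
"""Learning-mode positive security model for web application parameters.

Added example, not code from the article or from any product. Baseline and
attack requests, paths and the length slack factor are constructed
assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Coarse character classes; "other" catches quotes, '=' and similar metacharacters.
CLASS_PATTERNS = {
    "digit": re.compile(r"[0-9]"),
    "alpha": re.compile(r"[A-Za-z]"),
    "space": re.compile(r"\s"),
    "punct_safe": re.compile(r"[._@-]"),
    "other": re.compile(r"[^0-9A-Za-z\s._@-]"),
}


def char_classes(value: str) -> Set[str]:
    """Set of character classes present in a parameter value."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(value)}


@dataclass
class ParamProfile:
    max_len: int = 0
    classes: Set[str] = field(default_factory=set)


class LearningWaf:
    """Learns a profile per (path, parameter), then enforces it."""

    def __init__(self, slack: float = 1.25):
        self.slack = slack                      # tolerated growth over learned max length
        self.learning = True
        self.profiles: Dict[Tuple[str, str], ParamProfile] = {}

    def observe(self, path: str, params: Dict[str, str]) -> None:
        for key, value in params.items():
            p = self.profiles.setdefault((path, key), ParamProfile())
            p.max_len = max(p.max_len, len(value))
            p.classes |= char_classes(value)

    def enforce(self) -> None:
        self.learning = False

    def inspect(self, path: str, params: Dict[str, str]) -> List[str]:
        """Return violations; an empty list means the request fits the learned profile."""
        if self.learning:
            self.observe(path, params)
            return []
        violations = []
        for key, value in params.items():
            p = self.profiles.get((path, key))
            if p is None:
                violations.append(f"{path}: unexpected parameter {key!r}")
                continue
            limit = int(p.max_len * self.slack) + 1
            if len(value) > limit:
                violations.append(f"{path}: {key!r} length {len(value)} exceeds limit {limit}")
            unseen = char_classes(value) - p.classes
            if unseen:
                violations.append(f"{path}: {key!r} has unseen character classes {sorted(unseen)}")
        return violations


# Constructed baseline traffic for a generated "orders" application.
BASELINE = [
    ("/orders/search", {"customer_id": "10423", "status": "shipped"}),
    ("/orders/search", {"customer_id": "7", "status": "open"}),
    ("/orders/search", {"customer_id": "88812", "status": "cancelled"}),
]


def build_waf() -> LearningWaf:
    """Learn from the constructed baseline, then switch to enforcement."""
    waf = LearningWaf()
    for path, params in BASELINE:
        waf.inspect(path, params)               # learning mode: nothing is blocked yet
    waf.enforce()
    return waf


if __name__ == "__main__":
    waf = build_waf()
    requests = [
        {"customer_id": "3301", "status": "open"},             # benign
        {"customer_id": "1 OR 1=1--", "status": "open"},       # SQL injection attempt
        {"customer_id": "5", "debug": "1"},                    # parameter never seen in learning
    ]
    for params in requests:
        print(params, "->", waf.inspect("/orders/search", params) or "allowed")
```

Two caveats apply to any learning mechanism of this kind. The baseline must be captured from traffic known to be clean, because anything present during learning becomes part of the accepted profile. And free-text fields learn broad character classes and gain little from this check alone, which is why a learned positive model complements signature rules rather than replacing them.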
In summary, rather than blocking something that could deliver value to your organization, be prepared to put guardrails around these new applications and to host them securely, because they are arriving anyway.
Get more cyber security, tech and business insights when you sign up for the CyberTalk.org newsletter.