Topics In Demand
Notification
New

No notification found.

Is Low-Code Secure?
Is Low-Code Secure?

November 2, 2022

327

0

Security is on the mind of all IT professionals. Therefore, it’s no surprise that when evaluating low-code, they are sure to ask, “Is low-code secure?” In this blog, we’ll answer this question and others that IT managers like you have about low-code security and where it fits in the state of software development security today.

The State of Software Development Security

Unless you’ve been living way off the grid, it’s not news to you that cybercrime is growing and getting more sophisticated as businesses enter into new stages of digital maturity.

The increasing cyber threats have led CIO and CISOs to rethink the way their development teams produce software. Two main vectors have led to that change:

  • The lack of cybersecurity pros available in the market;
  • A growing demand to adopt DevSecOps practices.

1. It’s a Great Time to Be a Cybersecurity Pro

According to the Cybersecurity Jobs Report, in 2021, there were 3.5 million unfilled cybersecurity jobs, a number that is not expected to decrease before 2025. An increase in cyber crime is fueling demand for cybersecurity experts much faster than industry and universities can deliver raw talent. It’s a great time to be a cybersecurity pro and a terrible time if you’re trying to hire one.

Gartner’s advice on how to plug this cybersecurity talent gap is to “automate the boring parts,” such as manual log reviews, so skilled team members can use their time on value-adding activities. And in a recent report by the cybersecurity advocacy group (ISC)2, the use of intelligence and automation for manual cybersecurity tasks was identified as a top technology investment to overcome the talent gap.

2. DevSecOps: The New Kid on the Block

Between an uptick in ransomware attacks, lack of clear boundaries for organizational data, and increased risk with collaborative citizen development, we see an increased demand for DevSecOps. In this approach, instead of security testing being a heroic effort late in the software delivery lifecycle, it’s baked in from the get-go.

This “shift-left” mentality sees developers taking responsibility for security from requirements gathering and analysis all the way to architecture design, implementation, and testing. However, this ideal world, where security is embedded in the several stages of the app lifecycle, is very different from reality.

According to The State Of DevSecOps Report by Contrast Security:

  • 79% of organizations surveyed say their DevOps team is under increasing pressure to shorten release cycles.
  • 40% of respondents report that their teams sometimes or often skip security processes to meet deadlines.
  • 62% say that developers stop coding to remediate vulnerabilities at least every two or three days —and 27% do so daily.
  • Nearly 8 in 10 respondents say that the average application has 20 or more vulnerabilities.

This report shows that IT leaders have an uphill cybersecurity struggle. On one hand, recruiting developers with the necessary security skills is hard. On the other, training their existing staff to infuse security practices into the entire lifecycle takes time and perseverance. Preventing performance speeds and release schedules from trumping security priorities could even be career limiting.

Fortunately, there is a third option.

Fear Not: Low-Code Is Here

In a recent presentation based on customer research, Gartner named security as one of the top obstacles to adopting low-code, along with vendor lock-in and technical debt. The reason for these “fears” has more to do with perception than fact.

Why Is Security Seen as an Obstacle?

The reason for this “fear” has to do with the fact that low-code platforms abstract code, which is perceived as sacrificing security posture, such as vulnerability, threat, and error prevention, for speed. This is especially true when we’re talking about development platforms that cater to business users (the so-called citizen developers). Also, you cannot access the underlying code from the abstraction to test it the same way you test traditionally coded (“high-code”) applications.

Another reason that security is an obstacle is because many in IT have the idea that low-code requires even more specialized cybersecurity practitioners than DevSecOps. There is also a fear of time lost if entire development teams need to be trained on low-code security while IT backlogs continue piling up.

How Low-Code Can Help

The truth is, however, that low-code has a place in today’s software development security landscape. In fact, contrary to popular opinion, traditional application development doesn't always take security into account either. Or, someone puts it in place later.

By contrast, even the most basic low-code platforms today offer security protections. They can automatically test for vulnerabilities and performance and integrate with existing testing tools. This automation reduces manual security steps and significantly increases developer productivity.

Also, in some low-code platforms, some basic governance and controls are in place out of the box, before anyone starts tinkering with application development.

But How Secure Is Low-Code for the Enterprise?

Now, for enterprise security use cases, the most basic low-code platforms might not be enough. If you’re dealing with highly regulated industries, like finance and healthcare, you need to ensure the development platform is compliant with certain regulations.

Many low-code platforms aren’t. For example, with a regular low-code platform-as-a-service, updates that the vendor implements might not be consistent with your security policy. 

Also, an enterprise full of citizen developers needs special security care and feeding. These citizens may be highly technical people, but they don’t have the experience or expertise of professional developers to be sensitive to the security liabilities and interdependencies between applications.

It doesn’t help that not all low-code platforms provide the same features or cover the same use cases. I discussed that in my previous blog post about the low-code market, where I explained the difference between regular low-code and high-performance low-code. And security is one of the main differentiators between these two groups of low-code platforms.

To give organizations some peace of mind, Gartner has a list of recommendations you can follow from the moment you start evaluating the right low-code platform to the development process in the report "How to Mitigate Vendor Lock-In, Technical Debt and Security Risks of Low-Code Development, by Jason Wong, Gartner 2022".

 

 

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


© Copyright nasscom. All Rights Reserved.