Though popular, low-code and no-code platforms carry serious security risks, writes columnist and security expert Mark Nunnikhoven on the SD Times website.
Nunnikhoven works for Lacework, a DevOps, cloud and Kubernetes service provider. According to Nunnikhoven, low-code and no-code platforms have several inherent risks.
Most platforms largely depend on the cloud. The platforms use APIs to retrieve the data required to run low-code and no-code apps. The apps are connected to third-party systems. Think Salesforce for marketing applications and email providers for email applications.
Unsecured connections to third-party systems serve as pipelines for malware. According to Nunnikhoven, connections are so numerous that organizations often lack an overview. Developers are less likely to detect configurations and vulnerabilities that could affect application security. Logs and access management are often limited.
Risk assessment
Nunnikhoven urges organizations to pay more attention to the security of low-code and no-code platforms. Risk assessments are a good start, says Nunnikhoven. Organizations are advised to determine if and how the platform connects to third-party systems. Once those connections are identified, organizations should verify the passwords, usernames and other secrets used to connect to third-party systems.
Logging is a must. Nunnikhoven emphasizes the importance of monitoring user and application activity. Visibility is key to combatting data breaches, he notes. Only then can an organization move on to more advanced security issues.