The low-code revolution continues to gain momentum. Yet, some IT professionals are still leery of joining that revolution. One of the main sources of that hesitation is concern about the security of low-code apps. In a recent survey, 59% of respondents cited security as their biggest low-code concern.
The issue of low-code security certainly warrants serious attention. If applications created using low-code development platforms (LCDPs) are inherently less secure than software created using traditional methods, companies that employ such apps may be making themselves prime candidates for exploitation by cybercriminals. They may also run afoul of data protection regulations such as GDPR, HIPAA, and California's CCPA.
So, what's the truth about low-code development and data security?
The distinguishing feature of the low-code approach to software development is that it allows "citizen developers" who are not software professionals to create their own apps. Rather than requiring traditional coding, LCDPs allow technically unsophisticated users to implement their designs visually, by dragging and dropping pre-coded modules and templates into place using a Graphical User Interface (GUI).
Typically, citizen developers can implement 90% or more of an app's functionality on their own, requiring IT assistance only for more complex coding requirements such as integrating the app with other applications or systems.
But citizen developers are notoriously unconcerned about security—they just want to produce apps that function the way they want as quickly as possible. Left to themselves without IT governance, they would certainly produce apps that are inherently insecure, or that inadvertently open doors that bad actors can use to gain unauthorized access to sensitive data.
So, low-code security concerns must be taken seriously.
But that's exactly what top-tier LCDP providers do! Recognizing that low-code developers cannot be relied on to have either the knowledge or the motivation to ensure that their apps are secure, low-code vendors have built stringent security features into the platforms themselves. Because of that, low-code can produce apps that are actually more secure than those created using traditional methodologies.
Bullet-proof data security is tough for even the most professional of software developers to achieve. For example, in 2021 UpGuard Research revealed that apps and websites created with Microsoft Power Apps had suffered a data leak of 38 million records containing private personal information. Because Power Apps is a low-code platform, some observers initially saw this incident as proof of the inherent insecurity of low-code apps. Actually, the leaks had nothing to do with low-code, but occurred because of a misconfiguration by a professional software developer.
The fact is, because of the safeguards LCDP providers build into their platforms, properly designed low-code apps are typically more secure than those developed by traditional means. Forrester Research puts it this way:
"Applications built on low-code platforms can be more secure than those built with more traditional coding methods. Low-code vendors take on major responsibilities for securing their platforms on their 'own' clouds and ensuring the technical quality of applications built with their tooling."
In other words, a good low-code development platform will automatically build a high level of data security into the apps it creates.
For example, the award-winning LCDP provided by eSystems partner OutSystems automatically applies more than 200 security controls to every app created using the platform. The compiled code is fully documented and runs in a standard technology stack. That means code-level security can be assessed for low-code apps using the same tools and methods as with any other software. Plus, the visual editor provides design-time warnings of potential security vulnerabilities in the design. It will even, if necessary, automatically block deployment until security issues are fixed.
In addition, the OutSystems platform automatically builds important security features into apps, such as identity management, access control, and secure data storage, including encryption.
In light of these platform-based security features, Forrester's conclusion concerning low-code security is perhaps not entirely surprising:
"Application-security risks rise when developers build parts of their apps outside of the native tooling of the low-code platform… This risk is lower for businesspeople delivering apps (citizen developers) because they are less likely to write custom code."
As the strength of low-code security has become more widely known, low-code is increasingly being used not just at the departmental level, but also for enterprise-wide, business-critical applications. Let's look at some examples.
"We delivered a new end-to-end PPP approval system in one week and configured it for multiple credit unions. We saw over 263,000 application hits in a week, and OutSystems handled it like a breeze… OutSystems Sentry gave us the peace of mind we were looking for, which was important considering we are handling sensitive financial data for hundreds of credit unions and millions of their members."
—Jim Horlacher, EVP, Chief Information Officer, Corporate One
Already known as the best low-code house in the Nordics, in 2019 eSystems became the first Nordic company to be named an OutSystems center of excellence. OutSystems then gave us their 2020 Partner of the Year award for the Europe, Middle East, and Africa (EMEA) region.
What does that mean? It means we are the low-code experts who can help you create apps with enterprise-level security.
Not yet convinced low-code is for you? Let us hear your concerns and discuss how low-code can bring massive opportunities for you and your business. Please contact us today!
WRITTEN BY: Reggie Rusan | Chief Technology Officer