Guarding the No Code Kingdom: Securing LCNC Applications

Low-code/no-code (LCNC) programming is incredibly powerful, and the benefits are undeniable. However, in the rush to make application development more efficient, many organizations have overlooked security.

Low-code/no-code (LCNC) programming is incredibly powerful. It enables non-programmers to develop microprograms that once took months to develop, all at a fraction of the cost. Created using drag-and-drop tools, LCNC applications are being used by every large and small enterprise to improve workflows, streamline processes, and compete more effectively.

The benefits of LCNC are undeniable. Business users have been transformed into business developers, eliminating standard software development lifecycle tasks like planning, verification, controlled deployment, monitoring, and management. They save hundreds of expensive engineering hours and reduce the time to value to just a fraction of what it once was.

However, in the rush to make application development more efficient, many organizations have overlooked security. These applications are developed by business users who lack security training and are rarely aware of specific security concerns that could derail their applications. LCNC apps aren’t designed to scale, and they lack logs, security checkpoints, and runtime protection.

To put it bluntly, these applications often have access to sensitive business, health, or financial data. They operate similarly to SaaS applications, but lack security controls and weren’t built with security in mind. Because they are so popular and so easy to create, the thousands of LCNC apps inside a typical company have significantly broadened its attack surface.

A Problem on the Cusp of Blowing Up

Chris Gardner, VP Research Director for Forrester, predicted we would see “a widely reported security breach to be borne from citizen development in 2023.”

While we are already deep into 2024 and haven’t experienced the type of doom and gloom predicted by analysts, that doesn’t mean their concerns are unfounded. These types of warnings are only issued when applications have enough access within their organization to attract threat actors. After all, if hacking an LCNC app would only yield the developer’s name and email address, it wouldn’t be of value to the threat actor.

LCNC applications don’t have the same type of security settings commonly found in SaaS applications. They lack a configuration panel with settings that can be used to control access or prevent data leakage. However, the platforms used to build LCNC applications can enforce certain settings on the apps they produce.

PowerApps, an LCNC app builder created by Microsoft, allows users to limit the number of write/create permissions within an app to prevent data leakage. Limiting the number of app admins is another way to shrink the attack surface: with admins kept to the bare minimum, a single compromised account exposes less in the event of a breach.

Data loss prevention (DLP) policies within the app-creation platform should be enabled. They let organizations control which connectors app makers can use, preventing them from inadvertently exposing sensitive material through the application.

Securing LCNC applications therefore depends less on the individual app being created and more on properly securing the platforms used to create those apps. Taking these steps can prevent LCNC apps from being weaponized and used to breach or steal data.
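As an added example (not from the article or from Microsoft), the two Power Apps controls described above can be audited as a drift check from PowerShell: apps whose owner/editor roster exceeds a threshold, and whether any DLP policy actually covers the environment. It assumes the Microsoft.PowerApps.Administration.PowerShell module, a Power Platform admin account, a constructed threshold of three, and a placeholder environment ID; the property names on the DLP policy objects are assumptions about the module's output shape.

```powershell
# Added example, not part of the original article.
# Assumes: Microsoft.PowerApps.Administration.PowerShell is installed and the
# signed-in user is a Power Platform admin.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in

$MaxEditors      = 3                       # constructed org policy: at most 3 owners/editors per app
$EnvironmentName = 'ENV-ID-PLACEHOLDER'    # environment ID, see Get-AdminPowerAppEnvironment

# Check 1: apps whose owner/editor roster is larger than the policy allows.
# Role assignments with RoleType Owner or CanEdit can change the app and its
# data connections; CanView is read-only and is not counted.
$flagged = foreach ($app in Get-AdminPowerApp -EnvironmentName $EnvironmentName) {
    $editors = @(Get-AdminPowerAppRoleAssignment -AppName $app.AppName -EnvironmentName $EnvironmentName |
        Where-Object { $_.RoleType -in 'Owner', 'CanEdit' })
    if ($editors.Count -gt $MaxEditors) {
        [pscustomobject]@{
            App     = $app.DisplayName
            Editors = $editors.Count
            Who     = ($editors.PrincipalDisplayName -join ', ')
        }
    }
}
if ($flagged) { $flagged | Format-Table -AutoSize }
else          { "All apps in $EnvironmentName have at most $MaxEditors owners/editors." }

# Check 2: is the environment covered by at least one DLP policy?
# Assumption: each policy exposes environmentType (AllEnvironments,
# OnlyEnvironments, ExceptEnvironments) and an environments list with .name.
$raw = Get-DlpPolicy
$policies = if ($raw.PSObject.Properties['value']) { $raw.value } else { @($raw) }  # list shape varies by module version
$covered = @($policies | Where-Object {
    ($_.environmentType -eq 'AllEnvironments') -or
    ($_.environmentType -eq 'OnlyEnvironments'   -and $EnvironmentName -in    $_.environments.name) -or
    ($_.environmentType -eq 'ExceptEnvironments' -and $EnvironmentName -notin $_.environments.name)
})
if ($covered.Count -eq 0) {
    Write-Warning "No DLP policy applies to environment $EnvironmentName (makers can use any connector)."
} else {
    "DLP policies covering ${EnvironmentName}: $($covered.displayName -join ', ')"
}
```

Run on a schedule, a non-empty `$flagged` or an empty `$covered` is exactly the kind of posture change the article says security teams should be notified about.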

Using SSPM to Monitor LCNC Development Apps

Business users have gotten a taste of development, and are hooked. Democratization of the tech world is expected to drive the creation of over 500 million new LCNC applications by the end of this year. This should be matched with the democratization of security: LCNC app owners should learn how to secure such platforms, and security teams need to assist them through enhanced visibility into LCNC platforms such as PowerApps.

Organizations’ best chance to secure those applications is through a SaaS security posture management (SSPM) solution monitoring the platforms used to create them. The configurations within the platform are vital to ensuring that the apps created reflect a company’s security policy, and with the wealth of applications being developed on a daily basis, organizations can’t risk configuration drift that leaves a wide swath of apps unprotected.

SSPMs provide automated, constant monitoring. When configurations that impact the posture of LCNC apps change, security teams and business units are immediately notified, so they can address the issue and restore the application’s security posture. This way, organizations can confidently create more business-critical applications without worrying about tomorrow’s LCNC breach headlines.