The low-code revolution continues to gain momentum. Yet, some IT professionals are still leery of joining that revolution. One of the main sources of that hesitation is concern about the security of low-code apps. In a recent survey, 59% of respondents cited security as their biggest low-code concern.
The issue of low-code security certainly warrants serious attention. If applications created using low-code development platforms (LCDPs) are inherently less secure than software created using traditional methods, companies that employ such apps may be making themselves prime candidates for exploitation by cybercriminals. They may also run afoul of data protection regulations such as those mandated by GDPR, HIPAA, and California's CCPA.
So, what's the truth about low-code development and data security?
The low-code security challenge
The distinguishing feature of the low-code approach to software development is that it allows "citizen developers" who are not software professionals to create their own apps. Rather than requiring traditional coding, LCDPs allow technically unsophisticated users to implement their designs visually, by dragging and dropping pre-coded modules and templates into place using a Graphical User Interface (GUI).
Typically, citizen developers can implement 90% or more of an app's functionality on their own, requiring IT assistance only for more complex coding requirements such as integrating the app with other applications or systems.
But citizen developers are notoriously unconcerned about security—they just want to produce apps that function the way they want as quickly as possible. Left to themselves without IT governance, they would certainly produce apps that are inherently insecure, or that inadvertently open doors that bad actors can use to gain unauthorized access to sensitive data.
So, low-code security concerns must be taken seriously.
But that's exactly what top-tier LCDP providers do! Recognizing that low-code developers cannot be relied on to have either the knowledge or the motivation to ensure that their apps are secure, low-code vendors have built stringent security features into the platforms themselves. Because of that, low-code can produce apps that are actually more secure than those created using traditional methodologies.
Why a good LCDP can provide superior data security
Bullet-proof data security is tough for even the most professional of software developers to achieve. For example, in 2021 UpGuard Research revealed that apps and websites created with Microsoft Power Apps had suffered a data leak of 38 million records containing private personal information. Because Power Apps is a low-code platform, some observers initially saw this incident as proof of the inherent insecurity of low-code apps. Actually, the leaks had nothing to do with low-code, but occurred because of a misconfiguration by a professional software developer.
The fact is, because of the safeguards LCDP providers build into their platforms, properly designed low-code apps are typically more secure than those developed by traditional means. Forrester Research puts it this way:
"Applications built on low-code platforms can be more secure than those built with more traditional coding methods. Low-code vendors take on major responsibilities for securing their platforms on their 'own' clouds and ensuring the technical quality of applications built with their tooling."
In other words, a good low-code development platform will automatically build a high level of data security into the apps it creates.
For example, the award-winning LCDP provided by eSystems partner OutSystems automatically applies more than 200 security controls to every app created using the platform. The compiled code is fully documented and runs in a standard technology stack. That means code-level security can be assessed for low-code apps using the same tools and methods as with any other software. Plus, the visual editor provides design-time warnings of potential security vulnerabilities in the design. It will even, if necessary, automatically block deployment until security issues are fixed.
In addition, the OutSystems platform automatically builds important security features into apps, such as identity management, access control, and secure data storage, including encryption.
In light of these platform-based security features, Forrester's conclusion concerning low-code security is perhaps not entirely surprising:
"Application-security risks rise when developers build parts of their apps outside of the native tooling of the low-code platform… This risk is lower for businesspeople delivering apps (citizen developers) because they are less likely to write custom code."
Examples of low-code projects requiring a high level of data security
As the strength of low-code security has become more widely known, low-code is more and more being used not just at the departmental level, but also for enterprise-wide, business-critical applications. Let's look at some examples.
- Humana—Humana is a Fortune 500 health insurance provider, a field in which data security is highly regulated. Although it was at first skeptical of low-code, after a three-month evaluation process the company decided to use the OutSystems LCDP to create apps that are critical to its ability to deliver services to its agents and customers. One project that was originally projected to require eight months was completed in eight weeks, and at a quarter of the original estimated cost. Humana is so pleased with its low-code results, it now has a total of seven applications built with the OutSystems platform.
- thinkMoney—Customers of this British banking provider depend on it as a hub for managing their finances. The company needed to upgrade its digital banking application as quickly as possible, and decided to do so using the OutSystems low-code platform. Originally estimated as a six-month effort, the project was completed in just 14 weeks, including implementation of advanced security services such as biometric authentication.
- Corporate One Federal Credit Union—As a leading wholesale financial services provider for more than 750 U.S. credit unions, Corporate One wanted to create apps that would provide core banking services to member credit unions. They chose OutSystems Sentry for the project. How did it turn out?
"We delivered a new end-to-end PPP approval system in one week and configured it for multiple credit unions. We saw over 263,000 application hits in a week, and OutSystems handled it like a breeze… OutSystems Sentry gave us the peace of mind we were looking for, which was important considering we are handling sensitive financial data for hundreds of credit unions and millions of their members."
—Jim Horlacher EVP, Chief Information Officer, Corporate One
eSystems can help you create highly secure low-code apps
Already known as the best low-code house in the Nordics, in 2019 eSystems became the first Nordic company to be named an OutSystems center of excellence. OutSystems then gave us their 2020 Partner of the Year award for the Europe, Middle East, and Africa (EMEA) region.
What does that mean? It means we are the low-code experts who can help you create apps with enterprise-level security.
Not yet convinced low-code is for you? Let us hear your concerns and discuss how low-code can bring massive opportunities for you and your business. Please, contact us today!
WRITTEN BY: Reggie Rusan | Chief Technology Officer
COMMENTS