Strategies for making low-code applications cyber resilient

By Frank Baalbergen, Chief Information Security Officer, Mendix.


In 2023, one in four application breaches involved stolen credentials or exploited vulnerabilities. Furthermore, 75% of all applications have at least one flaw. This is an alarming reality for application security, but it does not need to be this way.

In the digital-first world, technology leaders have increasingly turned to low-code applications to accomplish business goals quicker than traditional development. However, some IT professionals have expressed concerns about security and data management specifically for low-code platforms. A third of these professionals reference the lack of low-code governance as the most serious security risk. Meanwhile, 26% of participants did not trust the app development platform.

Despite these concerns, Gartner estimates that the adoption of low-code/no-code technologies will increase from almost 25% of applications in 2020 to 70% in 2025, indicating that their ascent and popularity are not slowing. This is because low-code has advanced numerous organisations' digital transformation efforts by making it easier to build and run apps.

However, the rise of citizen coders has raised unique concerns among CTOs and technology leaders. They are concerned about managing these personnel groups while allowing them to remain innovative. The 'why' behind the security risk stems from a shortage of skilled professionals and the imperative to upskill existing employees who will, by default, not be as knowledgeable about keeping systems safe and secure. 

Limited cybersecurity expertise in this fast-expanding sector exposes vulnerabilities, underlining the importance of proactive training to strengthen companies' defences and reduce risk. Below, we look at three actions businesses can take to make low-code platforms more cyber-resilient:

1) Championing data security

Organisations should ensure data security in low-code platforms complies with regulations, protects sensitive information, and maintains trust. Low-code platforms facilitate rapid development but pose risks if security measures are overlooked. Breaches can result in legal penalties, reputation damage, and loss of customer confidence. Implementing robust security protocols, including encryption, access controls, and regular audits, is essential. 

Vulnerabilities in third-party components should be addressed through patch management and security updates. Preventing insider threats is equally important, requiring strict access controls and monitoring mechanisms. By prioritising data security, organisations can safeguard intellectual property, maintain business continuity, and uphold their commitment to protecting customer data, thus fostering trust and mitigating potential risks.

2) Incorporating security by design

Technology leaders should also encourage a security-first approach that builds security safeguards into the development process, especially for low-code platforms. To protect their low-code platforms from cyber attacks, developers should use the platform's built-in security features. One important approach is to default to the least amount of resource access possible, reducing the chance of design flaws that result in incorrect data rights. This method is consistent with platform-based solutions, where access must be granted explicitly, lowering the risk to data privacy and integrity.

Another area organisations could look to implement is a system that provides fail-safe defaults inside entity access methods, such as restricting the default permissions on new entity attributes. Because newly introduced data attributes carry no permissions by default, developers must explicitly grant users access to them, which improves overall data protection measures.

Furthermore, it is critical to address the possible risks of depending entirely on a single security method, which might result in a single point of failure. Instead, a layered approach to security, which includes various checkpoints such as the domain model, microflows, and pages, guarantees a strong defence.

Implementing security controls in these three critical areas before allowing production access may considerably decrease the risk of unauthorised data access or breach. This multi-layered approach improves security resilience and gives users and stakeholders confidence in the platform's capacity to protect sensitive data. 
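As an added illustration of the fail-safe defaults and layered checks described above (example code written for this article, not Mendix platform code; the Entity, Gate and check_access names and the Customer sample data are constructed assumptions):

```python
# Added example (not from the article or Mendix): a toy model of fail-safe
# entity access plus deny-by-default checks at page, microflow and domain-model
# level. All names and sample data are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    attributes: set = field(default_factory=set)
    rules: dict = field(default_factory=dict)  # rules[role][attr] -> {ops}

    def add_attribute(self, attr):
        # Fail-safe default: a new attribute has no permissions for any role
        # until a developer grants them explicitly.
        self.attributes.add(attr)

    def grant(self, role, attr, *ops):
        if attr not in self.attributes:
            raise KeyError(f"unknown attribute {attr!r} on {self.name}")
        self.rules.setdefault(role, {}).setdefault(attr, set()).update(ops)

    def permits(self, roles, attr, op):
        # Deny unless one of the caller's roles holds an explicit grant.
        return any(op in self.rules.get(r, {}).get(attr, set()) for r in roles)

@dataclass
class Gate:
    """A page or microflow: usable only by the listed roles (deny by default)."""
    name: str
    allowed_roles: set = field(default_factory=set)

    def permits(self, roles):
        return bool(set(roles) & self.allowed_roles)

def check_access(roles, page, microflow, entity, attr, op):
    """Evaluate every layer; return (allowed, name of the layer that denied)."""
    for layer, ok in (("page", page.permits(roles)),
                      ("microflow", microflow.permits(roles)),
                      ("domain model", entity.permits(roles, attr, op))):
        if not ok:
            return False, layer
    return True, None

# Constructed sample: a Customer entity reached through an order page and a microflow.
customer = Entity("Customer")
for a in ("Name", "Email"):
    customer.add_attribute(a)
customer.grant("SalesRep", "Name", "read", "write")
customer.grant("SalesRep", "Email", "read")
customer.add_attribute("CreditLimit")  # new attribute: no role can access it yet
order_page = Gate("OrderOverview", {"SalesRep", "Manager"})
update_flow = Gate("ACT_UpdateCustomer", {"SalesRep"})
```

A request is allowed only when every layer agrees; the tuple names the first layer that refused, which is useful when reviewing why a citizen developer's page or microflow exposes more than intended.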

3) Enforcing security training and awareness

Organisations should educate developers, administrators, and end users on cybersecurity best practices and possible dangers, which is essential for building a strong security culture. Platforms that provide extensive training resources and community forums are critical for arming stakeholders with the information they need to minimise risks successfully.

These platforms enable users to make educated decisions and take proactive security steps by offering easy access to learning about security best practices and staying up to speed on emerging risks. 

It is also imperative to have regular cybersecurity training and awareness sessions within low-code development sectors. This empowers developers with the knowledge to mitigate risks effectively, ensuring that security remains a top priority throughout the development lifecycle.

The rising popularity of low-code platforms creates both benefits and risks regarding cybersecurity. To protect these platforms from cyber attacks, businesses must champion data security, incorporate security by design principles, and run frequent cybersecurity training and awareness sessions. By emphasising proactive measures and providing stakeholders and developers with the required information and tools, organisations can enhance the cyber resilience of their low-code platforms and confidently manage the expanding threat landscape.
