The most common fears that discourage organizations from adopting low-code are inflexibility, vendor lock-in, security, scalability, and career impact. The links here will take you to previous posts in this five-part series. In this post, we investigate the third myth: the suspicion that applications delivered using low-code will be insecure.
In our State of Application Development 2018 Survey, fifteen percent of responders who were not currently using or planning to use low-code blamed fear of insecurity as a reason.
Looking at this from their point of view, it’s an understandable concern.
“Anything that claims to make development up to ten times faster must cut all sorts of corners!”
Application security is not a matter to be taken lightly. We want even the most skeptical of Application Development and Delivery (“AD&D”) pros, and cybersecurity specialists to take a close look “under the hood,” and see what OutSystems has to offer. This article is intended to provoke precisely that kind of scrutiny.
Far from cutting corners, OutSystems significantly speeds up application delivery because of the security automation capabilities built into the platform.
It’s a Great Time to Be a Cybersecurity Pro
The Cybersecurity Jobs Report 2018–2021 predicts “there will be 3.5 million unfilled cybersecurity positions by 2021.” Cutting to the chase: increasing cybercrime is fueling demand for cybersecurity experts much faster than industry and universities can deliver raw talent. Which means it’s a great time to be a cybersecurity pro, and a terrible time if you’re trying to hire one.
Gartner’s advice on how to plug this cybersecurity talent gap is to “automate the boring parts,” such as manual log reviews, so skilled team members can use their time on value-adding activities.
Is it just me who wonders if this advice focuses on the symptom rather than the cause of the problem?
Agreed. Vulnerabilities need to be found and addressed fast. However, unless organizations stop vulnerable code from getting deployed into production, it’s like plugging a few leaks in the dam, while the dam is full and overflowing.
The Race to Find a Needle in a Haystack
Cybersecurity pros are in a race to detect and resolve faster than criminals can attack and exploit. When firms lose that race, the damage can be immense, such as in the case of British Airways a few weeks ago when just 22 lines of code claimed 380,000 victims, whose personal and credit card details were stolen.
Press speculation suggests that British Airways could become the first high-profile company to fall foul of Europe’s new GDPR regulations. At stake is a fine of four percent of sales, which is an eye-watering $633 million based on 2017 revenue.
Moving Security Upstream
Returning to the dam and river analogy, AD&D teams need to move security upstream so that instead of security testing being a heroic effort late in the software delivery lifecycle, security is baked in from the get-go.
This “shift-left” mentality sees developers taking responsibility for security right from requirements gathering and analysis through to architecture design, implementation, and then testing.
Successfully orchestrating all of these security practices for an entire development team is no mean feat. It requires considerable training for developers to learn secure coding practices and on-going governance to ensure they continually follow the required procedures, policies, and validation.
Ideal World Meets Reality
The 2018 DZone Guide to Security report makes sobering reading compared to the picture painted above. The reality is that skills shortages and delivery deadlines often undermine the best intentions for secure development. The DZone survey of over 680 developers revealed that:
Although security training is rising, a worrying 58 percent of developers described their security training as either lacking or ad-hoc.
- Fifty-one percent of respondents said that release schedules often interfere with security concerns.
- Thirty-seven percent of respondents said that their organization views performance as the largest priority, compared to just 31 percent who said security was the top priority.
- An article by CyberArk (embedded in the report) complains that “developing secure software is rarely if ever taught in schools.”
According to our research, 80 percent of organizations describe application development talent as scarce, with hiring taking longer and costing more.
It seems that AD&D leaders face an uphill struggle to move security upstream. It’s a battle to recruit and train developers with the requisite security skills. Governing their adherence to required security standards takes considerable time and perseverance. Preventing performance speeds and release schedules from trumping security priorities could even be career limiting.
Industrializing the work of developers is a solution. Just like automotive production lines have embraced increasing degrees of automation to improve efficiency and quality, the artisan craft of coding needs to embrace automation as well.
The kind of automation I’m describing would not result in millions of coders being made redundant. On the contrary, we’re talking about keeping skilled developers at the helm of software development but reducing manual steps and significantly increasing productivity.
Given that demand for applications and digital innovation far outstrip supply, such productivity gains will help businesses compete more successfully, improving the prospects for all employees, including developers.
How Automation Should Aid Security
Prevention is better than the cure. Automation in the software development production line can deliver the following kinds of security benefits:
- Clear assignment and segregation of duties for those involved in the DevOps process
- Production of secure code patterns that protect applications from common web and mobile application vulnerabilities and automatic update of such patterns when new threats emerge
- Proactive alerts to potential security issues so insecure code doesn’t get deployed
- Integration with static code analysis tools to allow automatic code vulnerability scans during testing
- Proven, easy-to-reuse templates for identity management and support for leading single sign-on protocols and identity providers
- Enforcement of HTTPS/SSL encryption for native mobile applications and web applications
- Secure application deployment
- Complete logging and auditing of both development and runtime environments
If the application development production line has all of these features built-in, surely AD&D leaders will find it easier to keep their development teams on the straight and narrow? After all, they will have to spend less time on all kinds of security protocols, whether that includes peer reviews, manually executing code validation, documentation of the code based on various security policies, rework, and so forth.
Shock Horror: I’ve Been Talking About Low-Code
The menu of benefits sounds appealing. It’s hard to imagine AD&D leaders or developers saying “no” to the help these kinds of automation would deliver to their efforts.
Until that is, we declare those benefits are a blatant copy and paste from the OutSystems Security pages in the Evaluation Guide.
As said before, in our survey fifteen percent of IT pros who told us they were not currently using or planning to use low-code blamed fear of insecurity as a reason.
Why the Distrust?
It seems IT pros are slow to trust low-code, and perhaps in their eyes, all low-code products are tarred with the same brush.
Much of the marketing noise generated by low-code and no-code vendors over the past four years has harped on this topic:
Fast, easy, and citizen development
At first glance, it’s easy to see why coders who are fiercely proud of their expertise might be less than welcoming of these noisy upstarts gate crashing their party. How can “fast and easy” be as good as code? As my colleague, Stanley Idesis, put it so eloquently “Developers fear low-code because it’s not code.”
To some, accepting low-code must feel like writing-off years of learning and experience as a wasted effort.
Add to this the considerable baggage associated with the term “citizen developer,” and it’s not surprising that introducing low-code could have some developers rolling down the shutters.
Security is complex.
How can amateur developers be trusted to create and deploy secure apps?
There’s No Such Thing as Citizen Development Without IT Governance
Although the above skepticism of business-led development is understandable, it’s worth revisiting the original definition of citizen developer.
“A citizen developer is a user who creates new business applications for consumption by others using development and runtime environments sanctioned by corporate IT.”
The words “sanctioned by corporate IT” distinguish citizen development from shadow IT. For success, IT needs to be at the helm of such citizen development efforts. As I’ve previously argued, without guide rails and governance provided by IT, citizen development is neither correctly defined, nor likely to be successful in the long term.
Stripping this back: it’s not the responsibility of citizen developers to create secure applications. Rather, it’s the responsibility of IT to procure and govern a platform that ensures its users only deploy applications that are secure.
Low-Code for AD&D Pros
If you thought low-code was aimed purely at non-professional developers, that’s another myth that needs busting.
The low-code market spans a broad spectrum, and Forrester helpfully split the software segment in two in 2017.
“Low-code platforms for AD&D target professional development groups with rich tooling and promises of high scale. Low-code platforms for business developers target nontraditional developers with simple tooling and more modest scale.”
Although OutSystems has numerous customers that have successfully empowered less technical developers to build applications, we are primarily focused on meeting the needs of professional developers. We’re proud to be ranked as a segment leader in both of Forrester’s recent Wave™ reports, Low-Code Development Platforms for AD&D Pros and Mobile Low-Code Development Platforms.
My previous posts in this series aimed to scotch two other misconceptions that people often have regarding low-code, namely lack of flexibility and vendor lock-in. These fears often stem from the perception that low-code (or “no-code”) platforms aimed at business developers have to be more prescriptive or they will overwhelm non-professional developers.
The Challenge for Low-Code Vendors
A haze of distrust and confusion hangs like smoke over the battlefield of low-code sales and marketing. One can imagine that vendors who are intent on transforming the productivity of AD&D teams might be tempted to drop the term “low-code,” and focus instead on “automation” to be more appealing to this audience.
Vendors need to work hard to ensure not just that their platforms are truly enterprise grade, but also that developers learn how automation delivers a slew of benefits over and beyond speed, with security in bold and double underlined at the top of that list.
Putting these benefits across to developers transparently and compellingly is a challenge OutSystems gladly accepts. So, please dig into the detail of what enterprise-grade means at OutSystems, with the extensive resources listed below.
Enterprise-Grade Security: Resources From OutSystems
Enterprise-Grade = Peace of Mind
A one-stop page to explore all aspects of enterprise-worthiness, including security, scalability, governance, performance, and architecture.
Evaluation Guide – Security
Everything You Always Wanted to Know About Security—But Were Afraid to Ask. Learn how OutSystems helps you secure your apps.
Discover OutSystems Sentry
Get all of the benefits of OutSystems, reinforced with additional security, risk management, and monitoring for a SOC2 Type II compliant cloud platform.
OWASP Mobile Top Ten and OutSystems
How OutSystems addresses each of OWASP's top 10 security risks for mobile applications.
OWASP Web Applications Top Ten and OutSystems
How OutSystems addresses each of OWASP's top 10 security risks for web applications.
Get Started With OutSystems Today
Free, forever. Get your own OutSystems environment and full access to our self-teach learning curriculum.
Compare OutSystems to Other Low-Code Platforms
Once you emerge from the exhaustive reading list, if you’d like to see how leading industry analysts Gartner, Forrester, and Ovum compare OutSystems to other low-code, MADP, and hpaPaaS platforms, visit https://www.outsystems.com/analysts and help yourself to our free-courtesy research reports.
More Reading on Low-Code Myths
Myth #1 – We cannot build what we need. Read What Can You Build With Low-Code?
Myth #2 – The Fear of Vendor Lock-in.
Myth #4 – Low-Code will not scale.
Myth #5 – Low-Code will be bad for my career. Coming soon.