Is Low-Code Secure?

Security is on the mind of all IT professionals. Therefore, it’s no surprise that when evaluating low-code, they are sure to ask, “Is low-code secure?” In this blog, we’ll answer this question and others that IT managers like you have about low-code security and where it fits in the state of software development security today.

The State of Software Development Security

Unless you’ve been living way off the grid, it’s not news to you that cybercrime is growing and getting more sophisticated as businesses enter into new stages of digital maturity.

The increasing cyber threats have led CIOs and CISOs to rethink the way their development teams produce software. Two main vectors have led to that change:

• The lack of cybersecurity pros available in the market
• A growing demand to adopt DevSecOps practices.

1. It’s a Great Time to Be a Cybersecurity Pro

According to the Cybersecurity Jobs Report, in 2021, there were 3.5 million unfilled cybersecurity jobs, a number that is not expected to decrease before 2025. An increase in cyber crime is fueling demand for cybersecurity experts much faster than industry and universities can deliver raw talent. It’s a great time to be a cybersecurity pro and a terrible time if you’re trying to hire one.

Gartner’s advice on how to plug this cybersecurity talent gap is to “automate the boring parts,” such as manual log reviews, so skilled team members can use their time on value-adding activities. And in a recent report by the cybersecurity advocacy group (ISC)2, the use of intelligence and automation for manual cybersecurity tasks was identified as a top technology investment to overcome the talent gap.

2. DevSecOps: The New Kid on the Block

Between an uptick in ransomware attacks, lack of clear boundaries for organizational data, and increased risk with collaborative citizen development, we see an increased demand for DevSecOps. In this approach, instead of security testing being a heroic effort late in the software delivery lifecycle, it’s baked in from the get-go.

This “shift-left” mentality sees developers taking responsibility for security from requirements gathering and analysis all the way to architecture design, implementation, and testing. However, this ideal world, where security is embedded in the several stages of the app lifecycle, is very different from reality.

According to The State Of DevSecOps Report by Contrast Security:

• 79% of organizations surveyed say their DevOps team is under increasing pressure to shorten release cycles.
• 40% of respondents report that their teams sometimes or often skip security processes to meet deadlines.
• 62% say that developers stop coding to remediate vulnerabilities at least every two or three days —and 27% do so daily.
• Nearly 8 in 10 respondents say that the average application has 20 or more vulnerabilities.

This report shows that IT leaders have an uphill cybersecurity battle. On one hand, recruiting developers with the necessary security skills is hard. On the other, training their existing staff to infuse security practices into the entire lifecycle takes time and perseverance.

Fortunately, there is a third option.

Fear Not: Low-Code Is Here

In a recent presentation based on customer research, Gartner named security as one of the top obstacles to adopting low-code, along with vendor lock-in and technical debt. The reason for these “fears” has more to do with perception than fact.

Why Is Security Seen as an Obstacle?

The reason for this “fear” has to do with the fact that low-code platforms abstract code, which is perceived as sacrificing security posture, such as vulnerability, threat, and error prevention, for speed. This is especially true when we’re talking about development platforms that cater to business users (the so-called citizen developers). Also, you cannot access the underlying code from the abstraction to test it the same way you test traditionally coded (“high-code”) applications.

Another reason that security is an obstacle is because many in IT have the idea that low-code requires even more specialized cybersecurity practitioners than DevSecOps. There is also a fear of time lost if entire development teams need to be trained on low-code security while IT backlogs continue piling up.

How Low-Code Can Help

The truth is, however, that low-code has a place in today’s software development security landscape. In fact, contrary to popular opinion, traditional application development doesn't always take security into account either. Or, someone puts it in place later.

By contrast, even the most basic low-code platforms today offer security protections. They can automatically test for vulnerabilities and performance and integrate with existing testing tools. This automation reduces manual security steps and significantly increases developer productivity.

Also, in some low-code platforms, some basic governance and controls are in place out of the box, before anyone starts tinkering with application development.

But How Secure Is Low-Code for the Enterprise?

Now, for enterprise security use cases, the most basic low-code platforms might not be enough. If you’re dealing with highly regulated industries, like finance and healthcare, you need to ensure the development platform is compliant with certain regulations.

Many low-code platforms aren’t. For example, with a regular low-code platform-as-a-service, updates that the vendor implements might not be consistent with your security policy. Even big names like Microsoft have had their challenges.

Also, an enterprise full of citizen developers needs special security care and feeding. These citizens may be highly technical people, but they don’t have the experience or expertise of professional developers to be sensitive to the security liabilities and interdependencies between applications.

It doesn’t help that not all low-code platforms provide the same features or cover the same use cases. I discussed that in my previous blog post about the low-code market, where I explained the difference between regular low-code and high-performance low-code like OutSystems. And security is one of the main differentiators between these two groups of low-code platforms.

To give organizations some peace of mind, Gartner has a list of recommendations you can follow from the moment you start evaluating the right low-code platform to the development process¹. In this table, I compare regular low-code to the OutSystems high-performance low-code platform based on Gartner's recommendations for secure low-code.

Learn More about High-Performance Low-Code

This is just a sneak peek of how OutSystems high-performance low-code protects your applications and users. To read about all of our security features take a look at these additional resources:

• OutSystems security page
• OutSystems evaluation guide
• OutSystems security infographic (download here)

And to learn more about our platform, take a look at our platform page and feel free to schedule a demo. Our experts are here to clarify any questions you may have.

¹How to Mitigate Vendor Lock-In, Technical Debt and Security Risks of Low-Code Development, by Jason Wong, Gartner 2022.