SAN FRANCISCO – Low-code/no-code (LCNC) software development technology is "a fantastic thing for businesses overall" because it ensures the individuals or groups within an organization who have a problem also have the tools they need to solve it themselves. But the increased security risks of adopting LCNC can't be overlooked, Lacework's Cloud Strategist Mark Nunnikhoven told SDxCentral in an interview at RSA Conference 2022.
The beauty of low code is that instead of someone from a business unit asking the IT department to create a unique solution, that business unit can take matters into its own hands and build a piece of software without needing specialized technical expertise. In this way, LCNC is essentially an advanced set of office productivity tools, Nunnikhoven said.
But low-code development is rife with challenges from a security perspective. "A lot of the time when these people are building an application within that platform, they're building just that context. They don't have the security knowledge, and so a lot of strong defaults need to be built in, which aren't there yet," he explained.
For example, a low-code tool is typically connected to another platform using the personal credentials of whoever built the application, so every request the application makes is attributed to that one person regardless of who actually triggered it. "That's generally a bad practice because now you lose the visibility to who's actually requesting it ... so if something goes wrong, we can't actually figure out what happened because we've lost the visibility," Nunnikhoven said.
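The attribution problem Nunnikhoven describes, as an added example that is not from the article, from Lacework or from any particular low-code vendor: a small model of a connector that calls a downstream API either with the builder's personal token or with a dedicated connection identity that also records the user who triggered the flow, plus a check over the resulting audit entries. The names (alice, bob, carol, dave), the `export_customer_records` action and the log field layout are all constructed for illustration.

```python
"""Model of low-code connector credential choices and what the downstream
audit log can (and cannot) tell you afterwards. Example code, not from any
real platform; identities, actions and log fields are hypothetical."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DownstreamApi:
    """Stand-in for a SaaS or cloud API that writes one audit entry per call."""
    audit_log: List[dict] = field(default_factory=list)

    def call(self, token_subject: str, action: str,
             on_behalf_of: Optional[str] = None) -> None:
        # The API only knows the subject of the token presented to it. The
        # initiating user is visible only if the caller forwards it.
        self.audit_log.append({"actor": token_subject, "action": action,
                               "on_behalf_of": on_behalf_of})


@dataclass
class Connector:
    """A low-code connection: fixed credential, used by every flow run."""
    credential_subject: str      # whose token the connection was set up with
    forward_initiator: bool      # does the connection record who triggered the flow?
    api: DownstreamApi

    def run_flow(self, triggered_by: str, action: str) -> None:
        self.api.call(self.credential_subject, action,
                      triggered_by if self.forward_initiator else None)


def effective_actor(entry: dict) -> str:
    """Best available answer to 'who requested this?' for one audit entry."""
    return entry["on_behalf_of"] or entry["actor"]


def attribution_report(api: DownstreamApi) -> dict:
    """Count downstream actions per effective actor."""
    return dict(Counter(effective_actor(e) for e in api.audit_log))


def shared_personal_credentials(api: DownstreamApi, human_users, threshold: int = 3):
    """Heuristic: a human identity acting many times with no initiator recorded
    is a sign that someone's personal token has been wired into automation."""
    counts = Counter(e["actor"] for e in api.audit_log
                     if e["actor"] in human_users and e["on_behalf_of"] is None)
    return sorted(user for user, n in counts.items() if n >= threshold)


def demo(forward_initiator: bool) -> dict:
    """Four flow runs triggered by three colleagues of the builder, alice."""
    api = DownstreamApi()
    conn = Connector(credential_subject="alice" if not forward_initiator
                     else "svc-lowcode-export",          # dedicated connection identity
                     forward_initiator=forward_initiator, api=api)
    for user in ["bob", "carol", "dave", "bob"]:         # constructed trigger sequence
        conn.run_flow(user, "export_customer_records")
    return {"attribution": attribution_report(api),
            "flagged": shared_personal_credentials(api, {"alice", "bob", "carol", "dave"})}


if __name__ == "__main__":
    print("personal token: ", demo(False))
    print("service identity:", demo(True))
```

With the builder's personal token, every export is logged as alice and the detector flags her account, which is exactly the "we've lost the visibility" case: an incident responder sees a busy human identity and cannot tell whether alice, a colleague's flow, or a stolen token was behind any given call. With a dedicated connection identity that forwards the initiator, the same four runs attribute cleanly to bob, carol and dave, and nothing is flagged. The heuristic is deliberately simple; in a real environment it would be paired with the platform's own flow-run history and a lookup of which identities are human versus service accounts.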
But the security risks of LCNC don't signal the broad failure of this tech. It's just early stages for many of these platforms, which carry high projected future growth. According to Gartner, 65% of all application development will happen using low code or no code by 2024.
"Way more people are going to be building now," Nunnikhoven explained. "Existing developers aren't going to switch — it's that we're going to bring so [many] more people to the table, which is a great thing for business."
Community engagement with LCNC platforms is the best way to begin building in proper tooling and controls to allow for full visibility, "not to stop things, but just to know what's going on," he said.
"It was hard enough to figure out where our data was when it was just in known cloud providers. But now that everybody's making applications and connecting to a whole bunch of other things, we're losing track of it again," he added.