Get Cybersecurity Right for Your Low-Code/No-Code Projects
The low-code, no-code revolution has made it possible for anyone at your organization to create software applications without all the extra overhead of traditional software development.
By leveraging low-code platforms, such as the Microsoft Power Platform, your staff members have a vast ecosystem of emerging technologies at their fingertips. Your “low-coders” or “citizen developers” can use technology to optimize the unique business processes they already know intimately.
I’m a product manager, so I have the privilege of being on a team producing software every day. Unlike low-code, it’s a complicated process. Every piece of software has a software development lifecycle (SDLC) that typically involves discovery, requirements gathering, design, implementation, testing, deployment, and ongoing maintenance. Throughout the lifecycle, I typically work with software architects, engineers, UX designers, business analysts, application security experts, and other stakeholders. We follow the SDLC process to ensure we are creating software that is valuable, usable, and perhaps most important, secure.
How does the SDLC process for low-code applications differ? What processes and procedures should low-coders be aware of while creating low-code workflows? How can your organization embrace the speed and power of low-code development and still have the peace of mind that your data is protected?
Low-code platforms can give your team great power to improve their day-to-day workflows and increase their productivity. As the saying goes, with great power comes great responsibility, and this is true when it comes to wielding power over the data that your constituents entrust to your organization. To protect them and your organization, you must get cybersecurity right for your low-code and no-code projects.
Here are five cybersecurity considerations as you prepare to join the low-code revolution.
Create a Security-First Mindset
Low-coders are typically business users who may not have formal training in cybersecurity, This makes it imperative for them to receive instruction before creating applications that touch sensitive information. How can you help low-coders keep security considerations front of mind? Your organization needs to cultivate a security-first mindset.
The best way to start is to ensure that staff, especially those who have access to sensitive data, receive the appropriate cybersecurity and data security training. This will help everyone understand what’s at stake and how to follow cybersecurity best practices:
- Cover the language of security
- Provide a foundation for basic concepts such as password security
- Ensure everyone is aware of phishing and social engineering
- Explain data security concepts such encryption, classification, and retention
IT and software development professionals receive security training as part of their chosen profession, but training must be ongoing due to the ever-changing security and threat landscape.
Respect the Principle of Least Privilege
Any software that contains sensitive data must have tools for managing each user’s access to that data. These identity and access management tools enable administrators to add users and assign roles and permissions for users to access data when they sign into the software.
When it comes to integrating third-party applications, such as applications created from low-code platforms, it’s common for those applications to assume the permissions of an authenticated user. Put another way, the application is accessing data on behalf of a user, and therefore should only be able to access the data the user has permission to access. For example, applications using Blackbaud’s SKY API® will have a step that asks the user to authorize the application to access data within the Blackbaud software with their assigned permissions.
This is the industry’s best-practice way for enabling different software applications to exchange data. However, there is a problem if the user has more access than they themselves or the third-party application needs to perform its function. It’s a common mistake to give users too many permissions or to give admin-level access when the user doesn’t need it. This elevated level of access can then be passed on to the applications the user authorizes.
A basic cyber security principle is the principle of least privilege. The principle advocates that users or applications should only be given the “least privilege” or the minimum level of access necessary for their tasks.
To combat over-elevation of access, follow the principle of least privilege when authorizing low-code applications by creating a “service principal” user account. It can be given only the permissions necessary for the application to do its job.
Another tip is to follow the example of established software companies: Blackbaud, for instance, provides admins the ability to create roles with granular permissions, so that each user can be given precisely the permissions they need, and no more.
Test in a Safe Environment
Low-code development can be incredibly fast. It’s feasible that someone at the organization can have an idea for an application and have it created and ready to use within the same day. While this is an exciting prospect, the application needs to be tested in a safe environment that does not contain real live data. Even fully trained professional developers can make mistakes. This is why before code is released into production, it goes through a process involving code reviews by other developers, as well as automated tests to ensure the code is valid.
Most nonprofit organizations won’t have a mature software development testing and release process, and even if they do, it’s possible that the low-coder isn’t aware of the process. Therefore, it’s important to test all low-code applications in an environment separate from the production environment.
For developers using SKY API, Blackbaud provides a shared test environment that enables them to get started testing their applications using dummy data. Only when the application has been tested and verified to meet the business needs of the user—and can function at scale—should it be considered for use in the production environment.
Create a Low-Code Center of Excellence
One of the many benefits of low-code development is that it empowers any user to act on their ideas to create applications and deploy them very rapidly. However, this is also one of the glaring problems with low-code development. Just because anyone can create applications, does not mean that they should.
What are the risks of launching projects developed by an inexperienced low-coder?
A low-code app builder with no security training or development experience can put data at risk if appropriate safeguards are not in place. They might lack the knowledge to safely request and store data (for example, asking for highly sensitive information in a form and storing it in a plain-text format rather than an encrypted format).
To give the organization more visibility and oversight into applications being developed by low-coders and how data will be accessed, you should create a Center of Excellence (CoE). Here’s how Microsoft sees it:
“A Center of Excellence in an organization drives innovation and improvement and brings together like-minded people with similar business goals to share knowledge and success, while at the same time providing standards, consistency, and governance to the organization.”
The CoE should include members from the IT or cybersecurity teams responsible for the organization’s technical infrastructure, so they can approve the use of systems and monitor how data is being transported and stored.
Want to learn more? The Microsoft Power Platform provides a CoE Starter Kit.
Kill Your “Zombie” Apps
This last suggestion is a sleeper tip since it is so important but often overlooked. With more people in the organization able to create applications, there will be more applications created. Not every application will be a hit. In fact, creating an application that becomes widely adopted and provides long-term value is no easy feat. Even if you have deep resources to do up-front research, discovery and design, projects can fail. The reasons? Could be the right app but at the wrong time. Maybe the organization was not prepared for change, or interdepartmental politics created roadblocks.
Whatever the cause, your organization wants to avoid a stockpile of “zombie apps” that could increase your risk exposure and create an incident. Apps can become zombies when they are not maintained or monitored, and provide no real value, yet are still authorized to access production data.
A common scenario is when there is staff turnover, and nobody is aware that the app even exists (lack of visibility and a governing team). Make sure you have a process for identifying when applications are no longer needed and a plan for the end of the app’s lifecycle. If they no longer provide value, archive or delete them.
What Next?
The low-code revolution is one of the most exciting movements in tech. And it’s building momentum. I truly believe that low-code platforms will be the way most organizations will experience bleeding-edge innovations emerging in the decades to come.
As you jump into low-code development, I hope you’ll keep the five tips in this article top of mind before you dive in too deep.
If I could suggest only one additional resource, I would pick the OWASP Low-Code/No-Code Top 10. A globally recognized authority on web application security, OWASP (Open Web Application Security Project) provides guidelines for professional software development and has responded to the growing need for security guidance for low-code platforms.