Business operations have undergone seismic changes over the past few years, as accelerating digitization — spurred by the pandemic — has driven enterprises to embrace a borderless world of work and commerce. In this process, organizations have become more dependent than ever on the cloud to meet these new demands for flexibility and accessibility. Concurrently, they also face added risk from an expanding attack surface and an increasingly dynamic threat landscape.
In this climate, it is more important than ever for organizations to be aware of emerging threats and evolving tactics and to ensure that they adjust their security policies and practices accordingly. One of the key areas to watch in 2023 is low-code/no-code software development, which is on a collision course with DevSecOps.
Faster … but less secure?
The security skills shortage has been well publicized, but organizations have struggled just as much to find coding talent. So it should be no surprise that companies have moved toward low-code and no-code applications in an effort to speed up software development and maximize available resources. These options are attractive because they allow people with no or very little coding experience or expertise — like sales and marketing folks — to string together applications and build things quickly.
Low-code/no-code development platforms enable more users to build new applications faster, but their lack of governance will likely introduce significant new sets of security vulnerabilities across the industry. While organizations may appreciate the speed and convenience gains these options supposedly deliver, embedding low-code and no-code applications into everything they do creates potentially serious risks, since whoever does develop the code may be doing so in a manner that isn’t fully secure.
This lack of transparency about security feels particularly ominous in the wake of the discovery of the Log4j vulnerability, as broad adoption of popular but questionably secure low-code and no-code applications would create ideal conditions for a similar time bomb. It’s not hard to imagine a low-code/no-code applet from a small company gaining broad popularity and being embedded into a wide range of applications across many enterprises. Then, when a vulnerability is identified in that applet, that small company is likely to find itself ill-prepared to communicate broadly and manage patching across its customer base. If the response to Log4j was any indication, avoiding serious exposure will require a herculean effort. Unfortunately, it’s all but inevitable that this situation will occur, and it will be up to the enterprises that deploy the applet to be prepared to mitigate it themselves.
Contrasting trends
If not handled correctly, the low-code/no-code trend threatens to undermine a growing push for broad adoption of DevSecOps, an approach to software development that integrates security at every phase of the IT lifecycle rather than “tacking on” security and testing at the end. DevSecOps promises to deliver a range of benefits, such as higher-quality code, early vulnerability detection, more efficient launch of applications and APIs through automation, and improved compliance monitoring.
DevSecOps seeks to create broader accountability for and awareness of security needs throughout the development process, and its growing adoption has been a welcome sign that the industry is taking security more seriously. Conversely, low-code and no-code development centers on speed to deployment — widely regarded as the root of many security problems across the industry.
IT teams will face growing pressure from marketing, sales and other lines of business that are eager to implement opaque “shadow apps” that have not been properly vetted. Organizations must ensure their IT teams are equipped to handle that pressure, and must support efforts to bolster security due diligence and accountability so that they become core tenets of the development lifecycle across the business.