Fact Or Fiction: Dispelling Low-code Security Misconceptions In The Age Of The Citizen Developer

By   Yad Jaura
, Netcall | Dec 23, 2021 03:48 am PST

The burgeoning skills gap, an urgent lack of coders and the need for growing businesses to transform at pace has ushered in a rise in citizen developers over recent years. When empowered with low-code platforms, which require minimal or no actual code, these developers can create applications by themselves with very little intervention from IT.

However, whilst the revelation that application development can be placed in the hands of anyone within the business is a positive one, there is also a growing concern that, by doing so, security could be at risk.

Last year, it was estimated that internal security misconfigurations accounted for as many as 10% of all breaches, with one of the most recent – and prolific – being the Microsoft Power Apps data leak. Due to the incident, 38 million personal information records across more than 1,000 web apps were said to have been exposed, including particularly sensitive information such as COVID-19 contact-tracing details, vaccination appointments, social security numbers and millions of names and email addresses.

Inevitably, such an event caused many to question the security surrounding low-code tools and with it, a handful of misconceptions have started to emerge. Here we uncover the current myths and misconceptions associated with low-code development, distinguishing fact from fiction to reveal how businesses can reap the benefits such tools have to offer, whilst ensuring the security of their organisations.

Misconception #1:

Development should be left to the experts, or else security is at risk

The Microsoft Power Apps incident certainly cast doubt over the security of applications developed using low-code, with many quick to put this down to the skills gap associated with citizen developers. However, vulnerabilities can be introduced by IT teams and even pro-developers, the very people assumed to be the savviest about such risks. In fact, this was the case for Microsoft, where a default security setting was missed by a pro-developer.

Whilst an easy miss in this situation, it is important to note that most professional developers step into their first role without any security training. Few computer science degrees focus on security, and most don’t even stipulate a single secure development or secure design course. 

Ultimately, whilst those not specifically trained in development can be less conscious of the security implications, the issue isn’t exclusive to citizen developers. As we’ve seen, even pro-developers can get it wrong sometimes.

Misconception #2:

Low-code is less secure than other development software

False. Low-code isn’t inherently less secure than other software. In fact, it’s generally more secure, as enterprise low-code platforms include prebuilt security and governance controls for every application. These platforms provide visual tools and building blocks for speeding up and simplifying app development, making it easier to develop technically secure apps versus traditional coding.

But, like professional coding tools or other software products, low-code can still be misconfigured – as evidenced in the Microsoft Power Apps incident – and security defaults can be insufficient.

Instead, there is a real need for experts to review the security defaults and configurable guardrails of low-code platforms, aimed at scaled citizen developer programs, as well as ensuring that security awareness is part of any internal development strategy.

It’s crucial that businesses consider prevention, not cure, and since low-code platforms vary in their security offerings, the onus is on business leaders to select a platform with sensible security defaults.

Misconception #3:

Once I choose a low-code provider, security is out of my hands  

Wrong again. The security guardrails surrounding low-code can vary drastically from provider to provider. That’s why choosing the right supplier is essential to ensure security is prioritised. To help maintain development security, find out what security, management and governance controls are provided by your chosen low-code provider and make sure you understand what controls you will have and how those controls will be assigned. It may seem obvious, but it is also important to check what data security and privacy controls are included.


Low-code is a powerful tool for development, but only with the right guardrails in place

Low-code, when used by citizen and pro-developers, can empower businesses to turbo-charge transformation and its potential shouldn’t (and needn’t) be overshadowed by security fears. Much like any technology, the possibilities of low-code development are endless, but it does require the right guardrails to be put in place to embrace it effectively.

When used and managed successfully, low-code can add a greater level of protection to a business – without stifling innovation. With pressure surrounding digital transformation always on, and growing increasingly competitive, innovative and digitally-savvy organisations must not abandon security in the race to break new ground.