Low-code platforms for software development are being hailed as the salvation for enterprises short on coders and...
long on mobile projects. But they may have another, less obvious benefit: helping to build security into the development process.
If so, the timing couldn't be better. Huge security breaches continue, with the most recent being the Equifax hack of as many as 143 million personal records. And a just-released survey from WhiteHat Security of 15,000 web applications shows while security efforts are slowly improving, nearly 50% of applications remain so riddled with easy targets that they could be hacked every single day of the year.
"Building security into the software development process is more than just a catchy phrase," said Kevin Greene, program manager in the cybersecurity division of the Department of Homeland Security, speaking at DevSecCon in Boston. "It has to be in all phases of software development."
But security has been a nagging toothache for development teams since the beginning. While everyone pays lip service to the importance of security, the reality is pressure to release applications quickly and a lack of corporate focus can result in security being the last thing considered. Some companies have tried to embed security pros with development teams, but the results have been uneven.
A low-code platform can tackle the problem from the other direction by building in security. But it's important to remember most corporations choosing low-code platforms aren't doing it for security reasons, said Burley Kawasaki, executive vice president of products at low-code platform maker Kony Inc., based in Austin, Texas. "If you're talking to more line-of-business people or divisions, they're looking for low-code tools to get stuff done faster. Security is not on the list of advantages. It's a pure need for speed."
That's OK for Ann Monroe, vice president of marketing at low-code platform provider FileMaker, based in Santa Clara, Calif., who feels confident that the built-in security is going to be very helpful in companies going faster. FileMaker recently surveyed low-code users in conjunction with 451 Research and found security was an issue with users -- specifically concerns about keeping customer and corporate data safe.
"Security is really important to us, and one of the things we do from a platform perspective is we start with security first. If you're planning a new release at the core, you need to think security first. You have to get that right, so that's why we really focus on that first."
At Kony, Kawasaki talks up the advantages of ready-made security, if for no other reason than he said IT departments have an overwhelming job trying to keep track of all the random applications floating around. "Low-code tools, when used appropriately, give IT a way to extend the olive branch out to the business so that they can still take advantage of the speed and productivity, but in a sandbox."
But you need a low-code tool that lets IT continue to keep track of the back end and offers the ability to get to the API layer. "You need a common set of APIs that are secured, or blessed or certified by IT, particularly if the business is out there whipping out 15,000 apps. You've got to be able to ensure the data is secure, even if you're creating a lot of applications."
And at the end of the day, Kawasaki said it was important to be realistic about the process. Not every app needs to be natively built. "In some cases, if the app is only used behind the corporate firewall, using a low-code approach to build a web-based hybrid web app is fine. I'm not saying native is better than web. But from a low-code standpoint, pick and choose which one makes sense. For the apps with the stronger security need, use the native approach."
What you need to know about low-code/no-code platforms
Get a productivity boost, fast
Best practices with low-code/no-code platforms