Lack of governance will limit the success of low-code / no-code
In October 2020, I wrote an article on the risks and benefits of the citizen developer approach, urging organizations to put good governance practices in place. Almost a year later, cybersecurity firm UpGuard discovered an issue with default permissions in the Microsoft Power Apps environment that resulted in over 38 million records being exposed online.
To be clear, the vulnerability was not inherent in the Power Platform architecture. What UpGuard found was that, despite a warning in the documentation, users had built a number of portals left at their default permissions, and that default configuration was the hole that exposed the records. Microsoft has since made changes to close the gap and improve security by default.
The full promise of No-Code, Low-Code will not be achieved without governance
Make no mistake: I’m a fan of the no-code / low-code citizen developer movement. Industry analysts see no-code / low-code as the only way around the shortage of professional developers available to support digital transformation efforts. Growing investment in this category of software has increased the number and variety of offerings. Apparently, this proliferation has caused some confusion among buyers, as Gartner released a briefing note on the differences between no-code and low-code earlier this year. According to Gartner:
- No-code is a marketing term. It is used to imply that the tool or set of tools in question is intended for non-professional developers.
- Low-code, however, implies support for scripting or other capabilities that go beyond a pure no-code approach.
Gartner recommends that any buyer evaluating such products ensure that the approach, as well as the product, matches the skill set of your developers, whether they are citizen developers in a business unit or professional developers in IT.
But your developers’ skill level won’t necessarily matter in cases like the one described above. The problem UpGuard detected could arise on any no-code or low-code platform whose secure-configuration guidance lives only in the documentation, where developers easily overlook it, while the platform’s defaults remain open. Good governance processes, while not preventing every problem, will help organizations get the most out of no-code / low-code tools in a safe and secure manner.
A governance framework and a question of risk
Last year’s message still holds true:
“Ideally, you will have an organizational policy and framework in place for governance of application development. It should be simple and address the risks and the controls in place to manage them.”
Along with setting the policy, organizations using no-code / low-code platforms for agility and business benefit should have a good quality assurance process in place. Even if you only have five or six business units building their own solutions without code, it’s worth having QA engineers on hand who can review and check those solutions before they go live. While this requires a bit more investment in time and budget, it will potentially save you the embarrassment (and potential legal headaches) of a simple misconfiguration leading to a breach of customer records.
Which brings me to another reason why I chose to come back to this topic. While I remain a huge fan of the no-code / low-code movement in general (including the Microsoft Power Platform) and understand why evangelists and advocates think this might be the way of the future, I have to question some of the decisions organizations make regarding the use of these tools.
If the business problem you’re solving involves a public-facing or customer-facing application, doesn’t that inherently carry more risk than an application deployed internally, within an organization’s firewalls and security perimeter? In that case, despite the benefits of agility and time-to-market, can you really accept the risk of citizen developers building a no-code solution that goes to market without having been reviewed and approved by IT? And if your IT teams are using low-code platforms to support agile responses, rapid prototyping, and speed to a final solution, that doesn’t remove the obligations of good development practice, including code review and testing with a specific eye on security.
UpGuard provides a timely reminder
UpGuard’s discovery is a reminder of the need for good governance around no-code and low-code development. Implementing a policy does not need to slow down processes or make them more complex. Find the right balance for your risk appetite, but beware of doing nothing and then finding millions of your customer records shared on the dark web.
Jed Cawthorne is Director of Security and Governance Solutions at NetDocuments. He is involved in product management and works with clients to make NetDocuments’ products even more successful.