Applications developed by citizen developers are on the rise. Low-code and no-code (LCNC) platforms are reshaping the development ecosystem. These tools are broadening horizons and enabling citizen developers to create powerful applications.
LCNC development is a way of developing apps in which developers use existing system design elements that can be added onto a visual interface.
These platforms focus on swift development that can automate processes, empowering users with minimal or no technical knowledge to build their apps innovatively.
However, security is not often at the forefront of app development when using LCNC platforms, as business users often lack a strong understanding of secure development methods.
Strategies to Secure LCNC Platforms
A breach of the LCNC platform could result in financial losses, damage to the organization’s reputation, and violation of compliance regulations. Below are some ways in which the security of LCNC platforms can be preserved:
- LCNC vendor assessment: Before procuring an LCNC platform, the organization’s security team must review the vendor’s security policies, data backup and recovery policies, and controls for securing the platform against vulnerabilities. Organizations should have an inventory of approved LCNC tools vetted by the security teams and prevent employees from installing and using unapproved LCNC tools that can expose the organization to compliance and security risks.
- Citizen Developer Training: Before building apps, citizen developers must thoroughly familiarize themselves with the LCNC tool and its security best practices.
- Identity management: Organizations can implement Single Sign-On (SSO) with multifactor authentication (MFA), so that users sign in to the network with a single credential but must still confirm their identity with a second factor each time they log in to the LCNC application.
- Access management: Enforce role-based access in all environments in combination with the principle of least privilege to bolster overall security. System administrators must assign administrator privileges to only a few citizen developers who have taken the organization’s security training and monitor user accounts to track for suspicious behavior.
- Enforce static and dynamic application security testing: Technical developers can perform static and dynamic application scanning to ensure no new vulnerabilities have been introduced in citizen-developed applications.
- Incident response plan: Create a robust incident response plan and execute the tabletop exercises, simulation attacks, and testing included in the plan to prepare for threats or security incidents.
- Push the latest updates and security patches: Technical developers need to update the LCNC tools with the latest vendor patches, as these provide fixes for code flaws.
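The vendor-inventory and access-management controls above can be checked mechanically. The following audit is an added example, not code from the article or any LCNC vendor: it runs over a constructed tenant export and flags tools outside the approved inventory, administrators who have not completed security training, and an administrator count above a cap. The approved-tool names, role names and cap are assumptions.

```python
"""Audit a constructed LCNC account export against two controls:
(1) only tools on the security team's approved inventory are in use, and
(2) administrator roles are held only by trained citizen developers, and by few of them."""
from dataclasses import dataclass, field

APPROVED_TOOLS = {"Power Platform", "D365"}  # hypothetical approved inventory
MAX_ADMINS = 3                               # hypothetical cap on admin accounts


@dataclass
class Account:
    user: str
    tool: str      # LCNC tool the account exists in
    role: str      # hypothetical role names: "admin" or "maker"
    trained: bool  # completed the organization's security training


@dataclass
class Findings:
    unapproved_tools: set = field(default_factory=set)
    untrained_admins: list = field(default_factory=list)
    admin_count: int = 0
    too_many_admins: bool = False


def audit(accounts):
    """Return the policy violations found in the export."""
    f = Findings()
    for a in accounts:
        if a.tool not in APPROVED_TOOLS:
            f.unapproved_tools.add(a.tool)
        if a.role == "admin":
            f.admin_count += 1
            if not a.trained:
                f.untrained_admins.append(a.user)
    f.too_many_admins = f.admin_count > MAX_ADMINS
    return f


# Constructed sample export (not real data).
SAMPLE_EXPORT = [
    Account("alice", "Power Platform", "admin", True),
    Account("bob", "Power Platform", "admin", False),   # admin without training
    Account("carol", "D365", "maker", True),
    Account("dave", "UnvettedBuilder", "maker", True),  # tool not on the inventory
    Account("erin", "D365", "admin", True),
    Account("frank", "Power Platform", "admin", True),  # pushes admin count over the cap
]

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```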
About the Author
Aparna Achanta is a Principal Security Architect at IBM Federal Consulting. Aparna oversaw mission-critical projects for US Federal Agencies. While at IBM, she successfully implemented the Zero Trust framework in federal agencies. Aparna spearheaded the Center of Excellence for SaaS applications at federal agencies such as the Department of Veterans Affairs, which is tasked with implementing the Zero Trust framework, thereby enhancing the security posture of these agencies. This Center of Excellence equips numerous citizen developer professionals with the necessary tools and security and governance frameworks to develop applications using low-code, no-code platforms, such as Power BI and Microsoft Co-Pilot, and establishes guidelines to ensure the responsible and secure implementation of GenAI apps. Aparna also established an Architecture Review Board for D365 and Power Platform applications, defining security requirements and shaping application architecture best practices for development teams. With 10+ years of experience, Aparna has designed secure digital transformation projects for large federal clients that have greatly streamlined processes. Aparna is a motivated person who is committed to giving back to the cybersecurity industry. She is an active mentor, author, peer reviewer, and speaker.
Aparna can be reached online at her website https://aparnaachanta.com/ or her LinkedIn https://www.linkedin.com/in/aparna-achanta-41741739/