I regularly hear people say that No / Low Code is not secure, has performance issues or is not scalable. When I ask why, I often discover it is an assumption. Most have never used a No/Low Code tool. This blog intends to provide insights into No Code security for generic No Code platforms. Those provide the infrastructure for you as well.
What is No Code security?
No Code Security is a multi-headed beast. There are many security aspects. Many that need to be working perfectly so you don’t have nightmares. No nightmares about stolen data. Or complaints from users. Or a hacker taking over your application and making fun of some public figure.
But you are no security expert. Don’t worry, most No Code users are not. And at the same time security is a serious topic.
First, we have to take a step back. To define how a No Code application (or any application) is logically structured. Each application can be viewed using different layers as depicted in the figure below.
The Infrastructure layer is the foundation of your application. The infrastructure provides the server capacity, the connection with the internet, storage space, firewall, the operating system and other complicated things. Think of this layer as your laptop with the operating system installed combined with your internet connection at home. It is not very valuable to you without an application installed.
The Data Layer is about managing your data, documents, images, etc. This uses the storage provided by the Infrastructure. Typically, there is some sort of database technology that does the management of your data. Compare this to a music management application like Apple’s Music or Spotify (but then installed on your laptop). You can record and manage data about your music. It will also allow you to play your favourite songs.
The Logic Layer contains all the rules that you want to apply for your application. The rules will among others determine how data is treated within your application. And they should also determine who can create, read, update and delete data.
Finally, there is the User Interface layer. This determines what your user is shown. For example, a web page that contains a table with products or employees. This helps the user to access data, find data and/or manage data.
Ok great. What does this have to do with No Code Security? Hang in there!
Your application will typically not be the only one running on the platform. You are one of many. The supplier makes sure that your application is separated from applications of others. Compare this with sharing your laptop with a family member. If each of you has your own account, then you typically only have access to data or documents of the other IF you allow this.
The supplier also ensures that security measures prevent security breaches in each layer. If there are security threats they will patch their software and fix bugs.
So, you think you are off the hook? For many things but not everything.
The technical security should be arranged by the supplier. This is where you should be able to trust the supplier. And be comfortable they are doing the best possible job. There can be some technical aspects, like setting up integrations securely or SSL certificates, that you have to configure yourself. If you don’t know how, get help from the supplier or a consultant.
However, the supplier does not prevent you from unintentionally exposing all your data to the public. For example, if you don’t implement access controls then anyone can read all data, change your data or worse steal the data. This means that you need to ensure that the rules and the user interface that you create do what needs to happen. The figure below depicts who is primarily responsible for security.
Is that all? Sorry, there are also other aspects that you are accountable for.
Among others you need to make sure that you have procedures in place to handle privacy requests by the end users. Procedures to handle security risks and issues. And procedures to regularly review your supplier’s security performance.
How to ensure no code security does not give you nightmares?
Step 1: Mindset
No Code Security is like creating a new habit. It takes effort and motivation to get started. With time and some perseverance, it becomes a new habit. Don’t be deterred by doom and gloom security experts. Yes, there are scary people that try to hack applications to steal data or money.
You already are dealing with security every day. You log in to your computer and websites every day. In some cases, you might even have set up an authenticator app to increase security. In many social media platforms, you determine who sees your posts, photos etc. These are all security activities.
You also store your data with many platforms. And you trust that your data’s security is taken seriously. If those platforms don’t then their users will leave.
The same applies for No Code platforms as well. These have to be secure to stay in business.
Embrace the topic of security. Your users will love you for it.
Step 2: Trust but verify
Not all no code platforms are created equally. You should do your due diligence before you start building your application. Here are some questions you should be able to answer yourself or get reliable answers from experts:
- Is the supplier a trustworthy party?
- Is the platform itself technically secure?
- Are good security practices and procedures in place? Security Certification is a good start.
- Have there been security incidents recently?
- How are security incidents handled?
- Are there the right security features for your needs? For example user management functionality out of the box.
Sometimes you might need to use multiple platforms, for example one for the mobile app or web application, one for integrations and one for payments. You should make sure each of these is designed to be secure. Better to be safe than sorry.
You may already have selected a platform. Or have used one for some time. It is a good practice to evaluate security periodically. The scary people get smarter all the time. Excellent security today is likely to be only so-so in a few years’ time.
Step 3: Don’t drop the ball yourself
While creating your application, you can still make a security mess. Despite your platform being secure. You can still open the door to confidential data because you do not check who the user is and what their access privileges are.
There are a number of sub-steps that you should follow.
A. What are your requirements?
Answer these 3 questions:
- Is there a need to restrict access to data? In most cases this is a yes.
- Which persons – users, administrators, technicians, etc – can read what data?
- Which persons can change and/or delete data? What are the conditions for these actions?
Create a spreadsheet for this. With your data on one axis and the roles on the other.
B. Set up your user management and access privileges
Assuming you answered yes to question 1, you start with enabling user management.
Using the answers from questions 2 and 3, you set up your access privileges for users. A role-based setup is often a good approach for this.
This is the basis for the logic and user interface that you set up. For example, you only show a delete button to users with a role that is allowed to delete data. You can also set up checks in the logic that only allow users with a specific role to see data AND only data that is related to themselves.
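The spreadsheet from sub-step A and the role AND ownership check described above, sketched in Python as an added example (not code from any No Code platform or from the original blog). The roles, data types and the ":own" marker are assumptions made for illustration.

```python
from dataclasses import dataclass

ACTIONS = ("read", "update", "delete")

# Constructed access matrix (the spreadsheet from sub-step A): data types on
# one axis, roles on the other. "action:own" means the action is allowed only
# on records related to the user. Role and data names are assumptions.
ACCESS_MATRIX = {
    "order": {
        "customer": {"read:own", "update:own"},
        "support": {"read", "update"},
        "administrator": {"read", "update", "delete"},
    },
    "invoice": {
        "customer": {"read:own"},
        "administrator": {"read", "update", "delete"},
    },
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    owner_id: str


def is_allowed(user, action, record):
    """Logic-layer rule: the role must permit the action AND, for ':own'
    cells, the record must be related to the user. Unlisted means denied."""
    cell = ACCESS_MATRIX.get(record.data_type, {}).get(user.role, set())
    if action in cell:
        return True
    return f"{action}:own" in cell and record.owner_id == user.user_id


def visible_buttons(user, record):
    """User interface: show only the buttons the logic layer would accept."""
    return [a for a in ACTIONS if is_allowed(user, a, record)]


def delete_record(user, record, store):
    """The logic repeats the check itself; a hidden button is not the control."""
    if not is_allowed(user, "delete", record):
        raise PermissionError(f"{user.role} may not delete {record.data_type}")
    store.pop(record.record_id, None)
    return True


if __name__ == "__main__":
    alice = User("u1", "customer")
    admin = User("a1", "administrator")
    own, other = Record("r1", "order", "u1"), Record("r2", "order", "u2")
    print(visible_buttons(alice, own))
    print(visible_buttons(alice, other))
    print(visible_buttons(admin, other))
```

Because the user interface and the delete action both call the same rule, a role or data type that is missing from the matrix is denied everywhere by default.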
C. Set up additional technical measures
This could include, but is not limited to:
- Enabling an SSL certificate if not provided out of the box. This enforces that the communication between a user and the application is encrypted.
- Set up 2 factor authentication for login
- Set up rules for password strength and refresh
- Set up a process for password reset that is secure enough
D. Secure your infrastructure, if applicable
Not all platforms support using your own (cloud) infrastructure. In case you have your own infrastructure you need to make sure this is secure. I recommend using an expert to do this for you. This is a specialist area which is easy to mess up if you don’t know what you are doing.
E. Check your coding extensions, if applicable
In case you or someone else added their own code to your application, you should check that it does not introduce security issues in your application. For example, the additional code could show data that is not meant for the user or allow a hacker to get access to the application.
F. Testing your work
You should assume that mistakes have been made. Test the functionality thoroughly. Preferably, also have the application tested by persons that were not involved in the setup.
G. Rinse and repeat
You will have to revisit this topic periodically even if there are no issues. Unfortunately new security threats pop up daily (if not faster).
Disclaimer: I am a No Code enthusiast and not a security expert. Security is a serious matter for any application (no code or otherwise). The actual security provided by the supplier must be checked by you and preferably by a security expert. When you use no code platforms for yourself or your customers you are accountable for the security of all data and documents. The supplier typically will not accept any liability (read the terms & conditions). This article's intention is to increase your awareness and it is not exhaustive. It only provides you suggestions of areas to look into. This article is not intended to provide security advice in any way for your application or the use of No / Low Code platforms. Any action taken based on this article is your own responsibility.
Only a few No Code books have been written to date.
Since 2017, I have kept an eye out for websites and books about No Code. Back then there was next to nothing that was helpful. Over the years several helpful websites have appeared, which I will discuss in another blog. However books are still really scarce. I only found the following to date that you have to pay for with money. Perhaps you found others. Please do share!
De wereld van Udi (in Dutch only)
This is a combination of a picture book and explanation book about No Code. It uses an analogy of different worlds with different inhabitants to explain aspects such as cloud, software development, citizen developers and other topics.
If you have never heard of the cloud, no code, citizen development, etc this provides some light reading to give you an idea of these topics. The visuals are nice to look at.
If you are looking for more detail or practical steps how to use no code tools then this book does not help you a lot.
There is also a related magazine that you can subscribe to: https://www.dewereldvanudi.nl/citizenwave/
How to build an app with No Code
7 Steps to scale your idea
This book is the first book that I encountered that actually refers to specific No Code tools. If you have never looked into No Code you get pointers of potential no code tools to look into. The lists of tools are not exhaustive, as stated by the author. Except for one-liners about what a tool's focus is, there is not much help for selecting a tool or set of tools that is right for you.
If you are new to developing a business idea and are interested in doing this without writing one line of code then this book gives you a few starters.
This is a very short book. Actually it is an ebook that you can get printed and delivered by Amazon. It is also available as Kindle book. The primary focus is giving you a basic step by step method to generate a business idea and develop it into an actual product. There are hints about which no code tools you could use to develop your prototype, MVP and actual product. The (e)book is quite short and therefore limited in detail.
The App Factory Playbook
How you can develop your App idea without learning to Code and without a technical Co-Founder
This book is for non-technical persons or teams that cannot afford to hire an (expensive) digital agency. It is about taking your idea for an App and developing it. The book gives you pointers how to develop specifications for the idea. From talking to customers to gather requirements, writing user stories and creating sketches.
The purpose of this is to be able to give your specification to a developer that does the development. The book also provides hints where and how to hire the developer(s) and how to manage the project.
Although it does not provide any tips or insights into how to use no / low code for your app, it does provide you a basic approach to get started without any technical expertise.
A list of questions for assessing No / Low Code platforms and/or projects. This book has 500+ pages.
Disclaimer: I have not read this book. Perhaps it is of interest if you are looking for a generic (long) list of topics which also contains a number of specific ones.
An example of a guide focussed on a specific platform or tool. This book has 150 pages.
Disclaimer: I have not used this tool. It allows you to create web applications on top of an Oracle database without coding. You can more easily leverage the strengths of an Oracle Database. I did not read the book.
Please note: these are only my opinions. I have intentionally left out links to websites or webshops as these are books that I looked into but none of them provided what I was looking for.
Earlier this year, I was working with other entrepreneurs in a startup to develop a new service as fast as possible. The service included an application to support the service. We started very enthusiastically using WEM as the platform because we could develop the application very fast. We wanted to demonstrate the application to prospective customers. And avoid having to find trustworthy developers and keep costs contained.
The enthusiasm and excitement grew with every new feature we developed
There were many created in a very short period. Due to the rapid evolution of the application, we very quickly became so confident that we decided to deploy the application in trial mode for a number of prospects. The initial feedback was great and we were getting very, very close to signing up a first customer. We really were confident that we could make this work.
But then it went all downhill in a matter of weeks in a completely different area…
With a No Code platform you can build an application lightning fast. However, we also needed to develop the service itself, which included among others the creation of a legal entity, defining and agreeing roles and responsibilities, the creation of predefined content, starting a knowledge base, defining consulting services, and staffing the required support.
We tried to do the organisational development at the same speed
This meant we were doing many of those service components and the organisational development in parallel in a matter of months. With an application ready to be used and a first customer lined up it was really important to be able to deliver.
It was crunch time. There were a lot of tasks that were started but not finished. Decisions had to be made quickly. People had to be assigned to roles within the project team for the first customer. Individuals had to step into their agreed roles and deliver on their promise. Unfortunately, it did not work. There was, simply put, not enough commitment from some of the people involved…
We made the tough decision to stop almost as quickly as we decided to start
The main lesson for me was that you can save a lot of time by using No Code. However this does not mean that organisational, people and process development can keep up. It actually will reveal very fast and painfully whether your assumptions are correct. In traditional projects this need for speed is often obfuscated because the application development takes much more time and therefore there is more lead time to deal with this.
This blog was written by me for webbit21
Your organisation is going through a digital transformation programme. This has its ups and downs while trying to deliver according to expectations. Digital transformation programmes are essentially change programmes that need to cope with resource shortages, organisational resistance, process reengineering and technology changes.
A major difference with a traditional change programme is that digital transformation programmes aim to introduce digital capabilities into all parts of your organisation. Digital capabilities mean more and more technology is used. Technology to replace non-digital capabilities, such as paper forms and documents. Technology to do things that you could not do in the past, by using chatbots for customer interaction or artificial intelligence to recognise issues with your product earlier. Technology that enables you to speed up existing processes significantly. Technology that replaces obsolete technology you already have, for example smart meters.
Another aspect that is part of a change programme is that you don’t know upfront exactly how you are going to implement the changes required. You need to be adaptable as you are venturing in new areas. Often there is little information about what to expect as this is new territory. As a result you will change processes many times until you get it right.
This means that the applications and IT infrastructure will also have to change many times.
In the area of infrastructure, cloud technology has made huge impact. It already provides a tremendous amount of flexibility to your organisation because you can easily scale up and down.
For application development there are a few options to be faster and especially more adaptable:
- Use agile methodologies to increase your adaptability of traditional software development. You only build what you need. You discover earlier if something is not working. The processes allow you to change your priorities quickly. It still requires you to build, test and maintain software.
- Use a Low Code platform to increase the speed with which software is developed. This is achieved by increasing the productivity of your developers. Many of the developer tasks are automated or the effort is reduced significantly.
- Use No Code platforms that completely eliminate all development tasks. You don’t need developers, software testers or application managers anymore. You focus on the functionality, the logic and user experience. The No Code platform takes care of the rest.
Although Low and No Code platforms are relatively unknown for many, they are very powerful platforms that have developed rapidly. These platforms are often used for prototyping but are more than capable of delivering scalable production-grade web applications and mobile apps. The advantage is that they provide the adaptability that your digital transformation requires.
When determining the digital capabilities for application development to support your digital transformation I recommend looking into Low and No code platforms next to using Agile methodologies.
See also Sander’s post “3 reasons why digital transformation has slowed down”
This blog was written by me for webbit21
This animation was produced by me in collaboration with webbit21
No time, no budget, no resources. There are many excuses not to start something new. However, you might miss out on a great revolution that is starting. It could mean you miss out. We have compiled a list of 21 reasons why we think you should start with No Code.
- Test your business idea quickly with fully functioning apps and applications rather than with just a PowerPoint or mock-up
- You can spend way more time with your customers
- You spend time on delivering value fast
- Your customers can see new functionality directly
- You can impress users by delivering new functionality all day long… until your inspiration runs out
- You can redo your app / application entirely and still be faster than normal projects when you discover that it did not work
- You can scale up much quicker and reliably
- Save time and money on development costs
- You don’t have to rely on developers
- You don’t need project managers
- You spend no time on fixing technology bugs
- You spend no time on technical tests because security and performance were part of the design
- You spend less time on maintenance of apps / applications
- You don’t need to spend many, many hours to learn to program software and master infrastructure
- Get satisfaction from creating a new app / application yourself within hours or days
- Learn something new without spending 10.000 hours
- Meet new people
- Be part of something new
- You are fed up with having to fix that magic Excel sheet you created years ago
- You are fed up with people with great ideas being limited because they don’t get the funding or resources assigned
- You are on a tight budget
What do you think? Do you have other reasons to start with No Code? Let us know in the comments.
This blog was written by me for webbit21
After many months of pitching your idea to your management, you get approval and money to go ahead to develop the application. This is just the start of your journey to realise your vision.
You first have to select a reliable party to support you. Then it takes weeks of discussions and frustrating negotiations until the contract is signed. Again, a couple of weeks later the project finally starts with a series of workshops to establish personas, customer journeys and user stories. Next there are several user experience design workshops resulting in mockups. In parallel the development team is formed, brought up to speed and the development environments are setup. The costs already are starting to add up even before the real development starts.
During the development you discover that the translation of your vision into the actual product is regularly off the mark. Also, you yourself have to adjust your requirements because what you envisioned does not work perfectly when you test it.
This means that every sprint review there are new things added to the backlog. Functionality that was already developed is changed or even scrapped. When the first test/beta users start using your application there are even more items added. But now finally you have a first working version in production mode so the user group can be extended.
This happens more often than not. The reason for this is that when persons actually use an application in real life situations, the real learning and the actual work only starts. Getting to this point may cost you less than in a traditional setting but it still costs you quite a bit of money.
Would it not be great if you got instant feedback about your ideas from real users within days of starting the project? Ideally without spending any or very little out of pocket money. A pipe dream you say…
Not with No Code platforms. You can save a huge amount of the time that you spend on finding a partner, getting contracts in place, onboarding the development team and getting your ideas translated into an actual application. Yes, the first time there is a learning curve for yourself. However once you have gained a bit of experience this will pay off every time you have a similar need. Also as you don’t have to explain your requirements to developers you can set up the application exactly as you intended it. The savings can be used to create other applications. Even if you hire a No Code consultant to bounce your ideas off or do some of the more complicated things, you will save money.
As seeing is believing, I suggest you set aside half a day to try it for yourself. Get a free subscription of a No Code platform, watch a tutorial and build your first app.