I hear regularly people say that No / Low Code is not secure or has performance issues or is not scalable. When I ask why. I often discover it is an assumption. Most never used a No/Low Code tool. This blog intends to provide insights No Code security for generic No Code platforms. Those provide the infrastructure for you as well.
What is No Code security?
No Code Security is a multi-headed beast. There are many security aspects. Many that need to be working perfectly so you don’t have nightmares. No nightmares about stolen data. Or complaints from users. Or a hacker taking over your application and making fun of some public figure.
But you are no security expert. Don’t worry most No Code users are not. And at the same time security is a serious topic.
First, we have to take a step back. To define how a No Code (or any application) is logically structured. Each application can be viewed using different layers as depicted in the figure below.
The Infrastructure layer is the foundation of your application. The infrastructure provides the server capacity, the connection with the internet, storage space, firewall, the operating system and others complicated things. Think of this layer as your laptop with the operating system installed combined with your internet connection at home. It is not very valuable to you without an application installed.
The Data Layer is about managing your data, documents, images, etc. This uses the storage provided by the Infrastructure. Typically, there is some sort of database technology that does the management of your data. Compare this a music management application like Apple’s Music or Spotify (but then installed on your laptop). You can record and manage data about your music. It will also allow you to play your favourite songs.
The Logic Layer contains all the rules that you want to apply for your application. The rules will among others determine how data is treated within your application. And it also should determine who can create, read update and delete data.
Finally, there is the User Interface layer. This determines what your user is shown. For example a web page that contains a table with products or employees. This helps the user to access data, find data and/or manage data.
Ok great. What does this have to do with No Code Security? Hang in there!
Your application will typically not be the only one running on the platform. You are one of many. The supplier makes sure that your application is separated from applications of others. If you share your laptop with a family member. And each of you have an own account then you typically only have access to data or documents of the other IF you allow this.
The supplier also ensures that security measures prevent security breaches in each layer. If there are security threats they will patch their software and fix bugs.
So, you think you are of the hook? For many things but not everything.
The technical security should be arranged by the supplier. This is where you should be able to trust the supplier. And be comfortable they are doing the best possible job. There can be some technical aspects, like setting up integrations securely or SSL certificates, that you have to configure yourself. If you don’t know how, get help from the supplier or a consultant.
However, the supplier does not prevent you from exposing all your data to public unintentionally. For example, if you don’t implement access controls then anyone can read all data, change your data or worse steal the data. This means that you need to ensure that the rules and the user interface that you create does what needs to happen. The figure below depicts who is primarily responsible for security.
Is that all? Sorry there are also other aspects that you are accountable for
Among others you need to make sure that you have procedures in place to handle privacy requests by the end users. Procedures to handle security risks and issues. And procedures to regularly review your supplier’s security performance.
How to ensure no code security does not provide you nightmares?
Step 1: Mindset
No Code Security is like creating a new habit. It takes effort and motivation to get started. With time and some perseverance, it becomes a new habit. Don’t be deterred by doom and gloom security experts. Yes, there are scary people that try to hack applications to steal data or money.
You already are dealing with security every day. You log in into your computer and websites every day. In some cases, you might even have setup an authenticator app to increase security. In many social media platforms, you determine who sees your posts, photos etc. These are all security activities.
You also store your data with many platforms. And you trust that your data’s security is taking seriously. If those platforms don’t then their users will leave.
The same applies for No Code platforms as well. These have to be secure to stay in business.
Embrace the topic of security. Your users will love you for it.
Step 2: Trust but verify
Not all no code platforms are created equally. You should do your due diligence before you start building your application. Here are some questions you should be able to answer yourself or get reliable answers from experts:
- Is the supplier a trustworthy party?
- Is the platform itself technically secure?
- Are good security practices and procedures in place? Security Certification is a good start.
- Have there been security incidents recently?
- How are security incidents handled?
- Are there the right security features for your needs? For example user management functionality out of the box.
Sometimes you might need to use multiple platforms for example one for the mobile app or web application, one for integrations and one for payments. You should make sure each of these are designed to be secure. Better to be safe than sorry.
You may already have selected a platform. Or have used one for some time. It is a good practice to evaluate security periodically. The scary people get smarter all the time. Excellent security today is likely to be only so so in a few years’ time.
Step 3: Don’t drop the ball yourself
While creating your application, you can still make a security mess. Despite your platform being secure. You can still open the door to confidential data because you do not check who the user is and what their access privileges are.
There are a number of sub-steps that you should follow.
A. What are your requirements?
Answer these 3 questions:
- Is there a need to restrict access to data? In most cases this is a yes.
- Which persons – users, administrators, technicians, etc – can read what data*?
- Which persons can change and/or delete data? What are the conditions for these actions?
Create a spreadsheet for this. With your data on one axis and the roles on the other.
B. Setup your user management and access privileges
Assuming you answered yes to question 1, you start with enabling* user management.
Using the answers from questions 2 and 3, you setup your access privileges for users. A role-based setup is often a good approach for this.
This is the basis for the logic and user interface that you set up. For example, you only show a delete button to users with a role that is allowed to delete data. You can also setup checks in the logic that only allows users to see data with a specific role AND only for data that is related to themselves.
C. Setup additional technical measures
This could be, but not limited to:
- Enabling a SSL certificate if not provided out of the box. This enforces that the communication between a user and the application is encrypted.
- Setup 2 factor authentication for login
- Setup rules for password strength and refresh
- Setup a process for password reset that is secure enough
D. Secure your infrastructure, if applicable
Not all platforms support using your own (cloud) infrastructure. In case you have your own infrastructure you need to make sure this is secure. I recommend to use an expert to do this for you. This is a specialist area which is easy to mess up if you don’t know what you are doing.
E. Check your coding extentions, if applicatble
In case you or someone else added own codes to your application, you should check that it does not introduce security issues in your application. For example the additional code could show data that is not meant for the user or allow a hacker to get access to the application.
F. Testing your work
You should assume that mistakes have been made. Test the functionality thoroughly. Preferable also have the application tested by persons that were not involved in the setup.
G. Rise and repeat
You will have to revisit periodically this topic even if there are no issues. Unfortunately new security threats popup daily (if not faster).
Disclaimer: I am a No Code enthousiast and not a security expert. Security is a serious matter for any application (no code or otherwise). The actual security provided by the supplier must be checked by you and preferably by a security expert. When you use no code platforms for yourself or your customers you are accountable for the security of all data and documents. The supplier typically will not accept any liability (read the terms & conditions). This article intention is increase your awareness and is not exhaustive. It only provides you suggestions of areas to look into. This article is not intended to provide security advice in any way for your application or the use of a No / Low Code platforms. Any action taken based on this article is your own responsibility.