By Peter Tiszavolgyi, CIO of Lowcono Inc.

In the digital age, businesses must prioritize security to protect their sensitive data and documents. Low-code development platforms have become increasingly popular as they streamline and accelerate operations, but they also necessitate a thorough evaluation of associated security risks. A security breach can lead to severe consequences, including reputational damage, financial losses, intellectual property theft, and compromised customer data. As a result, businesses must develop comprehensive strategies to safeguard their digital assets, focusing on infrastructure, application, and data security.

In this three-part article we explore the critical aspects of maintaining robust security in low-code development platforms.

Infrastructure Security

Hosting

When evaluating low-code platforms, businesses look for a hosting model that best suits their overall needs. Most platforms are hosted on major cloud service providers such as AWS, GCP, or Azure; others, such as Salesforce, run in their own data centers. Key factors to consider include the criticality of your application, its exposure to cyberattacks, and regulatory compliance or other legal requirements.

For businesses offering commercial solutions with lower risk profiles, a shared, multi-tenant cloud deployment can be sufficient. Organizations with heightened security requirements should at least opt for a virtual private cloud (VPC), an isolated network segment carved out of a public cloud, or consider a single-tenant deployment in a privately hosted cloud. Ask the vendor how tenants are actually isolated (separate accounts or VPCs, separate databases, or only row-level separation inside a shared database), because that determines what a breach of a neighbouring tenant can reach.

In specific cases, mainly in the financial and government sectors, an on-premises deployment can be warranted to retain full control of the environment and satisfy mandatory compliance requirements.

Zone Separability of Subsystems
Companies with high-risk profiles should choose a platform capable of hosting internal and external applications independently. The internal subsystem processes sensitive data on an isolated internal network, while the external subsystem holds only public data. A unidirectional ETL (Extract, Transform, Load) process carries data from the internal zone to the external one, publishing only the subset that is meant to be public and never opening a path in the other direction. Even if the public-facing external subnet is breached, the attacker cannot reach sensitive data because it is not present there. The guarantee is only as strong as the export step, so the set of fields allowed to leave the internal zone should be an explicit allowlist rather than a list of things to strip out.
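
The export step of such a unidirectional ETL, as an added example that is not Lowcono's code or part of the original article: records from the internal zone are projected onto an explicit public schema, everything outside the schema is dropped, and a record is refused outright if a supposedly public field still contains something that looks like sensitive data. The field names, the sample records, and the two sensitive-data patterns are constructed for illustration.

```python
"""Fail-closed export filter for an internal -> external ETL step.

Added example (not the platform's code). Field names, patterns and the
INTERNAL_RECORDS sample data below are constructed for illustration.
"""
import re

# Allowlist: the only fields the external subsystem is permitted to hold.
PUBLIC_SCHEMA = {"case_id": str, "title": str, "status": str, "published_at": str}

# Last line of defence: a public field should never contain one of these.
SENSITIVE_PATTERNS = [
    re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),  # IBAN-like account number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),           # e-mail address
]


class ExportViolation(Exception):
    """Raised when a record cannot be exported without leaking data."""


def to_public(record):
    """Project an internal record onto PUBLIC_SCHEMA, failing closed.

    Unknown fields are simply never copied; a missing or mistyped public
    field, or a public field carrying sensitive-looking content, aborts
    the export of that record instead of publishing a partial version.
    """
    public = {}
    for field, ftype in PUBLIC_SCHEMA.items():
        if field not in record:
            raise ExportViolation(f"missing public field {field!r}")
        value = record[field]
        if not isinstance(value, ftype):
            raise ExportViolation(
                f"{field!r} has type {type(value).__name__}, expected {ftype.__name__}"
            )
        for pattern in SENSITIVE_PATTERNS:
            if pattern.search(value):
                raise ExportViolation(f"{field!r} looks like sensitive data")
        public[field] = value
    return public


def run_export(internal_records, external_store):
    """One ETL pass. Returns (number exported, list of (case_id, reason)).

    The external store only ever receives the projected dicts; nothing in
    it references the internal record, so there is no path back.
    """
    exported, rejected = 0, []
    for record in internal_records:
        try:
            external_store.append(to_public(record))
            exported += 1
        except ExportViolation as exc:
            rejected.append((record.get("case_id"), str(exc)))
    return exported, rejected


# Constructed sample data: one clean record carrying internal-only fields,
# one whose public title leaks an e-mail address, one missing a field.
INTERNAL_RECORDS = [
    {"case_id": "C-1001", "title": "Road closure notice", "status": "published",
     "published_at": "2024-05-01", "owner_email": "alice@example.org",
     "iban": "GB82WEST12345698765432"},
    {"case_id": "C-1002", "title": "Contact bob@example.org for details",
     "status": "published", "published_at": "2024-05-02"},
    {"case_id": "C-1003", "title": "Budget draft", "published_at": "2024-05-03"},
]

if __name__ == "__main__":
    external = []
    count, rejected = run_export(INTERNAL_RECORDS, external)
    print(f"exported {count}, rejected {len(rejected)}")
    for case_id, reason in rejected:
        print(f"  {case_id}: {reason}")
    print(external)
```

Rejected records stay in the internal zone and surface as an alert; the export never "does its best" with a record it cannot prove is clean.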

Regular Vulnerability Assessments and Penetration Tests
When selecting a platform, prefer vendors that conduct regular vulnerability assessments and penetration tests using reputable third-party providers, and ask to see the most recent report or attestation letter rather than taking the claim on trust. These proactive measures identify weaknesses in the infrastructure, the applications, or the data-handling processes so that they can be addressed before anyone can exploit them.

Observability and Alerting

Continuous monitoring of logs, with detectors and alerts, is essential for maintaining robust security. A new platform must come with extensive logging facilities, and it should be compatible with your existing monitoring solutions, if you have any. While the platform's provider is expected to monitor your application continuously, integrating your own logging and detectors adds a layer of monitoring and acts as a second alerting path if the provider's fails. A widely supported arrangement is RFC 5424 syslog parsed with grok patterns (as used by Logstash), which allows efficient parsing and processing of log data; ask the platform to confirm which format it emits and to provide a sample. Compatibility with established open-source monitoring solutions, such as Zabbix, provides a reliable means of tracking your application's performance and security.
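What "your own detectors on the platform's logs" looks like in practice, as an added example that is not from the original article or from Lowcono: a parser for RFC 5424 syslog lines (PRI, header, structured data, message) and two detectors run over them, one flagging repeated authentication failures from the same source within a time window and one flagging anything logged at severity emergency, alert or critical. The log lines are constructed; the structured-data element id `auth@32473` uses the enterprise number RFC 5424 reserves for examples, and its parameter names (`user`, `src`, `result`) are assumptions.

```python
"""RFC 5424 syslog parser plus two sample detectors.

Added example, not platform code. SAMPLE_LINES are constructed; the
"auth@32473" structured-data id and its parameter names are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]. Escaped "\]" inside a
# value is not handled here; a production parser must treat it.
SD_ELEMENT_RE = re.compile(r"\[([^\s\]]+)([^\]]*)\]")
SD_PARAM_RE = re.compile(r'([^\s=]+)="([^"]*)"')


def parse_syslog(line):
    """Return a dict for a valid RFC 5424 line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23, severity 0..7 => PRI at most 23*8+7
        return None
    sd = {}
    if m["sd"] != "-":
        for sd_id, params in SD_ELEMENT_RE.findall(m["sd"]):
            sd[sd_id] = dict(SD_PARAM_RE.findall(params))
    ts = None
    if m["ts"] != "-":
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {
        "facility": pri // 8, "severity": pri % 8, "timestamp": ts,
        "host": m["host"], "app": m["app"], "msgid": m["msgid"],
        "sd": sd, "msg": m["msg"] or "",
    }


FAIL_THRESHOLD = 3          # failed logins from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window raise an alert


def run_detectors(lines):
    """Run the brute-force and critical-severity detectors; return alerts."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            # A log source that stops speaking the agreed format is itself
            # worth an alert: it may be misconfigured or tampered with.
            alerts.append({"kind": "unparseable", "line": line})
            continue
        if ev["severity"] <= 2:  # 0 emerg, 1 alert, 2 crit
            alerts.append({"kind": "critical", "host": ev["host"], "msg": ev["msg"]})
        auth = ev["sd"].get("auth@32473")
        if auth and auth.get("result") == "failure" and ev["timestamp"]:
            src = auth.get("src", "?")
            recent = [t for t in failures[src] if ev["timestamp"] - t <= WINDOW]
            recent.append(ev["timestamp"])
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append({"kind": "bruteforce", "src": src, "count": len(recent)})
    return alerts


# Constructed sample input: three failures from one address, one success,
# one kernel message at severity crit, and one line in the old BSD format.
SAMPLE_LINES = [
    '<38>1 2024-05-01T12:00:00Z app01 lowcode-auth 1234 LOGIN [auth@32473 user="alice" src="203.0.113.7" result="failure"] Authentication failed',
    '<38>1 2024-05-01T12:00:20Z app01 lowcode-auth 1234 LOGIN [auth@32473 user="alice" src="203.0.113.7" result="failure"] Authentication failed',
    '<38>1 2024-05-01T12:00:31Z app01 lowcode-auth 1234 LOGIN [auth@32473 user="bob" src="198.51.100.9" result="success"] Authentication succeeded',
    '<38>1 2024-05-01T12:00:45Z app01 lowcode-auth 1234 LOGIN [auth@32473 user="admin" src="203.0.113.7" result="failure"] Authentication failed',
    '<2>1 2024-05-01T12:01:00Z app01 kernel - - - Oops: NULL pointer dereference in module xyz',
    'May  1 12:01:05 app01 legacy[99]: not RFC 5424, should be flagged',
]

if __name__ == "__main__":
    for alert in run_detectors(SAMPLE_LINES):
        print(alert)
```

The same parse step feeds both the platform's fields (host, app, msgid) and your own structured-data keys into the SIEM, which is why it pays to confirm up front that the platform's logs are well-formed RFC 5424 rather than free text.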

Security Information and Event Management (SIEM)
SIEM solutions provide a unified view of an organization’s security landscape, enabling rapid identification of threats and swift response to mitigate potential risks. Your chosen platform should be able to integrate seamlessly with your existing or preferred SIEM solution, allowing for continuous monitoring and analysis of security events related to your applications.

Intrusion Detection and Prevention Systems (IDPS)
IDPS solutions proactively monitor, detect, and respond to potential threats and malicious activities within your network. It is important that your new platform can be effectively integrated with your existing or preferred IDPS solution, enabling continuous monitoring of your network traffic and rapid response to any intrusions.

Regular and automated security checks during the CI/CD process
When you are preparing to evaluate a low-code development platform, ask about the automated security checks in the vendor's Continuous Integration and Continuous Deployment (CI/CD) process.
From an infrastructure perspective, the platform's development process should at least enforce the following checks:

  • Kernel-level security checks: checks on the host operating system's kernel, such as its patch level against known vulnerabilities and its hardening settings, reduce the platform's exposure to kernel-level exploits.
  • System dependency CVE checks: regular scans for known Common Vulnerabilities and Exposures (CVEs) in system dependencies identify vulnerable third-party libraries and software components so that they are updated before a release ships.
  • Docker image checks: assessing Docker images for vulnerabilities, misconfiguration, and adherence to security best practices ensures that application containers are secure and meet industry standards.
  • RBAC (Role-Based Access Control) checks: tools such as ARMO, a security solution for cloud-native environments, verify that RBAC policies are strictly maintained, that privileges and access to resources are appropriately restricted and managed, and that unauthorized access to sensitive data or critical infrastructure components is prevented.
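
An RBAC check of the kind the last item describes, written as an added example rather than taken from ARMO or from the original article: it walks Kubernetes Role, ClusterRole, RoleBinding and ClusterRoleBinding objects and reports wildcard grants, privilege-escalating verbs, read or exec access to sensitive resources, and bindings that hand cluster-admin or any role to anonymous or all-authenticated subjects. The manifests are constructed and given as Python dicts (the shape `yaml.safe_load` returns for a manifest) so the check runs offline; the list of risky verb and resource combinations is a starting point, not a complete policy.

```python
"""Static RBAC audit for Kubernetes role and binding objects.

Added example (not ARMO's or Lowcono's code). SAMPLE_OBJECTS are
constructed manifests in dict form; the risky combinations below are a
minimal starting set, not an exhaustive policy.
"""

# Verbs that let a subject grant itself or others more than it holds.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# (apiGroup, resource) -> verbs that are dangerous on that resource.
SENSITIVE_RESOURCES = {
    ("", "secrets"): {"get", "list", "watch"},
    ("", "pods/exec"): {"create"},
    ("rbac.authorization.k8s.io", "clusterrolebindings"): {"create", "update", "patch"},
}
# Subjects that must never receive a privileged role.
ANONYMOUS_GROUPS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}


def _name(obj):
    return f'{obj["kind"]}/{obj["metadata"]["name"]}'


def check_rules(obj):
    """Findings for a Role or ClusterRole: wildcard verbs, escalation
    verbs, and dangerous verbs on sensitive resources."""
    findings = []
    for i, rule in enumerate(obj.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if "*" in verbs:
            findings.append((_name(obj), f"rule {i}: wildcard verbs on {sorted(resources)}"))
            continue  # already the worst case; no need to itemise further
        for verb in sorted(verbs & ESCALATION_VERBS):
            findings.append((_name(obj), f"rule {i}: verb '{verb}' permits privilege escalation"))
        for (group, res), bad in SENSITIVE_RESOURCES.items():
            in_group = group in groups or "*" in groups
            in_res = res in resources or "*" in resources
            hit = sorted(verbs & bad)
            if in_group and in_res and hit:
                findings.append((_name(obj), f"rule {i}: {hit} on {res}"))
    return findings


def check_binding(binding):
    """Findings for a RoleBinding or ClusterRoleBinding: anonymous or
    all-authenticated subjects, and cluster-wide cluster-admin grants."""
    findings = []
    role = binding["roleRef"]["name"]
    cluster_wide = binding["kind"] == "ClusterRoleBinding"
    for subject in binding.get("subjects", []):
        if subject["name"] in ANONYMOUS_GROUPS:
            findings.append((_name(binding), f"binds {subject['name']} to {role}"))
        if cluster_wide and role == "cluster-admin":
            findings.append((_name(binding),
                             f"grants cluster-admin to {subject['kind']} {subject['name']}"))
    return findings


def audit(objects):
    """Run both checks over a list of manifests; empty result means pass."""
    findings = []
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            findings.extend(check_rules(obj))
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(check_binding(obj))
    return findings


# Constructed manifests: a least-privilege pair, then a wildcard ClusterRole
# and a binding that hands cluster-admin to unauthenticated users.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "configmap-reader-binding", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "app"}]},
    {"kind": "ClusterRole", "metadata": {"name": "debug-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]

if __name__ == "__main__":
    import sys
    results = audit(SAMPLE_OBJECTS)
    for name, msg in results:
        print(f"{name}: {msg}")
    sys.exit(1 if results else 0)  # non-zero exit fails the CI stage
```

Wired into a pipeline stage, a non-empty finding list fails the build, which is the property to ask the vendor about: not whether a scanner runs, but whether its findings block a release.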

By selecting a low-code development platform that incorporates regular and automated security checks into its CI/CD process, you can strengthen your overall security posture, and safeguard your applications and infrastructure against threats.

Lowcono’s platform development prioritizes security. We have extensive experience in creating critical applications for government agencies across Europe as well as organizations such as USAID (United States Agency for International Development), including military-grade products for the Ministry of Defence in Hungary. Our expertise covers various domains requiring strict security measures and data protection, ensuring the Lowcono platform meets the most stringent requirements of government and private sector clients.

Do you want to learn more about low code and understand more of its benefits? Read What Is Low-Code and How Is it Still Not on Everybody’s Agenda?

In this first part of the three-part security series we looked at the infrastructure level: the layers that need monitoring and the tools a new platform should integrate with.

In the next installment, we will focus on application security, and look at the multiple ways Lowcono’s robust security practices can benefit your business.

Does your organization have a software project that’s too complicated to manage, running behind schedule and costing too much to build? Reach out to us at Contact Us – Lowcono