Alon Jackson is the CEO and cofounder of Astrix Security, a leading enterprise solution securing app-to-app interconnectivity.
At the end of every year, leading cybersecurity companies place their bets on what the biggest threats will be the following year.
Looking ahead to 2023, hackers will, of course, continue to become more advanced, and we’ll surely see more breaches. But, the big threats we’re betting on are the ones that stem from requiring a hyper-connected enterprise, one, in particular, being low-code/no-code integration platforms.
As the digital workforce continues to expand, app integrations have proven to be a necessity to the business, making the organization operate faster and more efficiently. Specifically, low-code/no-code tools are predicted to be one of the main application platforms in over 50% of all medium- and large-sized organizations to automate and integrate processes that were once manual. While this has led to incredible leaps in productivity and employee satisfaction, it also presents new vulnerabilities as these new low-code/no-code tools create ungoverned connections between the organization’s core systems and third-party applications.
The Acceleration Of The Citizen Developer
The worldwide developer shortage is nothing new, but it is escalating. IDC predicts that the need for full-time developers will increase from 1.4 million in 2021 to 4 million in 2025. Despite the need for qualified talent, businesses must still meet their growth and revenue goals. That means an increased demand for tools and processes that can maintain efficiency and output.
Citizen developers—a non-specific role that creates application capabilities for the organization—and the demand for low-code/no-code platforms aim to offer a solution. With integration platform tools, it’s a no-brainer for citizen developers to integrate and automate business processes that connect critical systems and third-party apps. The breadth of tools that fall within the category is quite extensive and even encompasses platforms like Salesforce, making way for the dedicated profession of Salesforce Developers.
Information Services Group (ISG), a global technology and research and advisory firm, cites that despite the worldwide market for low-code/no-code development platforms still being in its infancy, the market is valued at nearly $15 billion already and expected to quadruple in the next five years. The report depicts benefits that span speed, convenience and cost, showing that low-code/no-code tools allow 70% cost savings and set-up times as quick as three days, compared to full-scale IT modernization, which can take one to two years. So, it’s not surprising to learn that 66% of developers either already use no-code or plan to do so in the next year.
Convenience And Growth—But At A Price
The reality is that citizen developers are filling a critical talent gap, but the catch is that they’re not security experts.
Low-code/no-code tools can be built with the blinders on. They provide a solution to a specific issue or need, but citizen developers, to no fault of their own, often lack the larger context and knowledge around application security, data governance and compliance. The issue is further amplified when these applications become connected with one another.
What we now have is a new generation of iPaaS platforms focused on citizen integrators that have made an organization so connected that it’s virtually impossible for security leaders to have full visibility into their most valuable company assets. What makes this even more intimidating is that attackers are already one step ahead and know that. Regardless of the company size or maturity level, companies like Microsoft and GitHub have even fallen victim to recent supply chain attacks in which attackers take advantage of improperly secure app-to-app connections.
Author and analyst Joe McKendrick poses a powerful question: “Will concerns about technology spinning out of control in an insecure way put a damper on this [low-code/no-code] growth?”
In my opinion: probably not, or maybe only after we experience the first major breach of 2023.
Reading The Writing On The Wall
We’re obviously not the only ones paying attention to the growth and risks of low-code/no-code. Forrester predicts that the movement will lead to a “headline security breach at a major enterprise by next year.”
Here’s what won’t change in 2023: Enterprises will still be in dire need of developers, low-code/no-code tools will continue to prove their value in the modern enterprise environment and app-to-app integrations will continue to skyrocket.
But here’s what will change: security teams may get increasingly overwhelmed and unable to maintain visibility into all integrations, and bad actors will recognize just how wide the gaps are.
We need to recognize the pros and also cons of the low-code/no-code movement. It’s time for businesses to establish clear security policies and guidelines for business-led developers, or they’ll run the risk of burnt-out security teams—an attacker’s dream.
To begin establishing these policies, create a directory of all connections to your organization, then know or assign each connection. In doing so, security teams should also evaluate the permission levels at each integration, which can help identify any applications that aren’t necessary to your business or that may be too much of a risk. Nonetheless, identify a process for these integrations that can help manage any current or future third-party applications.
It may seem daunting, but it’s worth the price you might have to pay if attacked. One final piece of advice: Don’t ignore the smoke signs!