Low-Code SDLC – Build Fast, Stay Secure

Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integrations. Low-code platforms are becoming a key technology behind the ongoing digital transformation trend, and as such, adoption of low-code platforms is soaring. However, low-code is as much a revolution as it is an exciting new technology. Low-code development democratizes application development and makes the process faster, cheaper and more aligned with the business.

Low-code Security – Awareness is Key

Low-code application development drastically reduces the number of stakeholders involved throughout the software development lifecycle (SDLC) process, increasing velocity and productivity. At the same time, low-code development creates new challenges to governance and security. In order to avoid introducing security vulnerabilities into low-code applications, security teams, business users and citizen developers must first be aware of the relevant low-code application security risks and how to overcome them. As you will soon see, this is especially important given the substantial difference between traditional SDLC process and that of low-code application development.   

Building Software – The Traditional SDLC Style

The software development lifecycle (SDLC) process provides a high-level description of the steps required to design, implement and maintain software. It has been molded, reshaped and fine-tuned over the years to create agile, high-quality and secure software.

As an example, let’s say an organization wants to develop a simple integration between two systems – e.g. notifying a Slack channel whenever a new file has been added to a specific Google Drive folder. 

With traditional software development, the development process is done by a team of professional developers, and would be along the lines of the following:

1. Envision – The business stakeholder defines the needs and the scope of the solution.
2. Plan – The product manager creates specifications in collaboration with the business stakeholder and the development team. Once approved, the developer creates a design that satisfies the specification. The design is then reviewed with the development team, product manager, business stakeholder and IT / privacy / security teams.
3. Create – Developers are assigned to build the solution according to the design.
4. Verify – QA teams are assigned to test the automation with manual and automated testing.
5. Deploy – DevOps teams instrument the automation with monitoring capabilities and release the automation.
6. Monitor – DevOps teams continuously monitor the automation to validate it is working properly.
7. Manage – In case of an issue or a change in requirements, DevOps and development teams drive the mitigation with well-defined SLAs.

Note that every time ownership of a project changes hands, new stakeholders are onboarded and their efforts are prioritized.

As mentioned above and demonstrated in this example, the SDLC process assures that all business aspects are taken into consideration when building software. Well-architectured design, enterprise governance, security, maintainability and quality are built into the process.

The main drawback of the traditional SDLC process is that it is prone to stray from the original intentions of the business stakeholder, as information might get lost in translation. It can also be wasteful in terms of time. Software development methodologies like Agile aim to ease those pains by reducing the size of each project that goes through this process, but the inherent problems still remain.

Building Software – The Low-Code Way

Now let’s look at the same requirements, through the low-code lens. low-code development provides an alternative to pro-code (traditional) development, which satisfies business requirements without competing for IT / development resources. Here is the same development process, but this time, adjusted for low-code development:

1. Envision – The business stakeholder defines the needs and the scope of the solution.
2. Create, Verify, Deploy – The business stakeholders use low-code platforms, designed to be user-friendly for non-developers. They create the automation, manually test it to verify it works and seamlessly deploy it to a cloud runtime environment, oftentimes without even knowing or caring what a cloud runtime environment is.

This process varies between organizations. For example, in some organizations, the business stakeholder might reach out to an automation expert within their department or within the Digital Transformation department to create their automation.

As you can immediately see, the low-code development process is much shorter. It involves less people and can even be accomplished by a single professional. This dramatically reduces time-to-feature and the use of development resources. It also ensures business stakeholders get solutions to their needs, with a lot less hassle.

It should be noted that a few key steps of the SDLC are missing, namely Plan, Monitor and Manage. low-code platforms provide tools that can help with these steps, but it is still up to the low-code developer to use them correctly. Moreover, these steps require either a high level of expertise (e.g. security and compliance review) or a different mode of operation, for example – monitoring and maintaining software.

Traditional SDLC vs. Low-code Development

These two development processes are optimized for different goals. Low-code development is optimized for development velocity and alignment with business goals by putting more power in the hands of business stakeholders and digital transformation offices. On the other hand, traditional software development is optimized for quality, security and maintainability. It leverages multiple viewpoints from different stakeholders which verify that all aspects of software development are considered.

Low-code development adds tremendous value to organizations, especially the ones going through digital transformation. However, organizations cannot afford to lose their governance capabilities, security assurances or software maintainability. These challenges must be met with dedicated solutions that do not rely on or interfere with the work of low-code developers. Instead, they must enable working alongside developers to help them follow the paved road. For low-code to reach its full potential, organizations must be able to unleash their citizen developers without compromising secure software development.

Keeping an Eye on Low-Code Security Concerns

To summarize, while low-code development removes a lot of the obstacles associated with traditional software development lifecycle processes, it also introduces new concerns related to the governance and security aspects of low-code application development, partly because of the fact that not enough stakeholders with security and compliance expertise are involved in the process. There are less checkpoints along the way from inception to deployment, and in turn, less opportunities to verify and validate that what’s being built adheres to corporate security standards. Given that low-code development processes are not likely to change anytime soon, the best approach organizations should take is to provide citizen developers with the necessary low-code security education, make them aware of low-code risks and concerns, and provide them with the necessary tools to develop secure low code applications.