No-code development may be the future of programming

Are No-Code tools safe? Security concerns answered

Low-code and no-code are the future

The new development platforms may have their biggest year. Are there any security issues with no-code tools?

A busy year seems to await low-code and no-code development. Both ordinary users and professional developers can benefit from these solutions, which are becoming more and more popular. Emerging serverless solutions rapidly accelerate the ability to plan, assemble, and maintain enterprise systems.[1] The No-Code development industry is growing, and more tools are coming out all the time. Appcues recently announced $32 million in funding for the no-code tools that should fix onboarding.[2]

Some people might think these platforms aren't safe because they don't see what lies behind the user-friendly interface, but that couldn't be further from the truth. An overview of the most popular No-Code platforms, such as Bubble.io, Webflow, and Adalo, should answer those questions. It outlines what sort of security standards these platforms employ, how their developers follow industry best practices when it comes to data security, and what non-technical users should look out for.[3]

Are there safety risks when using no-code?

It is only natural that many have security concerns centered on No-Code and Low-Code platforms. Not all of them offer the ability to export code, which prevents users with more technical knowledge from applying traditional measures like static application security testing, and there is a certain mystery to how they handle sensitive data. Of course, No-Code is not a flawless software development methodology. It does come with certain security risks.

One of the biggest safety risks in No-Code tools is the plugins and APIs that these tools use. It has to be mentioned, however, that dangerous APIs are not exclusive to No-Code or Low-Code development platforms; they can threaten traditionally developed software as well.

Pay attention when using external APIs that are not a part of the No-Code tool you are connecting them to. Since plugins and APIs are not necessarily put under the extensive testing that No-Code and Low-Code platforms have to go through, there might be inherent security risks.

Before completely integrating external APIs into your No-Code app, integrate a few procedural security measures into your development process: look for security problems with penetration tests or scanner tools, and use an OAuth-based API token exchange that has a functional refresh mechanism. Once an API is integrated, conceal it by setting up a proxy with extra authentication for good measure. These security best practices should take care of any problems APIs might cause.
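The proxy arrangement described above can be sketched as follows. This is an added example, not code from the article or from any of the platforms it covers; `ApiProxy`, `token_endpoint`, `upstream` and the secret values are hypothetical, and the OAuth provider and external API are injected as callables so the sketch runs offline.

```python
import hmac
import time

class ApiProxy:
    """Proxy between a no-code app and an external API (hypothetical names)."""

    def __init__(self, proxy_secret, refresh_token, token_endpoint, upstream,
                 clock=time.time):
        self._proxy_secret = proxy_secret.encode()
        self._refresh_token = refresh_token
        self._token_endpoint = token_endpoint  # callable(refresh_token) -> grant dict
        self._upstream = upstream              # callable(access_token, path) -> (status, body)
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    def _token(self, force=False):
        # Refresh on first use, 30 s before expiry, or when forced.
        if force or self._access_token is None or self._clock() >= self._expires_at - 30:
            grant = self._token_endpoint(self._refresh_token)
            self._access_token = grant["access_token"]
            self._expires_at = self._clock() + grant["expires_in"]
            # Honour refresh-token rotation if the provider returns a new one.
            self._refresh_token = grant.get("refresh_token", self._refresh_token)
        return self._access_token

    def handle(self, presented_secret, path):
        # Extra authentication: the app must prove itself to the proxy first.
        if not hmac.compare_digest(presented_secret.encode(), self._proxy_secret):
            return 401, "proxy authentication failed"
        status, body = self._upstream(self._token(), path)
        if status == 401:  # token rejected early: refresh once, retry once
            status, body = self._upstream(self._token(force=True), path)
        return status, body  # the OAuth tokens never reach the caller

def demo():
    """Constructed provider and clock so the example runs offline."""
    now, issued = [1000.0], []

    def token_endpoint(refresh_token):
        issued.append(f"at-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 300}

    def upstream(access_token, path):
        return (200, f"data for {path}") if access_token == issued[-1] else (401, "expired")

    proxy = ApiProxy("app-to-proxy-secret", "rt-1", token_endpoint, upstream, lambda: now[0])
    results = [proxy.handle("wrong", "/orders"), proxy.handle("app-to-proxy-secret", "/orders")]
    now[0] += 400  # past the 300 s lifetime, so the next call must refresh
    results.append(proxy.handle("app-to-proxy-secret", "/orders"))
    return results, issued
```

The no-code app only ever holds the proxy secret; the refresh token and access tokens stay on the proxy, so rotating or revoking them does not require touching the app.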

Security standards in popular platforms

All of the popular No-Code software vendors follow mainstream security and compliance certifications when it comes to data security. There is no need to worry about the code, frameworks, and workflows within the tools that you are using. The security of your data is always the number one priority of No-Code development platforms. Below we will dive deeper into the security of some of the most popular tools on the market.

Bubble.io

Bubble.io uses Amazon Web Services to host their platform, which is one of the most popular cloud hosting solutions on the planet. They definitely maintain reasonable security oversight, with certifications such as ISO 27001, SOC 2, CSA, and others.[4]

Talking about the platform itself, it does show an impressive degree of security awareness. It has integrated automated code testing, provides security controls to users, automatic activity logs of your app (including background activity), and data recovery. Bubble.io even provides a live test of their data encryption strength. Robust in-built security, flexibility, power, and abundance of plugins are the reasons why Bubble No-Code[5] is the preferred tool for many agencies in the niche.

Adalo

Adalo is a reasonably secure app development tool, although it is the least transparent out of the three when it comes to security measures. As of January 2020, the platform was only partially GDPR-compliant,[6] as it did not have servers in the EU territory and did not use the EU-US Privacy Shield. In other aspects such as data processing, transmission, right to be forgotten, storing & transmitting encrypted data, they were in compliance on said date.

In terms of general security, the app is using 'industry leading' encryption for data both when it is stored and transmitted, with additional safety measures for sensitive customer data like credit card information and passwords. However, at the time of the report, the platform did not offer two-factor authentication or Face ID capabilities in their apps.

Webflow

As a general rule, Webflow is a very secure platform, as evidenced by the substantial transparency they show in this regard.[7] For example, Webflow is compliant with SOC 2 and GDPR regulations, and its data is also hosted on the aforementioned AWS. In addition, the platform performs third-party pentests and offers two-factor authentication, single sign-on, and SSL data encryption. The No-Code development tool even offers its own tips on how to make your Webflow-based website safer.

Building a safe No-Code app

The only part where No-Code cannot ensure safety is in the actual apps that citizen developers build – without knowing proper software security practices, these users can unknowingly create security gaps in their own creations.

There are two main ways to solve this: either spend considerable time learning the principles of software security yourself through YouTube videos, webinars, and websites that educate on No-Code tools, or hire an agency that has professional developers and extensive experience in No-Code security to build your app.

No-Code tools like Bubble.io, Webflow, or Adalo are safe to use and employ best industry practices when it comes to data security. It is important for No-Code developers to not only learn all about the tool development but also the basics of software security in order to create a safe app that will keep their customers' personal information safe and protected from cyber-attacks.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
