Zero-code platforms? More like zero-clue platforms
Sometimes touted as “the future” of software development, zero-code platforms allow for complex software to be developed by non-coders.
They provide simple building blocks which can be “assembled” in a graphical environment, without any coding.
These platforms sometimes include the deployment aspect, turning them into solutions that manage multiple environments and allow for rapid development and release of incremental changes.
A good friend of mine has worked with this kind of platform for a while now and although I have never liked it (as I generally dislike things that take control away from me) I have learnt to appreciate some of its benefits.
Zero-code or visual development platforms are not too dissimilar from modern MVC frameworks. The big difference is that they take web application code abstraction much further than, say, Ruby on Rails or Laravel. These frameworks abstract a large chunk of code from the developers and therefore the quality of the final deployed code is dependent on the quality of the code in the framework.
In a nutshell these platforms are code generation (and operation management) tools. They can produce good code or bad code, secure or insecure code, efficient or slow code, bloated or nimble, all depending on what is built into the framework to start with.
The user does not normally get to see the code so it’s anyone’s guess whether it is any good (fast, secure, does what it was meant to — pick any two). There is an opacity layer that purposefully (on commercial platforms) or implicitly hides the final code that is executed when the application is used. In terms of quality this provides one of two outcomes:
- If the platform generates bad code, the user would not have a clue without testing it afterwards. Even if it is confirmed to be bad, the opacity layer prevents developers from fixing it because there is no access to the final code.
- If the platform generates good code, then the opposite happens – there are security benefits to it, because the same opacity layer ensures that the developers cannot reinvent the wheel and that each simple building block is consistent and implemented securely.
Lowest common denominator security
One of my pet hates about automation in such complex platforms is that more often than not, within the platform’s components, the pre-configured or recommended settings for interconnecting the various components converge to the lowest common denominator of security to ensure that everything works.
In conclusion, if a zero-code platform is done right, then I believe it has the potential of generating secure code that could be built up into secure complex applications out of the box. Square wheels will no longer be reinvented by developers (within reason) and the consistency of, for example, input validation could be guaranteed.
In my view, a zero-code platform cannot be used with the purpose of replacing a skilled development team. And there is that thick opacity layer that hides the end result and leaves the security team in the dark. Finding out whether the application is secure requires testing, just like any other application.