
Seven assumptions to avoid when considering an enterprise low code platform

In the journey of digital transformation, the path to modernization could be a challenging one. When faced with technology modernization, dealing with legacy systems such as 5250-based, green screen applications, tightly coupled business logic, monolithic code base structures and limited knowledge of the application architecture, what choice do you have? You take a look at what’s trending in the market. You observe that there is an increase in the spending on enterprise low code technology (to the tune of $21.2 billion by 2022). Consequently, you decide to get on the bandwagon.

You choose a low code development platform and begin the process of modernizing your applications. Fast forward a few months and you realize that the easy-to-use, drag-and-drop feature is great for building a prototype, but the platform falls short in working out the intricacies of a serious enterprise application. You also realize that when you want to scale up, build more applications and increase the number of users, there is an additional cost. Added to that, you have a runtime dependency and the added cost of deployment on the infrastructure of your choice. These, among many other challenges, edge you towards a reality check and make you wonder: in the urgency to modernize and be competitive, was the low code development platform the right choice?

Every enterprise is keen to ride the low code wave, and in line with the modernization narrative, they should. The challenge arises when low code is adopted without learning about the ‘nuts and bolts’ of the platform and understanding how it fits their requirements. This is when a reality check occurs, when there is a glaring gap between expectations and reality. More often than not, the reality of technology modernization and digital transformation is different from what is expected. It’s a fact that while companies have reportedly spent $1.2 trillion on digital transformation in 2019, analysis indicates that just 1% of these efforts would actually achieve or exceed expectations.

Expectation Vs. Reality. Bridging the Gap When Adopting an Enterprise Low Code Platform

Assume nothing. Know what to expect to mitigate reality checks 

Before adopting an enterprise low code platform, it is important to take into account the expectations and requirements of different stakeholders. CIOs, CTOs, Application and IT Leaders expect that an investment in a low code platform must speed up time to market of application development and delivery, reduce operational costs, address the skills gap, bridge silos between users, developers and IT teams, ensure scalability, and promote growth. IT teams expect low code platforms to take the pressure off by enabling business users to build their own applications with minimal IT support, thereby giving them the bandwidth to innovate. Developers are a league of their own, and assume that they “tell” the platform what the application should be. Professional development teams expect low code platforms to automate time-consuming and mundane tasks of code generation, so that they can focus on developing application features that will provide differentiation and improve user / customer experience.

Taking into consideration these different expectations, let’s take a look at some of the assumptions that create the gap between expectations and reality, and what can be done to reduce it.

Assumption 1: The platform is built for enterprise-grade application development

  • Expectation – You assume or expect that all low code platforms are designed for professional developers. That the enterprise low code platform has the technology stack and architecture to help development teams build complex, enterprise-grade applications.
  • Reality – Not all low code platforms support professional application development. Most platforms are designed for citizen developers or business users who typically build prototype or shadow IT apps using template-driven UI.
  • What could be done to reduce the gap – Take into consideration the technology stack offered and the platform architecture to understand if it can support serious, enterprise-grade application development.

Assumption 2: Low code will replace coding

  • Expectation – With the promise of a WYSIWYG development environment and visual drag-and-drop application development, you expect that a low code development platform will replace manual coding.
  • Reality – Complex, enterprise-grade applications usually have intricate business logic. Building a rich application often requires developers to go native, and a certain degree of manual coding is needed to attend to the details of the application.
  • What could be done to reduce the gap – Low code is not about replacing manual coding; it is about optimizing the time of developers. When adopting a low code development platform, you need to maintain a balance between low code and high code. In this way you can shorten the time frame of time-intensive tasks such as testing and allow developers to focus on other intricacies of application development.

Assumption 3: The platform generates quality code and testing is not required

  • Expectation – You assume that as the code is auto-generated and not manual, there would be less chance of errors. You may also expect that the enterprise low code platform generates quality code and has built-in security and testing features, and that applications built on it would therefore function successfully.
  • Reality – Some applications built using low code fail to perform for several reasons, from coding or business logic errors and integration issues to security threats.
  • What could be done to reduce the gap – While the promise of low code is to build applications that would be functional and secure, you need to have a testing strategy in place. You need to ensure the platform has features across the development lifecycle to test applications for functionality and security. This would reduce the level of risk associated with implementation failures and security threats.

Assumption 4: The platform is scalable and supports increasing growth

  • Expectation – You assume that you can easily scale up to build an unlimited number of apps and support an increasing number of users at no additional cost.
  • Reality – When the time comes to build more applications, increase the number of users, or move to another development environment, you realize many low code platforms have an additional cost involved and do not have the capabilities for scaling up.
  • What could be done to reduce the gap – It is important to assess if the platform provides dev-time and run-time scalability and consider if the licensing model of the low code platform fits your scalability needs. While there are platforms where you need to pay to increase the number of users or applications you can develop, there are pricing models where you can choose to pay per developer. Therefore, identify your scalability needs first to make sure the licensing model is suitable.

Assumption 5: You are not locked in to the platform and can customize applications after migration

  • Expectation – In a situation when you need to migrate to another platform, you assume that the low-code provider can provide the assurance you will be able to generate the code and recompile applications.
  • Reality – While your application may run, do you know if you can make changes to the code or are you locked in to the platform? Is the code readable to customize applications? In situations of migration, generated code is usually algorithmically accurate, although the code is not readable by humans, making it difficult for developers to make any meaningful code modifications required.
  • What could be done to reduce the gap – Given the significant impact of applications on operations, anyone using a low code platform must check and test the code generated. Make sure the code generated is syntax-agnostic, readable and customizable; these are important factors in the long-term maintenance of applications.

Assumption 6: There is no runtime dependency and you are free to deploy on infra of your choice without separate cost for deployment.

  • Expectation – You expect end-to-end freedom in using the platform, from application development to deployment. You assume there is no runtime dependence and that you can deploy applications on infrastructure of choice, from containers, virtual machines to on-premise infrastructure.
  • Reality – While application development is free, many low code platforms have a separate cost for deployment and use in-house runtime engines. The applications built on the platform are deployed on select clouds and in their environments, making it a challenge to gain ownership of code and rebuild applications.
  • What could be done to reduce the gap – To minimize operational cost, ensure the low code platform has an open-source runtime engine, one that gives access to the runtime libraries used and allows developers to customize applications without being locked in to the platform.

Assumption 7: Underestimating the complexity of managing APIs during integration

  • Expectation – During the integration process, you expect the platform to provide developers with a visual approach to embed data elements directly into the application, connect to data sources, and even allow them to configure business logic and design data models inside the application.
  • Reality – This would probably work fine if your application is integrating with only a few other systems. The challenge arises when you have to integrate more than a dozen systems and manage APIs.
  • What could be done to reduce the gap – When you have to integrate several systems, it is best not to underestimate the complexity in managing APIs. What you need to understand is the type of documentation that the low code provider offers and how it would enable managing APIs in the long run.

Modernization, as a part of digital transformation, is an intensive affair. Through 2021, Gartner predicts that digital transformation projects by large and traditional enterprises will take twice as long and cost twice as much as anticipated. On the other hand, smaller and agile enterprises will be more successful in implementing modernization and digital transformation initiatives. Regardless of this prediction, enterprises, large and small alike, can still gain leverage by adopting emerging technology solutions such as low code: solutions that constantly evolve, adapt to the challenges of technology modernization and make the journey of digital transformation smooth sailing and successful.


How low code can help enterprises left-shift application security

Modern enterprise application needs have become intricate. They demand application development and deployment to be cloud-native, agile, scalable, and secure. The app ecosystem has become intertwined, and enterprise applications have become complex beasts, built on monolithic systems. The transformation continues. Modern application development is becoming more agile and scalable, and deployment of applications on the cloud is increasing. Application architecture is transforming from monolithic to microservice-oriented architecture. Developers and IT Ops are collaborating, giving rise to the culture of DevOps. With the increasing pressure for high performance, DevOps teams are urged to use more sophisticated technology and techniques.

Besides achieving agility and scalability, DevOps teams are also entrusted with achieving enterprise application security goals. App Security has become a high-priority goal and a shared responsibility. This is reflected in Gartner’s “Magic Quadrant for Application Security Testing, 2020” report, which notes a 50% increase in the number of end-user and client conversations about AST (Application Security Testing) tools and DevSecOps in 2020.

Embedding application security across the development cycle requires various levels of automated testing and the setting up of configurations at different stages of the application development and deployment process. Development teams are using container technology and microservices to “pull security” early into the DevOps process. In addition to application security, another trend highlighted in Gartner’s report is the increasing attention (of 65%) on container security.

While many enterprises are already running cloud-native, microservices-based, containerized applications in production, there are several challenges, from technology immaturity and a steep learning curve to the lack of operational expertise and know-how. What’s taking precedence today in high-performance development teams is shifting application security left, to earlier stages of development.

“Shift Left” App Security – The Guiding Force Behind High-Performance Development Teams

App Security has become a business imperative. In Forrester’s Report on “The Top Security Technology Trends To Watch, 2020”, integration of application security tools with the CI/CD pipeline is a major priority in 2020. Application security has become the primary focus of high-performance DevOps teams, and under the “left-shift application security” approach, security is a shared responsibility and is being implemented by developers. Moreover, with the rise of DevSecOps, the silos of application and infrastructure security are being bridged.

AppSec – The Primary Focus of DevOps in a Containerized Environment

DevOps teams not only have to mitigate operational issues related to performance, integrity, availability of containers in production environments, they also need to ensure security is embedded early in the DevOps process. With greater urgency to automate application security testing (AST) in the DevOps process, the attention of DevOps teams needs to be directed towards the integration of the CI/CD toolchain with application security tools such as software composition analysis (SCA), static application security testing (SAST), and container security.

When embracing the DevOps culture and migrating applications to the cloud in a containerized environment, security must be embedded across the development lifecycle. To ensure compliance of performance and resiliency, the focus needs to shift to service-level and container-specific monitoring. DevOps teams need to monitor applications within containers and across containers at a service level. “Pulling in” application security earlier into the development lifecycle would form the beginning of what is called DevSecOps.

DevSecOps – Breaking the Silo of Application and Infrastructure Security

The ‘mantra’ of DevSecOps is “shift left”, encouraging developers to move security from the right end of the development and delivery process to the left end (beginning). True to its abbreviation, DevSecOps – development, security, and operations – ensures the integration of security is automated across the lifecycle, from application design, testing, deployment, and delivery.

With the essence of DevSecOps being “software, safer, sooner”, it enables seamless integration of application and infrastructure security with the DevOps process. By allowing developers to address enterprise application security issues earlier before the application goes into production, it makes security issues easier to fix without disrupting the development cycle. Breaking the security silo, DevSecOps makes security a shared responsibility of IT Ops, security, and development teams.

Integrating security and testing across the development lifecycle may seem like a daunting challenge. However, there are emerging technologies and tools available to ensure security is pulled in early enough. Low code platforms give enterprises the leverage to embed security when developing cloud-native applications, managing containers, and adopting microservices-based architecture. To implement the practice of DevSecOps, low code gives the opportunity to address and improve application security across the development lifecycle.

The Window of Opportunity – How Low Code Enables Enterprises to “Shift Left” Application Security 

Low code platforms help enterprises by integrating application-level security features such as authorization, authentication, auditability, certification, performance monitoring, and security architecture across the application development lifecycle. By automating application-level security features, low code platforms ensure robust authorization and authentication systems that have built-in encryption and provide XSS and CSRF configurations to address security threats and vulnerabilities. To help developers configure security features when building applications, low code platforms provide fine-grained controls, built-in encryption options, comprehensive authentication and authorization processes, OWASP compliance support, and data protection.

While application development and deployment processes are transforming, so is application architecture, which is moving from monolithic legacy systems to microservices-based architecture. With microservices, there are many hands on deck. Enterprise applications are broken into smaller components, and many developers are working on different functionalities at various stages of the development cycle. At this time, when application architecture is transforming, security goals remain unchanged. In fact, the demands for enterprise application security are heightened and they need to be built into the development process. Low code platforms support microservices-based architecture and enable the “left-shift” of application security by allowing developers to configure security protocols, set privileges, and automate testing before the application goes into production. Moreover, as enterprises leverage next-generation app delivery tools such as container technology, low code platforms help to embrace containerization at scale without disruption in existing processes and without requiring the reskilling of existing resources.

Low code’s promise is that of “Zero Complexity” DevOps Automation. It ensures minimal disruption of existing development teams, enables on-premise and cloud deployments seamlessly, automates CI/CD processes, saves on security infrastructure costs, and enables DevOps teams to focus on core application needs.

If you think the “left-shift application security” principle of pulling security earlier into the DevOps process may slow down the speed of development, think again. There shouldn’t be a trade-off between accelerating application development and managing application security threats and fixing failures. Time-to-market and security goals can be achieved simultaneously if you manage the DevOps process using emerging application development and deployment tools. The window of opportunity here is to streamline processes, use a sophisticated technology stack, and utilize the next-gen technology that low code offers to nurture AppSec innovation across the development cycle.