Securely extending and running low-code applications with C#

TL;DR

This paper explores methods to support citizen developers in low-code platforms by developing tools for code editing, static analysis, debugging, and version control, while also addressing security concerns through threat modeling and isolation techniques.

Contribution

It introduces a framework for building code editor extensions, demonstrates custom static analysis with Roslyn, and compares security options for low-code application deployment.

Findings

A framework for quick code editor extension development is created.

Custom static analysis rules for low-code platforms are implemented using Roslyn.

Security options like virtualization, sandboxing, and runtime security are evaluated.

Abstract

Low-code development platforms provide an accessible infrastructure for the creation of software by domain experts, also called "citizen developers", without the need for formal programming education. Development is facilitated through graphical user interfaces, although traditional programming can still be used to extend low-code applications, for example when external services or complex business logic needs to be implemented that cannot be realized with the features available on a platform. Since citizen developers are usually not specifically trained in software development, they require additional support when writing code, particularly with regard to security and advanced techniques like debugging or versioning. In this thesis, several options to assist developers of low-code applications are investigated and implemented. A framework to quickly build code editor extensions is developed, and an approach to leverage the Roslyn compiler platform to implement custom static code analysis rules for low-code development platforms using the .NET platform is demonstrated. Furthermore, a sample application showing how Roslyn can be used to build a simple, integrated debugging tool, as well as an abstraction of the version control system Git for easier usage by citizen developers, is implemented. Security is a critical aspect when low-code applications are deployed. To provide an overview over possible options to ensure the secure and isolated execution of low-code applications, a threat model is developed and used as the basis for a comparison between OS-level virtualization, sandboxing, and runtime code security implementations.