Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks.

The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few, if any, markets can expect to see such robust growth.

What is low- or no-code software? What’s driving the explosive growth in this sector? And what are the security risks?

What is low-code development?

Low-code platforms enable those with limited programming skills to become citizen developers. People can use intuitive graphical interfaces to create applications faster than conventional coding methods. This means non-technical staff can contribute.

At a recent VentureBeat Low-Code/No-Code Summit, brands of all sizes shared how they use low-code to improve and accelerate business processes. For example, no-code solutions can streamline application creation, enable real-time data analysis and automate manual, time-consuming workloads.

Low-code platforms popularity boom

It doesn’t take a master coder to understand the reasons why many companies choose to adopt low-code development. One survey showed that 41% of organizations are using a low- or no-code platform. Within these companies, 69% say professional IT staff use low-code tools. This means nearly a third of low-code users are non-IT team members busily creating software.

During 2020-2021, IT leaders slashed development times. The increased demand for custom software led to the emergence of non-IT citizen developers. As a result, the low-code market expanded rapidly and will continue to grow by leaps and bounds. Gartner estimates that by 2024, low-code tools will be behind more than 65% of application development.

Starbucks embraced low-code

It’s not only bootstrap businesses that need low-code solutions. On the contrary, many of the biggest brands have pivoted to less technical solutions to meet their needs.

Starbucks chief digital and analytics officer Jonathan Francis says that he saw efficiency gains from low-code tools as the demand for remote solutions stretched IT to the limit. Low- and no-code platforms enabled Starbucks to digest a backlog of development tasks that normally would have taken far longer to finish.

“We need opportunities to scale quickly … You’ll never find enough data scientists,” Francis said. “We’re all competing for the same resources — we have limited budgets. So you have to start thinking about local solutions.”

Who’s guarding the gate?

While all this freewheeling app development may be great for innovation and productivity, the security officer is thinking, “If every Sally, Sam and Joe can conjure up apps across the enterprise, how am I going to secure it all?” Good question.

The good news is that security is built into many low-code platforms. Traditional application development doesn’t always take security into account from the start; often someone bolts it on later. But with secure low-code platforms, governance and control are built in before your people start tinkering. This means IT sets and maintains centralized control over access, automation and data assets.

Setting low-code rules

No matter how good the low-code tool is, there’s still a chance that employees will be tempted to create applications beyond the security radar. For this reason, built-in permissions go a long way in maintaining good governance.

It all begins with proper training for anyone who will dabble in low- or no-code projects. They need to understand that only approved low-code platforms are okay to use. Plus, educate and alert your people to the need for testing. At the end of the day, who gets access to what should be firmly established.

Now, let’s look at some other specific ways to manage low code security risks.

Play in the sandbox

If you put all your approved development resources in a sandbox, then citizen developers can play nice and avoid risk exposure. From there, clearly establish and manage data access and sharing.

Many low-code platforms provide this type of control at the virtual data layer. Some low-code platforms even come with regulation compliance built-in.

Runtime environment management

The runtime environment is where a program or application executes: the hardware and software that support running a given codebase in real time.

You can instrument it to reveal data exposure and poorly applied security controls. These measures can help catch business logic failures, such as posting sensitive data to a public location.

Other ways to harden low-code environments

Other ways to strengthen low-code environments include:

  • Static code analysis: Perform static analysis on any low-code platform-generated code and test for common errors.
  • Audit proprietary libraries and partners: Ask vendors about their security standards and examine proprietary libraries for potential risks. Does the vendor have a way to verify their security?
  • Secure the API layer: Test API connections regularly with an API scanner.
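As an added example (not code from this article or from any low-code vendor), the following Python check applies two of the ideas above, default-deny access to data assets and detection of sensitive data flowing to a public location, to a constructed app definition. The manifest layout, classification labels, owner and connector names are all assumptions made for the illustration.

```python
"""Governance check over a low-code app definition (constructed example)."""

# Constructed app manifest; the shape is hypothetical, not any vendor's export format.
APP = {
    "name": "expense-report",
    "owner": "citizen-dev-sally",
    "data_sources": [
        {"id": "hr_salaries", "classification": "sensitive"},
        {"id": "office_locations", "classification": "internal"},
    ],
    "connectors": [
        {"id": "teams_public_channel", "visibility": "public"},
        {"id": "finance_sharepoint", "visibility": "internal"},
    ],
    "flows": [
        {"from": "hr_salaries", "to": "teams_public_channel"},
        {"from": "office_locations", "to": "finance_sharepoint"},
        {"from": "hr_salaries", "to": "finance_sharepoint"},
    ],
}

# Access IT has explicitly approved as (owner, data_source) pairs.
# Anything not listed here is denied: closed off by default.
APPROVED_ACCESS = {("citizen-dev-sally", "office_locations")}


def check_app(app, approved):
    """Return a list of findings; an empty list means the app passes the check."""
    findings = []
    sources = {s["id"]: s["classification"] for s in app["data_sources"]}
    sinks = {c["id"]: c["visibility"] for c in app["connectors"]}

    # Default deny: every data source the app touches needs an approval entry.
    for src in sources:
        if (app["owner"], src) not in approved:
            findings.append(f"DENY: {app['owner']} has no approved access to {src}")

    # Business-logic check: sensitive data must never flow to a public sink.
    for flow in app["flows"]:
        cls, vis = sources.get(flow["from"]), sinks.get(flow["to"])
        if cls is None or vis is None:
            findings.append(f"UNDECLARED: flow {flow['from']} -> {flow['to']} uses an unknown asset")
        elif cls == "sensitive" and vis == "public":
            findings.append(f"EXPOSURE: sensitive {flow['from']} flows to public {flow['to']}")
    return findings


if __name__ == "__main__":
    for line in check_app(APP, APPROVED_ACCESS):
        print(line)
```

Run against the constructed manifest it reports one denied data source and one sensitive-to-public flow; widening APPROVED_ACCESS clears the denial but not the exposure.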

Trust no one, secure everything

Placed in the hands of non-IT staff, low-code tools are used to create even more applications. This further supports the notion of a perimeter-less architecture. We are in the midst of a boom of applications, APIs, devices, users and environments. This makes securing your network more challenging than ever.

Low-code is only part of a larger, more complex security conundrum. As a response, many organizations are adopting a zero trust approach.

A zero trust security model ensures data and resources are closed off by default. Access is granted on a least-privilege basis. Zero trust requires each and every connection to be verified according to your policies. Zero trust tools then authenticate and authorize every device, network flow and connection using AI-assisted contextual analysis from as many data sources as possible.

Low-code can quickly reshape the technical prowess of any organization. It democratizes development, accelerates innovation and boosts productivity. But to fully leverage the advantages of low-code, it must be secure.
