Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks.

The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few, if any, markets can expect to see such robust growth.

What is low- or no-code software? What’s driving the explosive growth in this sector? And what are the security risks?

What is low-code development?

Low-code platforms enable those with limited programming skills to become citizen developers. People can use intuitive graphical interfaces to create applications faster than conventional coding methods. This means non-technical staff can contribute.

At a recent VentureBeat Low-Code/No-Code Summit, brands of all sizes shared how they use low-code to improve and accelerate business processes. For example, no-code solutions can streamline application creation, enable real-time data analysis and automate manual, time-consuming workloads.

Low-code platforms popularity boom

It doesn’t take a master coder to understand the reasons why many companies choose to adopt low-code development. One survey showed that 41% of organizations are using a low- or no-code platform. Within these companies, 69% say professional IT staff use low-code tools. This means nearly a third of low-code users are non-IT team members busily creating software.

During 2020-2021, IT leaders have slashed development times. This increased demand for custom software led to the emergence of non-IT citizen developers. As a result, the low-code market expanded rapidly and will continue to grow by leaps and bounds. Gartner estimates that by 2024, low-code tools will be behind more than 65% of application development.

Starbucks embraced low-code

It’s not only bootstrap businesses that need low-code solutions. On the contrary, many of the biggest brands have pivoted to less technical solutions to meet their needs.

Starbucks chief digital and analytics officer Jonathan Francis says that he saw efficiency gains from low-code tools as the demand for remote solutions stretched IT to the limit. Low- and no-code platforms enabled Starbucks to digest a backlog of development tasks that normally would have taken far longer to finish.

“We need opportunities to scale quickly … You’ll never find enough data scientists,” Francis said. “We’re all competing for the same resources — we have limited budgets. So you have to start thinking about local solutions.”

Who’s guarding the gate?

While all this freewheeling app development may be great for innovation and productivity, the security officer is thinking, “If every Sally, Sam and Joe can conjure up apps across the enterprise, how am I going to secure it all?” Good question.

The good news is that security is built into many low-code platforms. Traditional application development doesn’t always take security into account. Or, someone puts it in place later. But with secure low-code platforms, governance and control are built-in before your people start tinkering. This means IT maintains and sets centralized control over access, automation and data assets.

Setting low-code rules

No matter how good the low-code tool is, there’s still a chance that employees will be tempted to create applications beyond the security radar. For this reason, built-in permissions go a long way in maintaining good governance.

It all begins with proper training for anyone who will dabble in low- or no-code projects. They need to understand that only approved low-code platforms are okay to use. Plus, educate and alert your people to the need for testing. At the end of the day, who gets access to what should be firmly established.

Now, let’s look at some other specific ways to manage low code security risks.

Play in the sandbox

If you put all your approved development resources in a sandbox, then citizen developers can play nice and avoid risk exposure. From there, clearly establish and manage data access and sharing.

Many low-code platforms provide this type of control at the virtual data layer. Some low-code platforms even come with regulation compliance built-in.

Runtime environment management

The runtime environment is where a certain program or application executes. It’s the hardware and software that supports the running of a certain codebase in real-time.

You can configure this to reveal data exposure and poorly applied security controls. These measures can help avoid business logic failure, such as posting sensitive data to a public location.

Other ways to harden low-code environments

Other ways to strengthen low-code environments include:

  • Static code analysis: Perform static analysis on any low-code platform-generated code and test for common errors.
  • Audit proprietary libraries and partners: Ask vendors about their security standards and examine proprietary libraries for potential risks. Does the vendor have a way to verify their security?
  • Secure the API layer: Test API connections regularly with an API scanner.

Trust no one, secure everything

Placed in the hands of non-IT staff, low-code tools are used to create even more applications. This further supports the notion of a perimeter-less architecture. We are in the midst of a boom of applications, APIs, devices, users and environments. This makes securing your network more challenging than ever.

Low-code is only part of a larger, more complex security conundrum. As a response, many organizations are adopting a zero trust approach.

A zero trust security model ensures data and resources are closed off by default. Access is granted on a least-privilege basis. Zero trust requires each and every connection to be verified according to your policies. Zero trust tools then authenticate and authorize every device, network flow and connection using AI-assisted contextual analysis from as many data sources as possible.

Low-code can quickly reshape the technical prowess of any organization. It democratizes development, accelerates innovation and boosts productivity. But to fully leverage the advantages of low-code, it must be secure.

More from Security Services

39% of MSPs report major setbacks when adapting to advanced security technologies

4 min read - SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools solutions. It also documents newly discovered risks and challenges in the industry.Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

How a new wave of deepfake-driven cyber crime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit. Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries. Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today