Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks.

The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few, if any, markets can expect to see such robust growth.

What is low- or no-code software? What’s driving the explosive growth in this sector? And what are the security risks?

What Is Low-Code Development?

Low-code platforms enable those with limited programming skills to become citizen developers. People can use intuitive graphical interfaces to create applications faster than conventional coding methods. This means non-technical staff can contribute.

At a recent VentureBeat Low-Code/No-Code Summit, brands of all sizes shared how they use low-code to improve and accelerate business processes. For example, no-code solutions can streamline application creation, enable real-time data analysis and automate manual, time-consuming workloads.

Low-Code Platforms Popularity Boom

It doesn’t take a master coder to understand the reasons why many companies choose to adopt low-code development. One survey showed that 41% of organizations are using a low- or no-code platform. Within these companies, 69% say professional IT staff use low-code tools. This means nearly a third of low-code users are non-IT team members busily creating software.

During 2020-2021, IT leaders have slashed development times. This increased demand for custom software led to the emergence of non-IT citizen developers. As a result, the low-code market expanded rapidly and will continue to grow by leaps and bounds. Gartner estimates that by 2024, low-code tools will be behind more than 65% of application development.

Starbucks Embraced Low-Code

It’s not only bootstrap businesses that need low-code solutions. On the contrary, many of the biggest brands have pivoted to less technical solutions to meet their needs.

Starbucks chief digital and analytics officer Jonathan Francis says that he saw efficiency gains from low-code tools as the demand for remote solutions stretched IT to the limit. Low- and no-code platforms enabled Starbucks to digest a backlog of development tasks that normally would have taken far longer to finish.

“We need opportunities to scale quickly … You’ll never find enough data scientists,” Francis said. “We’re all competing for the same resources — we have limited budgets. So you have to start thinking about local solutions.”

Who’s Guarding the Gate?

While all this freewheeling app development may be great for innovation and productivity, the security officer is thinking, “If every Sally, Sam and Joe can conjure up apps across the enterprise, how am I going to secure it all?” Good question.

The good news is that security is built into many low-code platforms. Traditional application development doesn’t always take security into account. Or, someone puts it in place later. But with secure low-code platforms, governance and control are built-in before your people start tinkering. This means IT maintains and sets centralized control over access, automation and data assets.

Setting Low-Code Rules

No matter how good the low-code tool is, there’s still a chance that employees will be tempted to create applications beyond the security radar. For this reason, built-in permissions go a long way in maintaining good governance.

It all begins with proper training for anyone who will dabble in low- or no-code projects. They need to understand that only approved low-code platforms are okay to use. Plus, educate and alert your people to the need for testing. At the end of the day, who gets access to what should be firmly established.

Now, let’s look at some other specific ways to manage low code security risks.

Play in the Sandbox

If you put all your approved development resources in a sandbox, then citizen developers can play nice and avoid risk exposure. From there, clearly establish and manage data access and sharing.

Many low-code platforms provide this type of control at the virtual data layer. Some low-code platforms even come with regulation compliance built-in.

Runtime Environment Management

The runtime environment is where a certain program or application executes. It’s the hardware and software that supports the running of a certain codebase in real-time.

You can configure this to reveal data exposure and poorly applied security controls. These measures can help avoid business logic failure, such as posting sensitive data to a public location.

Other Ways to Harden Low-Code Environments

Other ways to strengthen low-code environments include:

  • Static code analysis: Perform static analysis on any low-code platform-generated code and test for common errors.
  • Audit proprietary libraries and partners: Ask vendors about their security standards and examine proprietary libraries for potential risks. Does the vendor have a way to verify their security?
  • Secure the API layer: Test API connections regularly with an API scanner.

Trust No One, Secure Everything

Placed in the hands of non-IT staff, low-code tools are used to create even more applications. This further supports the notion of a perimeter-less architecture. We are in the midst of a boom of applications, APIs, devices, users and environments. This makes securing your network more challenging than ever.

Low-code is only part of a larger, more complex security conundrum. As a response, many organizations are adopting a zero trust approach.

A zero trust security model ensures data and resources are closed off by default. Access is granted on a least-privilege basis. Zero trust requires each and every connection to be verified according to your policies. Zero trust tools then authenticate and authorize every device, network flow and connection using AI-assisted contextual analysis from as many data sources as possible.

Low-code can quickly reshape the technical prowess of any organization. It democratizes development, accelerates innovation and boosts productivity. But to fully leverage the advantages of low-code, it must be secure.

More from Mainframe

How Dangerous Is the Cyberattack Risk to Transportation?

4 min read - If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause…

4 min read

Starting From Scratch: How to Build a Small Business Cybersecurity Program

4 min read - When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

4 min read

A Journey in Organizational Resilience: Supply Chain and Third Parties

4 min read - The next stop on our journey focuses on those that you rely on: supply chains and third parties.  Working with external partners can be difficult. But, there is a silver lining. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience. You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or the vendor was just better at than you. In turn, there was…

4 min read

Cybersecurity Trends and Emerging Threats in 2021

4 min read - The year 2021 is finally here, bringing with it the promise of a brighter future — but a long road ahead. In this piece, we’ll dive into five cybersecurity trends that pose significant potential risk in 2021 and offer practical advice to help entities reduce overall risk. The first quarter of 2021 represents a cybersecurity crossroads. Business owners may be shifting staff back into the office and managing the risks and rewards of remote work at the same time. For malicious actors,…

4 min read