Security Challenges and Countermeasures in Low-Code/No-Code Development in the AI Era
Low-code development platforms have revolutionized how we build customized business solutions, whether applications, workflows, or intelligent tools. These innovations empower "citizen developers"—non-professional developers—with unprecedented flexibility in application development.
With the integration of artificial intelligence (AI), these tools have achieved a qualitative leap in capability. Low-code/no-code development emerged as a solution for organizations facing shortages of internal technical expertise and the dual challenges of skill and time required to build numerous applications and automations. Today, even citizen developers without formal technical training can effortlessly create, innovate, and implement AI-driven solutions through intuitive platforms and advanced generative AI technologies.
However, does this convenience come with sufficient security? In reality, it introduces a series of new security risks. Yet there is no need for excessive concern: security and efficiency need not be mutually exclusive. By adopting appropriate measures, organizations can ensure security while maintaining the high efficiency brought by business innovation.
I. The Transformation of IT and Security Teams' Roles
IT and security teams traditionally focus on identifying potential vulnerabilities by scanning and reviewing code. Their priorities include ensuring the security of software developed by programmers and conducting continuous post-deployment monitoring to detect anomalies or suspicious activities.
However, as low-code/no-code development gains traction, more employees are engaging in application and automation development, often bypassing traditional software development processes. Many lack professional software development backgrounds, and their applications frequently operate outside the oversight and control of security teams.
This shift has two key consequences: IT departments no longer govern all software development within organizations, and security teams face diminished visibility and control over development processes. In large organizations, professional development teams might build hundreds of applications annually. With low-code/no-code adoption, this number could skyrocket. Many new applications may evade adequate security scrutiny or monitoring, amplifying risks.
II. Emerging Security Risks
Key security risks associated with low-code/no-code development include:
- Absence of IT Oversight: Citizen developers operate outside IT governance, leading to reduced security visibility and untraceable "shadow applications." The ease of low-code/no-code tools enables rapid application creation, making it challenging for IT departments to track these activities comprehensively.
- Lack of Standardized Development Processes: The absence of a Software Development Life Cycle (SDLC) framework may result in inconsistent workflows, operational chaos, and accountability gaps, heightening security risks.
- Inexperienced Developers: Many application builders lack technical expertise, potentially overlooking security considerations and development risks. Vulnerabilities in widely used components could be exploited across multiple application instances.
- Ambiguous Permission Management: Poorly defined identity management may enable privilege misuse. Business users with insufficient permissions might borrow others' credentials, complicating audits and accountability.
- Code Traceability Challenges: Applications generated by low-code/no-code platforms lack scannable code for security analysis, reducing transparency, hindering troubleshooting/debugging, and raising compliance concerns.
These risks may lead to potential data breaches. Regardless of how an application is built—via drag-and-drop interfaces, text prompts, or code—it interacts with identities, accesses data, executes actions, and communicates with users. Data frequently traverses organizational boundaries, easily breaching data governance protocols.
Data privacy and compliance are also at risk. Sensitive data processed by business users unaware of proper storage protocols may result in compliance violations and other issues.
III. Addressing Security Blind Spots
As outlined above, a major challenge for IT and security teams in low-code/no-code environments is the lack of governance over development activities. Data flows between applications become untraceable, and details about application creators and functionalities remain opaque. Many organizations underestimate, or even overlook, how prevalent such development is, even though the platforms are in active use.
How can security leaders regain control and mitigate risks?
- Map Citizen Developer Activities: Identify and engage leaders of citizen developer initiatives. Security teams should prioritize support and collaboration—not restriction—through education and guidance.
- Establish Visibility: Build a comprehensive application inventory detailing creators, functionalities, and data interactions. This is critical for incident tracing and root cause analysis during security breaches.
- Implement Secure Development Frameworks: Develop policies and technical controls to guide secure development choices. Even professional developers may mishandle sensitive data; robust controls minimize errors.
- Balance Innovation and Security: Traditional coding has limitations in driving innovation amid market competition and time-to-market pressures. While low-code/no-code platforms democratize AI-driven solution development, security and innovation need not conflict. Security leaders must collaborate with business users to strike a balance.
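An added example, not from the original article: a minimal audit over an application inventory that flags three of the risks listed earlier (apps with no traceable owner, borrowed or shared credentials, and sensitive data leaving the organization). The record fields, app names, identities, and domains are constructed assumptions, not any platform's schema.

```python
from collections import defaultdict

# Constructed inventory records; the field names are assumptions for this example.
INVENTORY = [
    {"app": "expense-approvals", "creator": "alice", "runs_as": "alice",
     "destinations": ["corp.example"], "sensitive": True},
    {"app": "lead-export", "creator": "bob", "runs_as": "svc-sales",
     "destinations": ["corp.example", "mailer.example.net"], "sensitive": True},
    {"app": "hr-onboarding", "creator": "carol", "runs_as": "svc-sales",
     "destinations": ["corp.example"], "sensitive": True},
    {"app": "room-booking", "creator": None, "runs_as": "dave",
     "destinations": ["corp.example"], "sensitive": False},
]
INTERNAL_DOMAINS = {"corp.example"}  # constructed: domains inside the organization


def audit(inventory, internal=INTERNAL_DOMAINS):
    """Return {app name: [findings]} for apps that need security review."""
    # First pass: which creators rely on each runtime identity?
    creators_by_identity = defaultdict(set)
    for rec in inventory:
        if rec["creator"]:
            creators_by_identity[rec["runs_as"]].add(rec["creator"])

    findings = defaultdict(list)
    for rec in inventory:
        name = rec["app"]
        if not rec["creator"]:
            # Shadow application: nobody to trace an incident back to.
            findings[name].append("no-owner")
        elif rec["runs_as"] != rec["creator"]:
            # The app acts under someone else's credentials.
            findings[name].append("runs-as-other-identity")
        if len(creators_by_identity[rec["runs_as"]]) > 1:
            # One credential reused by several builders blurs accountability.
            findings[name].append("shared-identity")
        external = sorted(set(rec["destinations"]) - internal)
        if rec["sensitive"] and external:
            findings[name].append("sensitive-data-leaves-org:" + ",".join(external))
    return dict(findings)


if __name__ == "__main__":
    for app, issues in audit(INVENTORY).items():
        print(f"{app}: {', '.join(issues)}")
```
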
In conclusion, low-code/no-code development simplifies application creation but introduces security complexities. By fostering visibility, governance, and collaboration, organizations can harness its benefits while safeguarding against risks.