Today’s CIOs have multi-dimensional strategic goals to achieve, enhancing speed of delivery and time-to-market, empowering more non-tech users (especially as they confront a crippling shortage of developers and limited engineering capacity), reducing cost of IT operations and building business agility, scalability and responsiveness.
Low code/no code (LCNC) platforms are a powerful means to fulfil this wish list of a CIO. It reduces the dependency on the development of tale— business users with limited or no coding skills that can create value-delivering applications. The core technical team is now free to explore and engage in high-value initiatives that lead to innovation.
It is therefore not surprising that we see a surge in demand for LCNC development. According to Gartner, low-code development accounted for more than 70 percent of application development activity in 2025 (from 20 percent in 2020).
Yet, there is a nagging hurdle and a hidden risk. Can citizen developers, with their inadequate experience and expertise, amplify vulnerabilities, even if unintentionally? For example, an unsecured database belonging to Confidant Health, a telehealth provider, was discovered by a researcher in August, 2024. This exposed more than 120,000 files and 1.7 million activity logs thanks to a misconfiguration in low-code development that provided access to the database without password protection.
And so, here is the all-important question. How can CIOs address the security accountability of low-code developments so that it does not become a showstopper for democratization of innovation at speed and scale?
Low code through a DevSecOps lens
I firmly believe that a low-code platform must be operationalized as part of an enterprise’s IT ecosystem, so that the discipline of control, security and compliance are rigorously maintained as in traditional development environments.
This begins at the strategic planning level. Clear policies must be established for:
- How the low-code platform will be used
- What the development standards will be
- How the approval processes will flow
- What will be the procedures for deployment
This will enable the right choice of the low-code platform — one that complies with internal policies as well as necessary regulations and standards. For sustained performance and adherence to standards, detailed records of the platform’s (and its applications’) performance should also be maintained. Activities must be logged in a manner that supports auditing and forensic analyses. It is relevant to note that many LCNC platforms provide industry-specific build-on applications compliant with regulatory requirements.
Overall, it is a shift in mindset from governance as mere documentation to one embedded as best practices and controls. Security thus becomes a paved road for a continuous journey, and not just a gate to cross.
Embedding security controls within low-code workflows
Following DevSecOps principles (that of integrating security checks at every phase of development) can enable organizations to embed security in low-code environments. They include:
- Policy-as-code templates for citizen developers that include pre-approved building blocks for data access, integrations and workflows. Such templates not only enable speed but also define governance rules in the pipeline and act as guardrails to reduce risk. These guardrails can be configured to bake security and compliance requirements from the start so that every code and code change is evaluated very early against security policies. API access scopes, PII use restrictions, audit logging enforcement are some examples of such policies.
- Automated scanning of CI/CD pipelines for flaws or violations of policies and guidelines before the citizen developer moves to the next phase of development. Modern DevOps platforms allow low-code pipelines to incorporate static code analysis, vulnerability management and dynamic testing
- A shift-left approach to automated vulnerability scanning — static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA). This enables low-code teams to receive near-instant feedback on vulnerabilities on every build or release, which is vital. CIOs can track metrics such as vulnerabilities per release, remediation velocity, false positives, etc.
- Runtime monitoring and zero-trust enforcement that meticulously ensures oversight of changes and quality. This addresses issues of visibility gaps in low-code platforms — such as unknown API calls, privilege creeps, data flows — and prevents misconfigurations from becoming breaches. Techniques such as least-privilege policies, session behavior analytics and anomaly detection make it easier to track issues across many apps and iterations, especially when citizen developers frequently push updates.
- Data loss prevention (DLP) for citizen development. Due to inadequate security expertise among citizen developers, they unintentionally create data exfiltration paths. Such accidental leakage of sensitive data (PII, financial, IP) can be prevented by establishing rules on connector usage. This will ensure compliance (GDPR, HIPAA) and security, and mitigate risks such as shadow IT, data fragmentation and costly breaches, even as it enables rapid innovation. Creating a pattern library of preventive measures (such as row-level security, data masking, outbound flow filters) will empower citizen developers and make them responsible for innovating secure and compliant solutions.
DevSecOps playbooks for citizen developers can help secure the intake workflow for low-code teams, provide risk classification matrices for low-code apps, and offer compliance-as-code checklists, especially for regulated industries. CIOs also need to have in place firm metrics that balance velocity and security, such as:
- Deployment frequency without increases in vulnerabilities
- Time-to-detect vs. time-to-remediate in low-code environments
- Occurrence of policy drifts
- Percentage of low-code assets covered by automated guardrails
Low code or no code; they must be governed like any other code. Yes, today’s world of rapid transformation demands speed and flexibility, but certainly not at the cost of security. Low code cannot — and should not — be allowed to become a ‘shadow IT’. Neither can their environment be exempted from the rigor of code reviews, version controls and auditability.
Because here is an irrefutable truth. If low-code teams build apps faster than they can be secured, they also build dangerous blind spots. And no enterprise wants that.
This article is published as part of the Foundry Expert Contributor Network.