Low Code No Code (LC/NC) is a divisive topic in the software development industry. While it’s not new technology – the roots of LC/NC platforms can be traced back to the 1980s – there has been a recent resurgence, with Gartner predicting that almost two-thirds (65%) of app development will utilise low code application platforms by 2024.
One of the primary reasons that LC/NC platforms have risen in popularity is that they enable people from a non-technical background to quickly create and deploy simplistic applications in-house, cutting the costs of hiring professional developers. Software is a rapidly developing industry, and as such, there’s a global shortage of qualified professionals to fulfil demand. But while LC/NC platforms open up software development to a wider user base, the implications for security are concerning.
In order to fully mitigate the risks of a vulnerability, security needs to be baked into every line of code. One of the main issues with LC/NC platforms is that the end-user cannot guarantee the quality of the code and whether it’s been written with security front of mind.
One of the main security concerns of LC/NC platforms is low visibility. In many cases, enterprises will not have visibility of the code and security controls that are put in place by the LC/NC vendors, meaning they need to rely on their existing security tools, which may not be suitable. Similarly, LC/NC platforms can have limitations on access control, which is a vital consideration at the implementation stage to ensure best practice is maintained.
There needs to be an onus on both the creators and the users of LC/NC platforms to ensure standards are met when it comes to security. Users cannot blindly trust the frameworks and assume by default that everything will work. It’s essential that users understand, from a security perspective, how the framework was designed and how it’s intended to work, as there may be consequences of oversimplification. Though low code no code platforms may be able to plug the developer shortage in the short term, they’ll never replace professional developers. Instead of investing time and resource into improving LC/NC platforms, we need to prioritise training and upskilling our IT and security teams to deliver best-practice, secure code throughout each stage of the build.