Low-Code/No-Code Comes With Conveniences, Concerns

How can organizations balance convenience and concerns with low/no-code development, all without sacrificing security?
Low-code and no-code applications and platforms are emerging as a response to many factors, including companies’ move towards digital transformation and the explosion of remote work that resulted from the pandemic.

According to Forrester Research, total spending on the category is forecast to hit $21.2 billion by 2022, a compound annual growth rate of roughly 40 percent. Despite the continued growth of this new market, it’s important to recognize that low-code/no-code development platforms come with both conveniences and concerns. One of the biggest benefits is higher application output, which promotes business agility by decreasing time to market and cost. On the flip side, there is an increased chance of vendor lock-in, fewer customization options and, most importantly, more security risk.

The other big differentiator when it comes to low-code/no-code development is the user base, which is composed of what’s been dubbed the “citizen developer.” Defined by Gartner as “an employee who creates application capabilities for consumption by themselves or others, using tools that are not actively forbidden by IT or business units,” citizen developers are not all business technologists, and thus don’t have the same skills as a seasoned software developer. That said, the types of applications citizen developers build with low/no-code are diverse: complete mobile applications, customer-facing mobile and web applications and front-ends, workflow applications, core business applications and more. With the technical barrier to entry low and the development possibilities endless, low-code/no-code development holds tremendous promise for shrinking time-to-market and lowering overall costs.

However, a key question remains: how can organizations balance convenience and concerns and increase application time-to-market with low/no-code development, all without sacrificing security?

The Conveniences

Digital business acceleration is putting pressure on IT leaders to dramatically increase application delivery speed and time to value, an area where low-code/no-code development offers significant benefits.

  • Application time-to-market: Low-code is revolutionizing the way businesses operate. Applications that usually took weeks or months to code and test can be created and deployed in a matter of days or, in some cases, hours. Developers are provided platforms that are 80 percent ready and don’t need to worry about deployment, scale or user experience. Concepts turn into realities faster, drastically reducing time-to-market.
  • Scale: Low-code development lowers the barrier to entry for app development, allowing organizations to innovate at scale. People with no coding experience whatsoever can become citizen developers and build low-code applications. Given the current tech talent shortage, this is a boon for organizations that lack the technical resources for more advanced application development. More resources at their fingertips and faster time-to-market also translate into significant cost savings. Essentially, low-code development lets organizations do more with less, in less time.

The Concerns

As with any emerging technology, low-code/no-code development introduces concerns that must be taken into consideration. After all, low-code does not mean low risk.

  • Security: The low barrier to entry for low-code development means that citizen developers may not be as tech-savvy and often may not realize that security isn’t already baked in. This in turn makes misconfiguration a common issue. For example, 38 million records were exposed due to a misconfiguration in Microsoft Power Apps, a popular platform for building low-code custom business apps. Bottom line: security and speed rarely go hand in hand, so it’s crucial that organizations take a beat and assess their risks before mistakes are made.
  • Integration: According to Sandy Carielli, analyst at Forrester, “Enterprises are adopting low-code development tools to build apps that touch sensitive corporate and customer data.” Given that low-code/no-code development often includes integration with an internal data source that can mistakenly expose sensitive information, citizen developers must carefully navigate and address these concerns or risk introducing yet more security issues.
  • Low-Code Lifecycle/Quality: Because low-code, and especially no-code, doesn’t usually follow the typical application development lifecycle, it’s easy to miss issues that could create major problems down the road. An unknowing citizen developer can introduce a bug that damages the entire user experience, and the organization might not be aware that such a small change could affect every employee or customer it has. Without a thorough lifecycle that includes testing, staging, reproduction and production, mistakes are easily made and quality takes the hit.

So What’s the Verdict?

Gartner predicts that by 2023, over 50 percent of medium to large enterprises will have adopted low-code as one of their strategic application platforms. While the low-code/no-code user base may not be developers or security professionals by trade, they should understand the security and other implications of the platforms and applications they’re using and creating. This market has emerged quickly and shows no signs of slowing, so it’s crucial to proceed with caution, especially given the profile of a citizen developer. After all, with great power comes great responsibility, and enterprises need to be aware of the risks introduced with any new technology.

Ori Bendet is VP of Product Management for Checkmarx. Ori brings more than 15 years of experience to his role. He is an experienced product leader who combines strong technical and go-to-market skills. Ori manages Checkmarx’s flagship SAST product, a Gartner and Forrester market-leading solution used by thousands of customers worldwide. Prior to Checkmarx, he held leadership and engineering positions at Time To Know, HPE, PicApp, and Bezeq.