World Today News

Low-Code Security: How CIOs Can Mitigate Risks & Embrace DevSecOps

March 25, 2026 Rachel Kim – Technology Editor Technology

The Rise of Low-Code Platforms and the Growing Demand for Security Accountability

A researcher discovered an unsecured database belonging to Confidant Health, a telehealth provider, in August 2024, exposing over 120,000 files and 1.7 million activity logs. The breach stemmed from a misconfiguration within a low-code development environment, granting access to the database without password protection, highlighting a critical vulnerability as organizations increasingly adopt these platforms.

Chief Information Officers (CIOs) are facing mounting pressure to accelerate application delivery, empower non-technical users, reduce IT costs, and build business agility. Low-code/no-code (LCNC) platforms have emerged as a potential solution, promising to reduce reliance on traditional development teams and enable business users with limited coding skills to create applications. Gartner estimates that low-code development accounted for more than 70 percent of application development activity in 2025, a significant increase from 20 percent in 2020.

However, this rapid adoption introduces new security risks. The Confidant Health incident underscores the potential for citizen developers, lacking extensive security expertise, to inadvertently create vulnerabilities. The core issue isn’t the technology itself, but the potential for misconfiguration and a lack of robust security practices integrated into the development lifecycle.

To mitigate these risks, a fundamental shift in mindset is required. LCNC platforms must be operationalized as integral components of an enterprise’s IT ecosystem, subject to the same rigorous controls, security protocols, and compliance standards as traditional development environments. This begins with establishing clear policies governing platform usage, development standards, approval processes, and deployment procedures.

Selecting the right LCNC platform is crucial. Organizations must prioritize platforms that align with internal policies and relevant regulations. Maintaining detailed records of platform performance and application activity is also essential for auditing and forensic analysis. Many LCNC platforms now offer industry-specific applications designed to meet regulatory requirements.

Embedding Security into Low-Code Workflows

Integrating security checks throughout the entire development process – a DevSecOps approach – is paramount. This includes implementing policy-as-code templates for citizen developers, providing pre-approved building blocks for data access, integrations, and workflows. These templates not only accelerate development but also establish governance rules and act as guardrails to minimize risk. These guardrails can enforce security policies from the outset, evaluating code changes against defined standards, including API access scopes, restrictions on Personally Identifiable Information (PII) usage, and audit logging requirements.

Automated scanning of CI/CD pipelines for flaws or policy violations before deployment is another critical step. Modern DevOps platforms allow LCNC pipelines to incorporate static code analysis, vulnerability management, and dynamic testing. A shift-left approach to automated vulnerability scanning – utilizing Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) – enables low-code teams to receive immediate feedback on vulnerabilities with each build or release.

Runtime monitoring and zero-trust enforcement are also vital. These techniques provide oversight of changes and quality, addressing visibility gaps inherent in LCNC platforms, such as unknown API calls and privilege creep. Implementing least-privilege policies, session behavior analytics, and anomaly detection can help track issues across multiple applications and iterations, particularly as citizen developers frequently push updates.

Data Loss Prevention (DLP) measures are particularly essential for citizen development. Establishing rules on connector usage can prevent the unintentional creation of data exfiltration paths and accidental leakage of sensitive data, ensuring compliance with regulations like GDPR and HIPAA. Creating a pattern library of preventive measures, such as row-level security, data masking, and outbound flow filters, can empower citizen developers to build secure and compliant solutions.
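
The guardrail checks described above (API access scopes, PII restrictions, audit logging, connector rules) can be expressed as a policy-as-code gate that runs on every build. The following is an added example, not code from any low-code platform or from the article's sources; the manifest layout, field names, scope names and connector names are all hypothetical.

```python
# Policy values and the manifest layout are illustrative assumptions.
POLICY = {
    "allowed_scopes": {"patients.read", "appointments.read"},
    "pii_fields": {"ssn", "dob", "diagnosis"},
    "approved_outbound": {"internal-crm", "internal-warehouse"},
}

def evaluate(manifest, policy=POLICY):
    """Return a sorted list of (rule, detail) violations for one app manifest."""
    violations = []
    # API access scopes: anything outside the allow-list is rejected.
    for scope in manifest.get("api_scopes", []):
        if scope not in policy["allowed_scopes"]:
            violations.append(("scope", scope))
    # Audit logging must be enabled explicitly; a missing key fails closed.
    if manifest.get("audit_logging") is not True:
        violations.append(("audit", "audit_logging not enabled"))
    touches_pii = False
    for src in manifest.get("data_sources", []):
        # A data source with no authentication always fails (missing = none).
        if src.get("auth", "none") == "none":
            violations.append(("auth", src["name"]))
        masked = set(src.get("masked_fields", []))
        for field in src.get("fields", []):
            if field in policy["pii_fields"]:
                touches_pii = True
                if field not in masked:
                    violations.append(("pii", f"{src['name']}.{field}"))
    # DLP connector rule: an app that reads PII may only send to approved sinks.
    if touches_pii:
        for conn in manifest.get("outbound_connectors", []):
            if conn not in policy["approved_outbound"]:
                violations.append(("dlp", conn))
    return sorted(violations)

# Constructed sample manifests (not taken from any real platform or incident).
BAD_APP = {
    "api_scopes": ["patients.read", "admin.all"],
    "data_sources": [{"name": "sessions_db", "auth": "none",
                      "fields": ["dob", "notes"], "masked_fields": []}],
    "outbound_connectors": ["personal-email"],
}
GOOD_APP = {
    "api_scopes": ["patients.read"], "audit_logging": True,
    "data_sources": [{"name": "sessions_db", "auth": "oauth2",
                      "fields": ["dob", "notes"], "masked_fields": ["dob"]}],
    "outbound_connectors": ["internal-crm"],
}
if __name__ == "__main__":
    print(evaluate(BAD_APP), evaluate(GOOD_APP))
```

A pipeline step would fail the build whenever the returned list is non-empty, so an unauthenticated data source or an unmasked PII field is caught before deployment rather than after exposure.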

CIOs need to establish metrics that balance development velocity with security, such as deployment frequency without increased vulnerabilities, time-to-detect versus time-to-remediate, the occurrence of policy drifts, and the percentage of low-code assets covered by automated guardrails.

Low-code development must be governed with the same rigor as traditional coding. While speed and flexibility are essential in today’s rapidly evolving landscape, they cannot come at the expense of security. Allowing low-code environments to operate as ‘shadow IT’ or exempting them from code reviews, version controls, and auditability is unacceptable. If low-code teams build applications faster than they can be secured, they inevitably create dangerous blind spots.
