In the rapidly evolving digital landscape of Asia, low-code/no-code (LCNC) platforms have emerged as a game-changer for enterprises seeking to accelerate innovation amid developer shortages and intense market competition.
These platforms empower business users and citizen developers to rapidly create applications with minimal coding expertise, thereby democratising software development and enabling agility.
However, this acceleration introduces significant security risks, including inadequate access controls, unmanaged integrations, and shadow IT, which can bypass traditional compliance protocols.
For CIOs in Asia, it is critical to proactively embed security early in the LCNC development lifecycle, maintain visibility into decentralised development efforts, and balance governance with innovation to mitigate risks without stifling agility.
Acknowledging the risks, Jason Merrick, senior vice president of product at Tenable, emphasises that this surge in adoption brings with it significant security challenges that CIOs must address proactively.
“Low-code/no-code platforms are transforming how businesses innovate, especially in markets like Asia where speed and adaptability are crucial,” Merrick explains. “But with this speed comes complexity in security oversight. Organisations need to embed security early in the development lifecycle to avoid costly breaches and compliance failures.”
The security risks of LCNC platforms
The rapid proliferation of LCNC platforms has introduced a range of vulnerabilities that traditional IT security frameworks are often ill-equipped to handle.
According to the OWASP Low-Code/No-Code Top 10, the most common risks include account impersonation, authorisation misuse, data leakage, authentication failures, and security misconfiguration.
These risks are exacerbated by the decentralised nature of LCNC development, where business units often operate outside the purview of central IT governance.
For instance, account impersonation can occur when applications use shared credentials, making it challenging to distinguish between legitimate and malicious activity.
Similarly, misconfigured permissions can grant excessive access to sensitive data or functions, creating avenues for insider threats or external attacks. Data leakage is another critical concern, especially when integrations between multiple platforms inadvertently expose confidential information.
“One of the biggest risks we see is shadow IT — where departments build applications without IT’s knowledge or oversight. This creates blind spots in security monitoring and asset management, increasing the attack surface dramatically,” reiterates Merrick.
AI and automation: Double-edged swords
The integration of AI and automation into LCNC tools further complicates the security landscape. While AI accelerates development by automating repetitive tasks and enhancing intelligence, it also introduces new vectors for risk. Automated workflows can propagate misconfigurations or vulnerabilities at scale if not carefully governed.
“AI-driven automation is a powerful enabler but also a potential risk multiplier,” Merrick warns.
“CIOs must ensure that AI tools incorporate security checks and that developers understand their outputs. Automation should augment, not replace, human oversight.”
Why embedding security early is important
Leading analysts underscore the importance of shifting security left — embedding security considerations from the earliest stages of LCNC development. A 2025 Gartner report projects that by the end of the year, 70% of successful digital transformation initiatives will have integrated security protocols into their LCNC workflows, resulting in a 40% reduction in incident rates compared to those that do not.
Merrick concurs: “Security can no longer be an afterthought. It must be integrated into the very fabric of LCNC platforms and processes. This includes enforcing least privilege access, securing APIs, encrypting data in transit and at rest, and continuous monitoring.”
Balancing governance and innovation
One of the toughest challenges for CIOs and business leaders is striking a balance between governance and the need for innovation and speed. Overly restrictive policies risk stifling the agility that LCNC platforms promise, while lax controls can lead to compliance failures and data breaches.
“Governance frameworks must be flexible and adaptive,” Merrick advises. “We recommend a risk-based approach where critical applications undergo stringent controls, while less sensitive projects enjoy more freedom. Centralised visibility into all LCNC activities is key to striking this balance.”
Unique challenges and opportunities for Asia
Asia’s diverse regulatory environments and rapid digital adoption create a unique backdrop for LCNC security. Markets such as Hong Kong, Singapore, and Greater China are witnessing explosive growth in LCNC usage, driven by both startups and large enterprises. However, the region’s complex data privacy laws and rising cyber threats demand heightened vigilance.
A recent IDC report forecasts that by 2026, over 65% of Asian enterprises will have formalised LCNC security policies, up from just 30% in 2023, reflecting growing awareness and maturity in this space.
Practical recommendations for CIOs and leaders
Merrick offers actionable advice for leaders navigating LCNC risks:
- Implement Zero Trust principles: Limit access strictly on a need-to-know basis and continuously verify identities.
- Maintain comprehensive application inventories: Track all LCNC apps to prevent orphaned or unmonitored assets.
- Enforce secure configurations: Regularly audit platform settings and apply security patches promptly to maintain a safe environment.
- Educate citizen developers: Provide training on secure design principles and common pitfalls.
- Leverage security automation: Use tools that automatically scan for vulnerabilities and compliance violations in LCNC environments.
Looking ahead: LCNC in 2025 and beyond
The future of low-code/no-code is undeniably bright, with Forrester estimating that 87% of enterprise developers will use LCNC platforms for some of their work by 2028. Yet, as Merrick cautions, “The promise of LCNC can only be fully realised if security is baked in from day one. CIOs who master this will lead their organisations to sustainable digital success.”
Click on the PodChats player and hear Merrick discuss critical questions CIOs and business leaders need to address when adopting low-code/no-code.
- Define what low-code/no-code means to users and the application development team.
- Current State of Adoption: What is the current landscape of low-code/no-code adoption in Asia, and what trends are emerging?
- Security and Compliance: How do we ensure that LCNC platforms comply with relevant data protection and regulatory standards, and what access controls are in place to secure these environments?
- Embedding Security: How can security be integrated early in the LCNC development lifecycle to mitigate potential risks?
- Inventory Management: What processes should be established to maintain an up-to-date inventory of all LCNC applications and integrations, ensuring visibility and governance?
- Citizen Development Oversight: What visibility and monitoring tools are implemented to oversee decentralised citizen development and manage risks associated with shadow IT?
- Training and Incident Response: What training and support are provided to citizen developers on secure practices, and what incident response plans exist for vulnerabilities or breaches related to LCNC applications?
- Final advice: With technologies like AI and agentic AI, among other things, what is your advice for business leaders and the heads of development teams regarding LCNC adoption in 2025/2026?