Should You Trust Low Code/No Code for Mission-Critical Applications?

The use of low code and no code is growing as organizations attempt to deliver value faster. Before putting too much at stake, think carefully about what you're doing.

Lisa Morgan, Freelance Writer

July 29, 2021


More enterprises now understand the value of low code and no code, though the differences between those product categories are worth considering. Low code is aimed at developers and power users. No code targets non-developers working in lines of business. The central idea is to get to market faster than is possible with traditional application development.

The no-code audience is excited about improving the efficiency of tasks, workflows and processes using a visual interface to build simple applications versus waiting for IT to do it. This is fine at the group level, but not every platform may be able to support the evolving needs of the group or the company. When a platform doesn't scale well or its capabilities are too limited, the entire application may have to be rebuilt from scratch because there are no command-line options.

Professional developers use low code to construct much of an application that does not require custom code. Then the custom portion is created on a command line, which happens to be a second window developers can open in low-code platforms.

This command-line functionality provides two benefits. The first is the transparency of code, which means developers can see the actual code and make changes to it. Second, if a power user has created an application that is growing beyond a non-developer's capabilities, they can hand the project to developers who can add the enhancements or make changes to the application.


Low-code platforms tend to be integrated with integrated development environments (IDEs) and other things, so developers have considerable flexibility.

But don't be fooled. There are variances among low-code platforms and variances among no-code platforms. The wise organization will consider its current and future requirements and will select a partner accordingly.

One important consideration is, should organizations use low-code or no-code to build mission-critical applications? Since platform capabilities vary, the correct answer is "It depends."

Why to Avoid Building an Application in Low Code or No Code

Developers initially rejected the idea of low code on the basis that they were "toys" a serious developer wouldn't use. There was also considerable skepticism about a low-code platform matching a developer's coding prowess. However, as software release cycles continue to shrink, developers are now viewing low code as a means of accelerating what they're doing. If the majority of an application's functionality can be built visually, why not do it? One reason is that it may not be necessary.

"If your team needs to develop some sort of enhancement to an existing set of systems, a low-code platform can provide a bridge to doing that. It's really powerful, especially when the tools allow you to go down in the guts," said Blair Hanley Frank, principal analyst at technology research and advisory firm ISG. "At the same time, you're taking on a risk as an enterprise because the deeper these systems go, the more central they are to business processes and the more reliant you are on the ongoing licensing and maintenance of these systems to keep the core parts of the business going."

In some cases, it makes a lot of sense to use low code, but not always. In Frank's experience, an individual enterprise's requirements tend to be less unique than the company believes and therefore it may be wiser to purchase off-the-shelf software that includes maintenance. For example, why build a CRM system when Salesforce offers a powerful one? In addition, Salesforce employs more developers than most enterprises.


About six years ago, Bruce Buttles, digital channels director at health insurance company Humana, was of the opinion that low code/no code systems "weren't there yet," but he was ultimately proven wrong.

"I looked at them and spent about three months building what would be our core product, four or five different ways using different platforms. I was the biggest skeptic," said Buttles. "My criteria was simple: Whoever wins the battle is the one left standing that I can't break."

Now the company has a total of seven applications, all built with OutSystems' low code. The first one enables the 40,000 independent insurance agents selling Medicare plans to get early access to the information they'll need to help their clients since Medicare policies change every year. Traditionally, those insurance agents have received entire libraries of PDFs.

Buttles reframed the problem, thinking in terms of an application versus PDFs, but he didn't think low code was the right tool because the audience was 40,000 agents, which meant the platform had to be scalable. He was also concerned about the complexity of the data.

For the first time in the company's history, his team aggregated three core datasets. The first dataset was plan information from 12 different back-end systems. The second dataset contained information about Humana's 1,500 agents, their headshots, markets, and regional maps. The third dataset was all the plan information in the networks related to Humana's plans. Using traditional application development, he was given an eight-month window and a price which he declined to share. With low code, he built the application in eight weeks at a quarter of the originally quoted cost.


"I said, 'Let's go,' because we had no other alternative. Eight months could easily turn into 12 and when you add up the dollars and the timeline, it became prohibitive. The company couldn't afford it," said Buttles. "I wouldn't blame anyone for being skeptical about this. I wouldn't believe it if I hadn't lived it myself."

Five years later, COVID-19 hit. By that time, Buttles' team had built a Pharmacy Finder application and was in the process of building a Provider Finder application. However, the call center was spiking with calls about how to find a COVID testing site. Worse, the call center was using a giant spreadsheet to answer questions. Not surprisingly, that wasn't working too well.

Buttles' team leveraged the work they were doing on the Provider Finder to replace the spreadsheet with an application that could save the call center time and frustration. Moreover, Humana members could simply go to the Humana website and quickly find a COVID testing location, circumventing the call center. The application was built in four weeks versus the six to nine months Buttles estimated it would take to build it the traditional way.

"I was like, we need to build a big back office. To build it we needed 10 or a dozen people who are constantly out there, combing the Internet, combing through call logs. We basically became an advocate for testing locations throughout the whole country by adding this back office," Buttles said.

Security Matters

Enterprise-grade platforms address security, privacy, and governance, which are basic enterprise requirements. In today's evolving cybersecurity threat landscape, which is morphing from single company breaches to supply chain attacks, low-code or no-code platform security is a must.

"Most large IT organizations are clearly using some low-code/no-code model today but they're going through some pretty large learnings," said Stephen Elliott, program vice president, management software and DevOps at IDC. "They're realizing this could be a viable model, but we better have guardrails for security, governance, and usage."

IDC advises large enterprises to invest in planning and strategy when a company is thinking about mission-critical applications. In addition to pondering the business outcomes or the business relevance of the application, enterprises should also consider security, governance, compliance, and audit.

"Security should be a conversation for every product or project, and then it becomes what are the layers? What is the right strategy? What are the right tools, processes and people?" said Elliott. "I think the smart organizations are really addressing security as the key theme."

Obviously, don't overlook data security and privacy given GDPR and CCPA.


"The data you're dealing with is probably at least as important as the platform you're running on," said Randy Potter, chief architect at global consulting firm Capgemini Americas. "If you look at the big providers, they're very attuned to security concerns, so you can potentially ride on the backs of their coattails and leverage what they're doing on the security side of things. I do think you have to be extremely cautious about visibility and transparency -- lifting the hood and looking underneath to be able to make specific customizations as well as tracing and monitoring."

Still, bad actors never sleep. They're constantly dreaming up new ways of compromising applications and platforms. This requires the platform vendors to be vigilant and proactive about their own platform's security as well as the security of the applications built with the platform. For example, Humana's Buttles said, OutSystems will point out problems in code and will even go as far as blocking a deployment to ensure code quality and security.

However, if a bad actor did infiltrate one of the low-code/no-code platforms, how might they do it?

"There's two scenarios here: You create an app that exposes too much data so that app is vulnerable to data leakage, although the bigger risk is where a bad actor discovers a problem in the platform itself," said Matias Madou, CTO at leading secure coding platform, Secure Code Warrior. "If you're a developer, you're under pressure to crank out functionality so I think a better way forward is thinking more proactively about quality, [including] the security aspects."

In addition, enterprises shouldn't be shy about telling low-code/no-code platform vendors what their security requirements are, Madou said.

"I think quite often we're building code on top of code to protect code, but ultimately, we have to ask why the code is broken in the first place," said Madou. "Let's make sure the developer knows what he's doing so the next line of code can be developed with security in mind, with quality in mind, with everything in mind so there are fewer problems down the road."


About the Author(s)

Lisa Morgan

Freelance Writer

Lisa Morgan is a freelance writer who covers business and IT strategy and emerging technology for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include big data, mobility, enterprise software, the cloud, software development, and emerging cultural issues affecting the C-suite.
