Industry Trends

Low-Code/No-Code Platforms: The Shadow Supply Chain in Your Organization

Citizen developers are building applications on low-code platforms faster than security teams can assess them. The supply chain risks are real and growing.

James
Application Security Architect
5 min read

Low-code and no-code platforms are eating enterprise software development. Gartner estimates that by 2025, 70% of new applications will use low-code or no-code technologies. Platforms like Microsoft Power Platform, Mendix, OutSystems, and Retool allow business users to build applications by dragging and dropping components, writing minimal code, and connecting to data sources through pre-built connectors.

From a productivity standpoint, this is transformative. From a supply chain security standpoint, it's a slow-motion crisis.

The Hidden Supply Chain

When a professional developer builds an application, the supply chain is at least partially visible. There's a package manifest listing dependencies, a container image with scannable layers, and a build pipeline that can be audited.

When a citizen developer builds an application on a low-code platform, the supply chain is almost entirely opaque.

Platform runtime dependencies. Every low-code application runs on a platform-provided runtime with its own dependency stack. The platform's web server, application framework, database drivers, and utility libraries are all part of your supply chain, but you have little or no visibility into them. You're trusting the platform vendor to manage hundreds or thousands of dependencies securely, and to tell you when one of them needs patching.

Third-party connectors and plugins. Low-code platforms have marketplaces full of connectors, templates, and plugins built by third parties. A citizen developer adding a "Salesforce connector" or "PDF generator" component is introducing third-party code into your application without any dependency review. These connectors often have their own dependencies, creating a nested supply chain.

Pre-built components. UI components, workflow templates, and business logic blocks are shared across the platform's user base. If a popular component has a vulnerability, every application using it is affected. The component's internal implementation is hidden behind a visual interface.

Data connectors as trust boundaries. When a low-code application connects to a database, API, or file system through a pre-built connector, the connector's code handles authentication, data transformation, and error handling. A vulnerability in the connector could expose credentials, leak data, or allow injection attacks, regardless of how carefully the application was visually designed.

The Governance Gap

In most organizations, there's a significant governance gap around low-code applications.

No code review process. Traditional development has pull requests, code reviews, and security scanning. Low-code applications bypass all of these. The "code" is a visual flow diagram stored in a platform-specific format (a Power Automate flow, for example, exports as a JSON definition inside a solution package) that standard SAST and SCA tools don't understand.

No dependency tracking. You can't run npm audit on a Power Automate flow. The dependencies are managed by the platform and its marketplace components, outside your control and often outside your visibility.

No SBOM generation. Low-code platforms don't produce SBOMs. The concept doesn't naturally apply to visual development, even though the resulting applications absolutely have software components with known vulnerabilities.

Distributed development responsibility. When "everyone is a developer," no one owns security. The citizen developer in marketing who built a customer data processing workflow doesn't think of themselves as someone who needs to worry about supply chain security. And the security team doesn't know the application exists.

Real Risks, Not Hypothetical

Connector vulnerabilities. In 2022, researchers found vulnerabilities in several popular Power Platform connectors that allowed data exfiltration and privilege escalation. Because a connector is shared by every application that uses it, a single vulnerability has platform-wide potential impact, and the application owners typically cannot patch it themselves.

Overprivileged automation. Low-code automation tools often request broad permissions to simplify setup. A Power Automate flow connecting to SharePoint might have access to all document libraries, not just the one it needs. On Power Platform a connection runs with the delegated permissions of the user who created it, so a flow built by someone with broad SharePoint access inherits all of that access. A compromised or buggy flow has an unnecessarily large blast radius.

Data leakage through integrations. Citizen developers frequently connect low-code apps to external services (Slack, email, cloud storage) without understanding the data flow implications. Customer data processed by a low-code application might transit through multiple third-party services, each with its own security posture.

Abandoned applications. Citizen developers build applications for immediate needs and often move on without maintaining them. These abandoned applications continue running on aging platform versions and outdated connectors, accumulating vulnerabilities with no one watching.

What Security Teams Should Do

Inventory low-code applications. Use platform admin tools to discover all applications built on low-code platforms in your organization. Most platforms provide admin interfaces that list applications, their creators, and their data connections; on Power Platform, the admin center and the Microsoft.PowerApps.Administration.PowerShell module (Get-AdminPowerApp, Get-AdminFlow, Get-AdminPowerAppConnection) expose this per environment. This inventory is the first step.

Classify by data sensitivity. Not all low-code applications need the same level of scrutiny. An application that displays the office lunch menu has different risk than one processing customer financial data. Classify applications by the sensitivity of the data they access and apply proportional controls.

Govern the marketplace. Restrict which third-party connectors and plugins can be used. Create an approved list based on security assessment of the connector publishers and their update practices. Power Platform implements this through data loss prevention (DLP) policies, which sort connectors into Business, Non-business, and Blocked groups and refuse to run a flow or app that mixes Business and Non-business connectors. This mirrors the dependency governance that traditional development teams practice.

Require review for sensitive applications. Any low-code application that accesses sensitive data, connects to production systems, or processes regulated information should go through a security review, even if it was built by a non-developer. The review might look different from a code review, focusing on data flows, permissions, and connector trust, but it needs to happen.
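The govern-the-marketplace and review steps above, together with the integration data-leakage risk described earlier, can be enforced mechanically against an exported flow definition. The following Python is an added example written for this article, not Safeguard.sh or Microsoft code. It walks the definition.actions tree of a Power Automate flow export, lists the connector each step binds to, checks them against an approved-connector allowlist, applies a Business / Non-business / Blocked grouping modelled on Power Platform DLP policy semantics, and flags any step that reads a restricted dataset when another step writes to a connector outside the Business group. The sample flow, the allowlist, the DLP groups, and the restricted site URL are all constructed for the example; the JSON field layout follows a real export, the content does not.

```python
import json
from dataclasses import dataclass, field

# Constructed sample export. The field layout (properties.definition.actions,
# inputs.host.apiId, nested "actions"/"else") follows a real flow export;
# names, site URL and channel are invented for the example.
SAMPLE_FLOW = json.loads(r'''{"properties": {
  "displayName": "Finance - post new invoices",
  "definition": {
    "triggers": {"When_an_item_is_created": {"type": "OpenApiConnectionWebhook",
      "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline",
                          "operationId": "GetOnNewItems"},
                 "parameters": {"dataset": "https://contoso.sharepoint.com/sites/Finance",
                                "table": "Invoices"}}}},
    "actions": {
      "Post_message": {"type": "OpenApiConnection",
        "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_slack",
                            "operationId": "PostMessage"},
                   "parameters": {"channel": "#ap-team"}}},
      "Condition": {"type": "If",
        "actions": {"Send_email": {"type": "OpenApiConnection",
          "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_gmail",
                              "operationId": "SendEmailV2"}}}},
        "else": {"actions": {}}}}}}}''')

# Governance inputs, assumed for the example; an organisation keeps its own.
APPROVED_CONNECTORS = {"shared_sharepointonline", "shared_office365", "shared_teams"}
# Grouping modelled on Power Platform DLP policies: a flow may not combine
# Business and NonBusiness connectors, and Blocked connectors are never allowed.
DLP_GROUPS = {"shared_sharepointonline": "Business", "shared_office365": "Business",
              "shared_teams": "Business", "shared_slack": "NonBusiness",
              "shared_gmail": "Blocked"}
# Data classification of source datasets (assumed).
RESTRICTED_DATASETS = {"https://contoso.sharepoint.com/sites/Finance"}


@dataclass
class Step:
    name: str        # action or trigger name in the definition
    connector: str   # e.g. "shared_slack"
    operation: str   # operationId, e.g. "PostMessage"
    parameters: dict


@dataclass
class Review:
    flow_name: str
    steps: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    verdict: str = "allow"   # allow | review | block


def _walk(actions: dict, out: list) -> None:
    """Collect connector-bound steps, descending into control-flow blocks."""
    for name, node in actions.items():
        if node.get("type", "").startswith("OpenApiConnection"):
            host = node["inputs"]["host"]
            out.append(Step(name, host["apiId"].rsplit("/", 1)[-1],
                            host.get("operationId", ""),
                            node["inputs"].get("parameters", {})))
        # If/Scope/Foreach/Until nest "actions"; If has "else"; Switch has "cases"/"default".
        _walk(node.get("actions", {}), out)
        _walk(node.get("else", {}).get("actions", {}), out)
        for case in node.get("cases", {}).values():
            _walk(case.get("actions", {}), out)
        _walk(node.get("default", {}).get("actions", {}), out)


def connected_steps(flow: dict) -> list:
    defn = flow["properties"]["definition"]
    out: list = []
    _walk(defn.get("triggers", {}), out)
    _walk(defn.get("actions", {}), out)
    return out


def review_flow(flow: dict) -> Review:
    rev = Review(flow["properties"]["displayName"], connected_steps(flow))
    used = {s.connector for s in rev.steps}
    groups = {DLP_GROUPS.get(c, "Blocked") for c in used}   # unknown connector = Blocked

    for c in sorted(used - APPROVED_CONNECTORS):
        rev.findings.append(f"unapproved connector: {c}")
    for c in sorted(c for c in used if DLP_GROUPS.get(c, "Blocked") == "Blocked"):
        rev.findings.append(f"blocked connector: {c}")
    mixed = {"Business", "NonBusiness"} <= groups
    if mixed:
        rev.findings.append("DLP violation: Business and NonBusiness connectors in one flow")

    # Data-flow check: a step reading a restricted dataset plus any step on a
    # connector outside the Business group means restricted data can leave.
    sources = [s for s in rev.steps if s.parameters.get("dataset") in RESTRICTED_DATASETS]
    sinks = [s for s in rev.steps if DLP_GROUPS.get(s.connector) != "Business"]
    for src in sources:
        for sink in sinks:
            rev.findings.append(f"restricted data from {src.parameters['dataset']} "
                                f"reaches {sink.connector}.{sink.operation} ({sink.name})")

    if mixed or "Blocked" in groups:
        rev.verdict = "block"
    elif rev.findings:
        rev.verdict = "review"
    return rev


if __name__ == "__main__":
    r = review_flow(SAMPLE_FLOW)
    print(f"{r.flow_name}: {r.verdict}")
    for f in r.findings:
        print("  -", f)
```

Run against the sample, the flow is blocked: Gmail is in the Blocked group, SharePoint (Business) is combined with Slack (Non-business), and the Finance list feeds both external sinks. A connector absent from the DLP table is treated as Blocked on purpose; failing closed is the only safe default when a citizen developer adds a marketplace connector nobody has assessed. The same walker can be pointed at every definition.json in a solution export to build the inventory and review queue the earlier steps describe.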

Monitor continuously. Low-code platforms that provide API access for monitoring should be integrated with your security operations. Track who creates applications, what data they access, and what external connections they make; Power Platform, for example, writes Power Apps and Power Automate activity to the Microsoft 365 unified audit log, which can be forwarded to a SIEM. Treat low-code platforms like any other development environment in your security monitoring.

How Safeguard.sh Helps

Safeguard.sh helps organizations extend supply chain governance to low-code environments by providing a centralized platform where security teams can track all software components, including those generated by low-code platforms. While low-code platforms themselves may not produce standard SBOMs, Safeguard.sh can maintain inventories of platform versions, approved connectors, and known component dependencies at the platform level.

Policy gates in Safeguard.sh can enforce standards for low-code deployments: approved platform versions, permitted connector lists, and mandatory data classification reviews. By integrating low-code application governance into the same supply chain management platform used for traditional development, Safeguard.sh ensures that the shadow supply chain doesn't remain in the shadows.
