Developers must consider low-code app security

Security is baked into most low-code development platforms, but developers still need to pay attention to security issues and test for vulnerabilities.

Beware the citizen developer?
The rise of citizen developers has underpinned the movement toward low-code/no-code platforms, but this population brings built-in security risks with it.

“[Low-code] sure makes things easier, but it’s putting a lot of power and responsibility in the hands of non-technical folks who may not always be doing things with the express written consent of the good folks in IT,” said Chris Gonsalves, an analyst at the 2112 Group. “Are vulnerabilities being introduced or compounded in low-code development? Maybe. Are policies being violated? Probably. Are we going to stop doing it? No way.”

Gonsalves said he believes it is too late to un-ring the bell on the democratization of appdev at this point.

“We’re not likely to make seasoned security professionals out of business-unit level developers,” he said. “Therefore, the onus is on the CTO and the CISO to make sure the framework and the environment are screwed down tight and firmly controlled by well-crafted security policies.”

Poorly executed citizen developer programs can expose enterprises to security risks, said Sheryl Koenigsberg, head of global product marketing at Mendix, a Boston-based low-code platform provider. “If people who don’t have the skill set or expertise around security are suddenly unleashed to create software without guardrails, then there can be issues with everything from data security to network exposure,” she said.

This issue is particularly acute when citizen developers are given the freedom to access low-code point products, or to purchase licenses outside the purview of IT.

“I’m not completely sold on low-code and no-code development being a boon to security, but it sure as heck can be a bane,” Gonsalves said. “In many places, it’s threatening to become the shadow IT of appdev.” …

by Darryl K. Taft,

> Read the entire article, Developers must consider low-code app security, at