Citizen Development Moves Too Fast for Its Own Good
While low-code/no-code tools can speed up application development, sometimes it's worth taking a slower approach for a safer product.
Michael Bargury, CTO & Co-Founder, Zenity
December 16, 2024
3 Min Read
COMMENTARY
Say you're working on an important financial report for your company, with a strict deadline. You need to share it with external financial advisers, but security restrictions are preventing you from adding them directly. You grab the report, open your personal email, upload the report — and just before you hit send, you realize this is probably not a wise decision. You delete your draft.
I'm sure you can think of many other examples where you got into a similar situation in the heat of the moment; hopefully you bumped into a security guardrail that made you think twice. Sometimes some friction is needed to slow us down and get us to rethink.
Low-Code/No-Code Makes Things Too Easy
Business units canât wait around for IT and development units to get to their items on an ever-growing backlog. Low-code/no-code platforms have really made a difference in large enterprises in the past few years, and generative artificial intelligence has turbocharged this trend. Nontechnical users are empowered to create applications by describing them to a chatbot that does everything from generate the database to the user interface. They are also creating automations to streamline business processes, either by chatting with a chatbot or using drag-and-drop. This is all happening at the heart of the enterprise and is wonderful for productivity.
Security controls provided by low-code/no-code platforms typically focus on the point that an application inherits its user's permissions. That means that, theoretically, a user could manually do everything the application or automation does on their behalf. So what's the problem?
People are not robots. We don't move the same amount of data, we are not consistent when we do something again and again, and — most importantly — we have common sense. A human can understand that sharing a financial report externally is not a good idea, while sharing nonsensitive files might be all right. But if an automation is set up to sync data between you and your external vendors, with the intent of sharing nonsensitive files, no one is going to be there to flag it or second-guess when sensitive files are also transferred unintentionally.
You could say that the person who created the automation should have thought about it, and you're right. But that requires them to stop and think. If you can create an automation by talking to a chatbot, then you quickly get into a situation where you're creating automations left and right without fully thinking through the consequences. Low-code/no-code platforms are lowering the bar to be creative within the enterprise, which is wonderful but also dangerous.
Tapping the Brakes, Not Taking the Keys
Some friction could make all the difference in the world, if carefully used. Allowing citizen developers to create automations and applications is great, but perhaps if there are external data sources or vendors, somebody needs to take a second look. Low-code/no-code doesn't really follow the software development life cycle process, but notifying the security team or center of excellence for selective reviews where it matters is feasible. We must be careful not to add too much friction, however, or we'll lose the productivity benefits that citizen development brings — or people are going to find ways around our controls.
To hit the right balance, we should let citizen developers build freely but intervene where needed. We should set up automated guardrails that catch when developers go outside of our approved risk zone and intervene — even if just by nudging them to stop and rethink.
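One way to implement the selective review described above, as an added example that is not part of the original article: a small Python guardrail that classifies a low-code automation as allowed, nudged, or routed to the security team based on whether it writes to an external connector and which data labels flow into it. The connector names, classification labels and sample flows are constructed assumptions for illustration, not any platform's real schema.

```python
from dataclasses import dataclass, field

# Assumed vocabulary (not from any real platform): connectors that move data
# out of the tenant, and classification labels treated as sensitive.
EXTERNAL_CONNECTORS = {"smtp", "dropbox", "external-sharepoint", "http-webhook"}
SENSITIVE_LABELS = {"confidential", "financial", "pii"}


@dataclass
class Step:
    connector: str                            # e.g. "sharepoint" or "dropbox"
    labels: set = field(default_factory=set)  # labels on the data this step reads
    reads: bool = False
    writes: bool = False


@dataclass
class Automation:
    name: str
    owner: str
    steps: list


def classify(automation):
    """Return (decision, reasons) where decision is 'allow', 'nudge' or 'review'.

    Flows that never write to an external connector stay inside the approved
    risk zone and pass silently. Flows that do are routed for review when the
    source data is sensitive or has no label at all (unknown sensitivity), and
    otherwise only nudge the maker to confirm the intent."""
    external_sinks = [s for s in automation.steps
                      if s.writes and s.connector in EXTERNAL_CONNECTORS]
    if not external_sinks:
        return "allow", []
    reasons = [f"writes to external connector '{s.connector}'" for s in external_sinks]
    labels_in = set().union(*(s.labels for s in automation.steps if s.reads))
    if not labels_in:
        reasons.append("source data carries no classification label")
        return "review", reasons
    if labels_in & SENSITIVE_LABELS:
        reasons.append(f"sensitive labels in flow: {sorted(labels_in & SENSITIVE_LABELS)}")
        return "review", reasons
    reasons.append("only nonsensitive data leaves the tenant; confirm intent")
    return "nudge", reasons


# Constructed sample flows a citizen developer might publish.
SAMPLE_FLOWS = [
    Automation("weekly-vendor-sync", "alice",
               [Step("sharepoint", {"public"}, reads=True), Step("dropbox", writes=True)]),
    Automation("finance-report-share", "bob",
               [Step("sharepoint", {"financial"}, reads=True), Step("smtp", writes=True)]),
    Automation("ticket-triage", "carol",
               [Step("servicenow", {"internal"}, reads=True), Step("teams", writes=True)]),
    Automation("unlabelled-export", "dave",
               [Step("sharepoint", reads=True), Step("http-webhook", writes=True)]),
]


def triage(flows):
    """Map each flow name to its guardrail decision."""
    return {f.name: classify(f)[0] for f in flows}
```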
About the Author
CTO & Co-Founder, Zenity
Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.