As organizations delve deeper into digital transformation, the use of low-code/no-code (LCNC) technology has become increasingly prevalent. This technology allows individuals without formal coding or software development training to construct applications easily, ultimately giving rise to what is now known as “shadow engineering.”
The appeal of LCNC platforms lies in their intuitive interfaces, which enable employees to independently create and deploy apps without the oversight of the security team. While these applications present significant security risks, they also offer considerable benefits in terms of driving digital transformation and cost savings.
According to Gartner, a considerable number of chief information officers (CIOs) have either deployed LCNC platforms or are planning to do so in the near future. The primary motivation behind these deployments is the desire to excel in customer experience, improve operating margins, and generate revenue through digital technology investments.
Nevertheless, the democratization of application development through LCNC platforms has inadvertently created a security blind spot within organizations. Shadow engineering allows citizen developers to bypass established software development life cycle (SDLC) processes, including security assurance measures. This lack of oversight exposes organizations to unforeseen risks related to software vulnerabilities and regulatory compliance.
For instance, a simple low-code automation developed by a sales team to process credit card payments could inadvertently leak sensitive data, violating industry standards like PCI DSS without the knowledge of the security operations team.
To mitigate the risks associated with shadow engineering, organizations must apply traditional application security principles to LCNC apps. This includes practices such as discovering and tracking all applications and automations, protecting applications from threats and vulnerabilities, enforcing compliance with relevant regulations, and empowering citizen developers to remediate risks effectively.
By monitoring LCNC applications and conducting regular security assessments, organizations can identify and address security vulnerabilities proactively. This structured approach to governance and security control ensures that the benefits of LCNC technology can be realized without compromising data integrity or regulatory compliance.
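The discovery and monitoring practices described above can be partly automated. The following is an added example, not code from the article or from any LCNC vendor: it audits a constructed, simplified set of exported flow definitions (the schema and connector names are assumptions) against a security-team inventory, and flags flows that route cardholder-data fields into connectors not approved for PCI DSS scope.

```python
"""Inventory and cardholder-data exposure check over exported low-code flows."""
import re

# Constructed sample flow exports; the schema is a simplification, not a real platform's.
FLOWS = [
    {"id": "flow-001", "name": "Sales card intake", "owner": "sales@example.com",
     "steps": [
         {"type": "form", "fields": ["customer_name", "card_number", "cvv"]},
         {"type": "connector", "name": "sharepoint_list",
          "fields": ["customer_name", "card_number"]},
         {"type": "connector", "name": "mail", "fields": ["cvv"]},
     ]},
    {"id": "flow-002", "name": "Leave requests", "owner": "hr@example.com",
     "steps": [
         {"type": "form", "fields": ["employee", "start_date"]},
         {"type": "connector", "name": "approved_hr_db",
          "fields": ["employee", "start_date"]},
     ]},
]

# Field names that indicate cardholder data and therefore PCI DSS scope.
CHD_PATTERN = re.compile(r"(card_?num|\bpan\b|cvv|cvc|expir)", re.IGNORECASE)
# Connectors the security team has approved to receive cardholder data (assumed).
SANCTIONED_CHD_SINKS = {"payment_gateway"}
# Flow ids already known to the security team (the inventory).
REGISTERED = {"flow-002"}


def audit_flows(flows, registered=REGISTERED, sanctioned=SANCTIONED_CHD_SINKS):
    """Return (flow_id, finding_type, detail) tuples for the security team."""
    findings = []
    for flow in flows:
        # Discovery: anything not in the inventory is shadow engineering.
        if flow["id"] not in registered:
            findings.append((flow["id"], "UNREGISTERED", "not in security inventory"))
        for step in flow["steps"]:
            chd = [f for f in step.get("fields", []) if CHD_PATTERN.search(f)]
            # Protection: cardholder data leaving the flow through an unapproved sink.
            if step["type"] == "connector" and chd and step["name"] not in sanctioned:
                findings.append((flow["id"], "CHD_LEAK",
                                 f"{step['name']} receives {','.join(chd)}"))
    return findings


if __name__ == "__main__":
    for flow_id, kind, detail in audit_flows(FLOWS):
        print(f"{flow_id}: {kind} - {detail}")
```

Run against a real export, the same logic gives the security operations team a first inventory of citizen-developed automations and the subset that needs a PCI DSS review.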
In conclusion, while the democratization of software development through LCNC platforms and robotic process automation (RPA) presents significant opportunities for innovation, organizations must prioritize security and governance to mitigate the inherent risks. By implementing robust security measures and fostering a culture of compliance among citizen developers, organizations can harness the full potential of LCNC technology while safeguarding against potential security threats.