
No Country for No-Code: Are We Heading Towards a Wild West of Software Security?

· 3 min read
Milan Verreyt
Sources

Source: article partially reproduced from blog.devops.dev
Original author: Michael Burch

security

Nearly everything we use is built on code, from cars to smart fridges to doorbells. In businesses, countless applications keep devices, workflows and operations running. So, when early no-code development platforms launched in 2010, promising more accessible application development for citizen developers, their success felt inevitable.

It’s hard to deny the success of no-code. These platforms flatten the learning curve for would-be developers, allowing organizations to innovate and automate with useful applications despite a developer skills shortage. Plus, the out-of-the-box applications offered by no-code platforms expedite the application development process in a world where speed-to-market is king. Last year, Forrester found that 87% of enterprise developers use low-code and no-code tools or platforms for at least some of their workload.

But functionality is not the only sign of success. Unintentionally, the same trends that pushed for application development to be democratized have led to a wild west of insecure applications and misconfigurations that expose a whole host of organizations to cyberthreats.

The Importance of Security

While these platforms democratize development, they must be used with caution. The OWASP Top 10 highlights factors such as misconfiguration and the use of vulnerable components as common security threats. Yet a reliance on no-code development could introduce undetected vulnerabilities directly into an organization.

Forrester has long warned of the risk of no- and low-code, featuring the vulnerability in its predictions for the coming years. The spectre of an untrained employee creating applications is especially alarming: these platforms empower employees with no application security knowledge to develop programs that security teams are often unaware of.

Organizations must gain real oversight into who is responsible for developing software, whether professional developers leveraging no-code platforms as tools, or citizen developers creating applications for smaller teams and projects. It is no secret that CVEs are rising sharply. They hit a record 28,092 last year and are projected to increase by 25% throughout 2024. Last December, Microsoft revealed a high-severity CVE that affected low-code and no-code users.

When businesses are facing a tide of new exploits each day, skills such as vulnerability detection and remediation are critical to any new software development project.

Software development needs to become more flexible in its roles, but never at the expense of security. By fostering a culture of “security by design” across the organization, security leaders can ensure that all roles in the software development lifecycle (SDLC) understand their responsibilities in their security posture — including citizen developers.

No matter what tools arise, knowledgeable human users will always need to understand what the tool is providing and can act as a stopgap for quality and security.