If you ask CTO and Co-founder of Zenity Michael Bargury, low-code/no-code (LCNC) is a relatively (and alarmingly) unexplored area in terms of security.
"The sooner we get on bringing LCNC under the security umbrella, the better we will be left off," Bargury argued during an RSAC Cybersecurity Learning webinar. Every modern SaaS vendor is on a path to become an LCNC platform, and he believes there's a clear reason for those shifts. "It's about extendibility. It's about becoming a platform rather than a single solution," he said.
Salesforce, for example, is much more than a customer relationship management tool – it's a way to build applications very similar to those built for the public cloud. "As a large organization, you will typically find yourself a customer of either Microsoft or Salesforce or ServiceNow any other one of the companies" leading the LCNC market.
Those companies have introduced LCNC features into their existing products, which means LCNC is finding its way directly into the heart of the enterprise, Bargury explained. "The important thing is that it's built directly on top of business data because, of course, business sensitive data sits within each one of these platforms," he added.
The LCNC market is so successful because of its naturally faster speed of application development and deployment. "There is one stakeholder that can do everything from thinking about the need to solving the need [on] their own," he said. That doesn't mean, however, that those citizen developers or business technologists should be solely responsible for the security risks posed by low-code application development.
Why can't low-code application platform vendors ensure each app created on their platform is secure? "We've actually tried this before, and this failed, and we've come across a better solution," which is "the same shared responsibility model that we've seen in the public cloud," Bargury explained.
While some of the responsibility has to fall onto the vendor, the customer organization needs its fair share, too. "The part where we need to own the applications that we're building – this is what's missing," he said.