In the world of DevSecOps, a little empathy goes a long way — particularly when it comes to expectations for your developers. While security pros have been steeped in common security flaws and the OWASP Top 10 for years, most developers never took a security course at the university level. As security pros, our job is to enable and support developers who may have the best intentions for security but who also face competing priorities — they are not security pros, and security is just one of many issues they need to consider. Our job is to integrate security into the developer experience and make it easier for them to get secure products in customers’ hands. Many of the advances in application security processes and tooling — gamified training, contextually relevant remediation guidance, integration with the developer’s toolset, developer security champions — have been driven by that reality.
When my colleague on the application development and delivery team, John Bratincevic, and I started to research low-code security, we realized that security teams were going to need to extend that perspective to a brand-new class of developers. As John discusses in our recently published report, “Don’t Ignore Security In Low-Code Development,” low-code developers fall into two buckets: professional developers who leverage low-code to improve speed and responsiveness and citizen developers who sit outside of IT and development. Citizen developers not only have never taken a secure development class but likely have not taken any development classes at all — therefore, common application security concepts will be even more foreign.
What does this mean for security teams? Three key points:
- Application developers may no longer just work on the development team. Spend some time understanding your organization’s low-code strategy, who is developing what sorts of low-code applications, and where they sit.
- It’s time to expand your network again — get to know the citizen developers in your organization and start building the security team’s credibility with these new stakeholders.
- Security training will look different — the abstraction of low-code means that citizen developers are less likely to introduce an SQL injection than they are to misconfigure permissions or leak data. Focus on the security principles most aligned with how low-code developers build applications.
To learn more about low-code security considerations, please check out our report. If you have additional questions, please set up an inquiry with us — we’re excited to discuss this further!