Application security

Empowering without exposing: A roadmap for security teams in a citizen developers’ world

In a recent SC Media webcast, host Mike Shema spoke with Amichai Shulman, Co-Founder and CTO at NoKod Security, and Tim Lange, Senior VP, Enterprise Information Security Group at Great American Insurance Company, about a fast-growing blind spot in enterprise security: the surge of software created outside traditional development pipelines, from applications and automations to AI-driven agents.

The panel discussed the mounting risks that come with the proliferation of applications and automations built outside traditional IT channels. The panelists revealed just how dramatically the landscape has shifted: enterprise solutions are increasingly crafted by “citizen developers,” business users leveraging no-code or low-code platforms like Microsoft Power Platform, UiPath, and Salesforce to automate processes and build apps with minimal IT oversight.

Shulman emphasized the explosive growth of these solutions, pointing out that the number of apps now built by non-developers can far outstrip those built by IT professionals. This democratized approach accelerates business but introduces major gaps in visibility and security, with sensitive workflows and data flows often outside established safeguards.

Lange shared firsthand the struggle his organization faced: thinking they had a few hundred automations, only to discover thousands, many built by staff with little security training. Both speakers highlighted common vulnerabilities such as hardcoded credentials, injection attacks, and inappropriate file or email access, problems once prevalent with traditional web apps and now resurfacing in no-code environments.

The panelists agreed that manual oversight simply doesn’t scale. Instead, organizations must fight automation with automation, deploying monitoring and security layers that can detect risky behaviors and empower users with clear, actionable guidance, regardless of technical background. Communication is key: security teams must translate risk into language business and citizen developers understand, and tools should enable non-experts to fix issues quickly and safely.

Ultimately, responsibility for securing these systems is shared—between business users, IT, and security leadership. The webcast concluded with a call for more visibility, better tooling, and proactive collaboration to address these fast-moving risks before they turn into costly breaches.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
