Securing Citizen Developers: A New Opportunity to Build Safe Applications

CVE/FIRST VulnCon 2025 · Main Stage

In "Securing Citizen Developers: A New Opportunity to Build Safe Applications," Kayla Underoffer, Lead Security Engineer in the CTO office at Zenity, addresses a burgeoning and often overlooked security challenge: the rapid proliferation of applications built by non-IT professionals using **low-code/no-code (LCNC)** platforms. This talk posits that while traditional "shift left" security initiatives have struggled to achieve their full potential within professional development teams, the rise of citizen development presents a "new hope" for integrating security earlier and more effectively into the application lifecycle. Underoffer highlights the unique risks inherent in this paradigm and, crucially, outlines a pragmatic, platform-centric strategy for mitigating them.

AI review

Underoffer covers a legitimate and underserved problem space — the security posture of low-code/no-code environments built by non-technical users — with competence and reasonable structure. The talk correctly identifies real risk categories (auth misuse, hardcoded secrets, unauthenticated agents) and offers a sensible four-part defensive framework. The 90% risk reduction claim backed by a Microsoft/Zenity case study is the strongest concrete data point. But the talk doesn't escape the gravitational pull of its speaker's employer: Zenity sells LCNC security posture management, and the…
