Low-Code Paradox in DevOps: Security and Governance Insights from Practitioners

TL;DR

This paper explores how low-code development platforms impact security and governance in DevOps, highlighting risks and the need for proactive practices based on practitioner insights.

Contribution

It provides empirical insights into security and governance challenges of LCDPs in DevOps through interviews with IT professionals.

Findings

LCDPs automate tasks but increase security risks

Governance challenges are amplified by LCDP adoption

Proactive security practices are essential for safe LCDP integration

Abstract

DevOps has become a dominant paradigm in modern software engineering, while low-code development platforms (LCDPs) are increasingly adopted to streamline software development. The integration of these approaches promises efficiency gains but also raises critical concerns regarding security and governance. Despite their growing use, insufficient attention has been given to the implications of these platforms for security and governance in DevOps environments. This study investigates practitioners perspectives on the security and governance implications of LCDPs in DevOps environments. Twelve semi-structured interviews were conducted with IT professionals experienced in low-code and DevOps practices. The data were analyzed using a grounded theory approach to identify emergent themes. Findings reveal that LCDPs help automate tasks; however, they also increase security risks and governance challenges, highlighting the need for robust practices and a security-conscious culture. This study suggests that the intersection of DevOps and LCDPs requires careful governance and proactive security practices. Addressing these issues is essential for organizations to unlock the potential of LCDPs while safeguarding resilience, compliance, and developer needs.