Michael Bargury spent years working on cloud security at Microsoft, bootstrapping security products that tackle emerging threats like IoT, APIs and IaC.
Vested Interest Disclosure: The author's an independent contributor, and while HackerNoon has reviewed the story for quality, the claims hereon belong to the author. #DYOR
Ishan Pandey: Hi Michael, welcome to our series “Behind the Startup.” Please tell us about yourself and the story behind Zenity?
Michael Bargury: Hi Ishan, thank you for inviting me. I was always drawn to domains where there were not a lot of certainties but a lot to discover. I spent several years focused on cloud security at Microsoft, bootstrapping security products that tackle emerging threats like IoT, APIs and IaC. My role was to always be on the lookout for the next big thing. Microsoft was betting hard on Power Platform and was eating its own dog food at that time.
We had a few hundred thousand apps (!!) developed through Microsoft by IT and business units, and I was tapped as part of the team tasked to figure out how we tackle this security challenge. We tried a few different things and were in development when COVID hit and the effort got cancelled. In parallel, I was eager to go out on my own journey and was looking for a BIG problem to tackle and a strong partner I could do this with.
Ben Kliger and I worked together throughout our time at Microsoft, and always knew we’d love to do something together someday. Ben has taken a pivotal role in growing the Azure cloud security offering. Once we connected and decided to go on this journey together, we talked to a few dozen enterprise tech C-levels, Fortune 500 included, and figured out that low-code/no-code security is a widely overlooked area in our industry, that companies are struggling with it right now, and that this will only continue to grow. It was clear that we were going to spend our next years tackling this problem.
Ishan Pandey: Please tell us a little bit about the Zenity platform?
Michael Bargury: Low-Code/No-Code is a great enabler. The really cool thing about it is that it lowers the bar to be a digital creator. So business units within the enterprise can address their own needs without waiting for IT. However, IT is there for a reason. Apps need to be secure, compliant, maintain customer privacy, and be resilient and supported. So much of our security frameworks depend on the security savviness of developers. Can we ask the same from business users? Enterprise IT and security teams today are finding themselves between a rock and a hard place. They either maintain security by blocking low-code/no-code innovation, or enable productivity but lose all visibility and control.
Zenity is all about letting organizations have both. It provides cross-platform visibility, risk assessment, monitoring and governance, so the enterprise can fully adopt low-code/no-code without compromising security. Security and IT teams can set guardrails, respond to threats and monitor citizen developers as they innovate.
Ishan Pandey: Because low-code and no-code platforms enable even those without a development background to swiftly construct apps, they can also contribute to a rise in shadow IT. What are your thoughts on this rising issue within such platforms?
Michael Bargury: First, I want to acknowledge that this is a real issue we’re seeing customers face today. It’s not just dedicated low-code/no-code platforms like Zapier or IFTTT. It seems like every SaaS vendor today is becoming a development platform. Salesforce, ServiceNow, Microsoft, Workday, Slack and other companies are embedding their services with low-code/no-code platforms, which go directly into the heart of the enterprise. That means that enterprises have no way to “stop” citizen development, and they must face this new reality.
However, the advent of low-code/no-code platforms should be considered a blessing for security teams, not a curse. For many years now, the industry has been trying to tackle the shadow-IT problem, or its old uncle, the DLP problem, with no real success. It’s challenging to figure out how data moves when users are using “copy-and-paste integration”. But when users are encouraged to automate data movement through low-code/no-code, suddenly there’s a repository of data movers security teams can look at! By analyzing these apps, security teams can get unprecedented visibility and control over how data moves in the enterprise. And so, with the right guardrails and analysis engines in place, security should drive their organization to use low-code/no-code.
Ishan Pandey: What are the major security concerns pertaining to low-code and no-code applications?
Michael Bargury: The number one issue security teams are worried about is identity misuse. Low-code/no-code platforms make it extremely easy for makers to embed their identity into an application. Everyone who uses it does so while impersonating the maker. This one fact makes every existing security solution obsolete, from network controls to pro-code application security tools. None of them can figure out what’s going on because, as far as they can see, the maker is performing all the actions, and the app doesn’t even exist.
Another issue is about data flow and control. You are always a click away from connecting your personal account and using it for business purposes, either intentionally or by mistake. In enterprise settings, we often find automation put in place to sync business and personal accounts, usually because people prefer to read their professional emails together with their personal ones. The sprawl of micro-applications produced by low-code/no-code becomes impossible to manage, with hordes of applications touching, changing and moving data around unchecked.
Insecure authentication is another pressing concern. By their nature, low-code/no-code applications are about connectivity. Since makers are the ones creating those connections, they find themselves having to configure settings like SSH fingerprints, FTP encryption, and other non-trivial security settings. Mistakes very often lead to enterprise data or identities being sent over an insecure channel.
We are leading a new OWASP group that is focused on the top security concerns for low-code/no-code security, together with strong experts throughout the industry.
Ishan Pandey: LC/NC software development methodologies can support a wide range of application types. Can you please explain to our readers what some of the major application types supported by such LC/NC software are?
Michael Bargury: Low-Code/no-code is being used by IT and business users to power what used to be the sole responsibility of Business Application and Integration teams. Enterprises are building business-critical applications with low-code/no-code, with some taking it further and building customer-facing applications with low-code. Let me share a couple of examples.
One typical use case is around streamlining business processes. In one organization, the HR team was launching a new Give-Away program where employees could pledge a donation and participate in a raffle. HR employees created an application that allowed employees to log in with their corporate identities, choose donations, and facilitate payment to streamline this process. This kind of app is very typical, where business units facilitate and automate business processes through a dedicated app. Note that the app is handling payments, which entails critical security and compliance risks. In this particular organization, the app was developed without participation or review from IT, which created financial risk.
Another common use case is automation: if-this-then-that rules that help stitch together different systems to avoid manual work. Slack famously automates its entire order-to-cash process using low-code automation, from contract approvals through facilitation of payment and auditing in Salesforce. Of course, this process is as critical as it gets. Making sure customer payments are smooth and can be tracked throughout their lifecycle is crucial, and automating it all shows great talent and a double-down on low-code by Slack.
Ishan Pandey: While there are a few challenges with low-code/no-code platforms, kindly elaborate on the major benefits of such platforms?
Michael Bargury: In a typical enterprise, business users are always fighting for their needs to get fulfilled by IT. With the shortage of developers worldwide and the need to move faster than ever, businesses are just stuck and left looking for solutions. Low-code/no-code places the power right in the hands of the people who can bring the most benefit to the business, the business users. Rather than getting management buy-in, specifying requirements with PMs, waiting for prioritization, and working with another department across the org, business users can now focus on getting the job done. They know best what the business needs, and low-code/no-code gives them the tools to act on that knowledge quickly and independently.
Ishan Pandey: What does the roadmap ahead look like for Zenity and the LC/NC ecosystem as a whole?
Michael Bargury: Zenity is focused on helping enterprises accelerate the adoption of low-code/no-code without compromising security. We are an enterprise-first company, which means that we comply with the highest security and compliance standards and also play nicely with the enterprise ecosystem. In the upcoming months, Zenity is focused on advanced governance features that will allow admins to trigger immediate actions when applications are found non-compliant. We are also working on getting direct security insight right to the business users, guiding them through the process of building secure and compliant apps.