
Securing The SDLC For No-Code Environments

Yair Finzi is cofounder & CEO of Nokod Security and was cofounder & CEO of SecuredTouch (now Ping Identity) and a product leader at Meta.


The software development life cycle (SDLC) is the backbone of application development, providing a structured process to ensure quality, functionality and security. Traditional SDLC security controls—applied during software planning, analysis, design, implementation, testing and maintenance—are deeply ingrained in how enterprises manage application risk. However, no-code development flips the script, presenting unique challenges that render many traditional security practices unworkable.

Traditional SDLC Security Versus No-Code

In conventional application development, SDLC phases serve as gates where security checks and balances are applied:

• Planning involves defining security requirements.

• Analysis identifies potential threats.

• Design incorporates secure architectures.

• Implementation follows secure coding practices.

• Testing evaluates vulnerabilities.

• Maintenance ensures ongoing compliance and patching.

No-code development, however, operates under vastly different rules. Many traditional SDLC phases are skipped outright in no-code workflows—not necessarily because developers are careless, but because the nature of no-code makes these steps redundant or unfeasible.

Since apps are often created and deployed within days, no-code development leaves little room for detailed planning or analysis. Also, because no-code platforms simplify much of the underlying complexity in creating applications, developers are heavily dependent on pre-built tools and connectors.

Given these differences, expecting the full SDLC to apply to no-code environments is unrealistic. Instead, organizations need to rethink how and where to embed security, focusing on phases where it can have the most impact.

What Doesn't Work—And Why

Many elements of the traditional SDLC simply don't apply to no-code development. For example, in the planning phase, traditional SDLC emphasizes budget allocation, timelines and stakeholder input, with security embedded from the outset. In no-code, many projects are grassroots efforts initiated by citizen developers to solve immediate problems, and planning often does not involve security personnel.

The analysis phase, typically used for threat modeling and risk assessments, also proves challenging. Most citizen developers lack the expertise or time to conduct such activities. While centrally managed no-code projects may include some level of analysis, it is rarely robust enough to support meaningful security measures.

The design phase often does not exist in no-code workflows as developers jump directly to implementation and "coding." While some no-code users may create informal plans, these rarely incorporate security considerations. This lack of structured design can create critical gaps, particularly around data sensitivity and access controls, since citizen developers rely on drag-and-drop interfaces or AI-driven prompts and frequently bypass traditional secure coding practices.

The testing phase suffers from gaps as well, as many no-code platforms lack robust testing environments. Apps frequently move straight from development to production without validation, increasing the risk of undetected vulnerabilities.

Finally, in the maintenance phase, no-code apps lack centralized version control or visibility into changes, making it harder to track and secure updates over time. Maintenance tends to be reactive and inconsistent, which can introduce additional risks associated with unremediated vulnerabilities.

How To Secure The No-Code SDLC

Given the unique dynamics of no-code, securing the SDLC must focus on the later phases—implementation, testing and maintenance—where security can make the most difference. While earlier phases like planning and analysis are often skipped for the reasons mentioned above, these later phases present opportunities to embed meaningful security controls.

Implement real-time security detection and remediation.

Focus security efforts on the implementation phase, where no-code developers are actively building apps. Automated tools should integrate directly with no-code platforms to detect vulnerabilities in real time, such as injection risks or misconfigured permissions. These tools must translate findings into actionable guidance tailored to the platform's terminology, helping citizen and automation developers address issues without requiring deep security expertise.
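The kind of platform-integrated check described above, as an added example that is not part of the article or any vendor's tooling. It scans a constructed JSON export of a no-code app (the manifest shape, field names and control-reference syntax `{Control.Text}` are assumptions, since every platform has its own format) and reports findings in the citizen developer's own vocabulary of sharing, connectors and flow steps rather than as CWE identifiers:

```python
"""Policy scan over a no-code app export.

Added example, not from the article. The manifest layout below is a
constructed, hypothetical shape; real platforms each export differently,
so every field name here is an assumption.
"""
import json
import re

# Constructed sample export: one app whose sharing, connector and flow
# definitions each contain one issue worth surfacing to its maker.
SAMPLE_MANIFEST = json.dumps({
    "app": "ExpenseApprovals",
    "environment": "prod",
    "sharing": [
        {"principal": "Finance Team", "role": "CanEdit"},
        {"principal": "Everyone", "role": "CanEdit"},
    ],
    "connectors": [
        {"name": "ERP", "auth": "oauth2"},
        {"name": "LegacyDB", "auth": "basic", "password": "Summer2024!"},
    ],
    "flows": [
        {"name": "Lookup", "step": "query",
         "expression": "SELECT * FROM Claims WHERE id = '{TextInput1.Text}'"},
    ],
})

# Guidance phrased in platform terms (sharing, connector, flow step), which
# is what a citizen developer can act on without security background.
GUIDANCE = {
    "OPEN_SHARING": "The app is shared with '{principal}' as '{role}'. Restrict "
                    "sharing to the teams that need it and give viewers 'CanView'.",
    "EMBEDDED_SECRET": "Connector '{name}' stores a password inside the app. Move "
                       "it to the platform's credential store or switch to OAuth.",
    "UNSAFE_QUERY": "Flow '{name}' pastes control '{control}' straight into a "
                    "query. Use the connector's parameterised action instead of "
                    "a built string.",
}

# Hypothetical syntax for referencing a screen control inside an expression.
CONTROL_REF = re.compile(r"\{([A-Za-z0-9_]+)\.Text\}")
BROAD_PRINCIPALS = {"everyone", "anonymous", "all users"}
SECRET_KEYS = ("password", "api_key", "secret")


def scan_app(manifest_json):
    """Return a list of (code, message) findings for one exported app."""
    app = json.loads(manifest_json)
    findings = []

    # Misconfigured permissions: a broad principal with anything above view.
    for share in app.get("sharing", []):
        if share["principal"].lower() in BROAD_PRINCIPALS and share["role"] != "CanView":
            findings.append(("OPEN_SHARING", GUIDANCE["OPEN_SHARING"].format(**share)))

    # Credentials embedded in the app definition instead of the platform's vault.
    for conn in app.get("connectors", []):
        if any(key in conn for key in SECRET_KEYS):
            findings.append(("EMBEDDED_SECRET",
                             GUIDANCE["EMBEDDED_SECRET"].format(name=conn["name"])))

    # Injection risk: user-controlled input concatenated into a query string.
    for flow in app.get("flows", []):
        if flow.get("step") == "query":
            match = CONTROL_REF.search(flow.get("expression", ""))
            if match:
                findings.append(("UNSAFE_QUERY", GUIDANCE["UNSAFE_QUERY"].format(
                    name=flow["name"], control=match.group(1))))
    return findings


if __name__ == "__main__":
    for code, message in scan_app(SAMPLE_MANIFEST):
        print(f"[{code}] {message}")
```

Run against the sample manifest it reports one finding per category; an export with team-scoped sharing, vault-backed connectors and parameterised queries yields an empty list. In a real integration the scan would be triggered by the platform's save or publish event so the maker sees the guidance while the app is still being built.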

Establish governance policies for testing and deployment.

Testing environments are essential for validating security before apps go live. Establish governance policies that mandate dev-test-prod separation and enforce checks for security compliance. This ensures that testing becomes a natural step in the development process, enabling vulnerabilities to be addressed before reaching production.

Streamline maintenance with version control.

In the maintenance phase, a centralized version control mechanism is essential for tracking changes and ensuring accountability. Require all no-code apps to log updates, capturing details such as who made changes and when. Governance policies should extend to monitoring app performance and enforcing timely security updates.
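The two governance controls just described, a dev-test-prod promotion gate and a change log that records who changed what and when, as one added example that is not part of the article. The `AppChangeLog` class, its stage names and the record fields are constructed assumptions standing in for whatever a given platform's admin API exposes; the hash chain is an added design choice so that a deleted or edited log entry is detectable:

```python
"""Promotion gate and tamper-evident change log for no-code apps.

Added example, not from the article. Stage names, record fields and the
class itself are hypothetical; a real platform would supply these events
through its own admin or audit API.
"""
import hashlib
import json
from datetime import datetime, timezone

STAGES = ("dev", "test", "prod")
GENESIS = "0" * 64


class PromotionError(Exception):
    """Raised when a promotion would violate the dev-test-prod policy."""


class AppChangeLog:
    """Append-only, hash-chained history of one app's promotions."""

    def __init__(self, app_name):
        self.app_name = app_name
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, version, stage, actor, test_passed=None, when=None):
        """Append one entry capturing who promoted which version where, and when."""
        entry = {
            "app": self.app_name,
            "version": version,
            "stage": stage,
            "actor": actor,
            "test_passed": test_passed,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if no entry has been altered or removed since it was written."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def promote(self, version, to_stage, actor, test_passed=None):
        """Gate: a version reaches prod only after a logged, passing test run."""
        if to_stage not in STAGES:
            raise PromotionError(f"unknown stage {to_stage!r}")
        if to_stage == "prod":
            tested = any(e["version"] == version and e["stage"] == "test" and e["test_passed"]
                         for e in self.entries)
            if not tested:
                raise PromotionError(
                    f"{self.app_name} v{version}: no passing test run logged before prod")
        return self.record(version, to_stage, actor, test_passed)


if __name__ == "__main__":
    log = AppChangeLog("ExpenseApprovals")
    log.promote("1.0", "dev", "alice")
    log.promote("1.0", "test", "bob", test_passed=True)
    log.promote("1.0", "prod", "alice")
    for e in log.entries:
        print(e["when"], e["actor"], e["stage"], e["version"])
    print("log intact:", log.verify())
```

The gate refuses a straight dev-to-prod jump and a prod push after a failed test run, which is the "dev-test-prod separation" policy turned into an enforced check; the chained hashes give the maintenance phase the accountability the article asks for, because editing any earlier entry invalidates every later one.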

Opt for secure-by-default platform features.

Advocate for no-code platform providers to include built-in security features, such as pre-configured secure connectors and automated compliance checks. Choosing platforms with robust security defaults reduces the burden on developers and mitigates risks upstream.

Conclusion

Many SDLC phases aren't directly relevant to no-code development, and some are skipped altogether. Rather than forcing traditional SDLC security practices into no-code environments, organizations should focus their efforts on later SDLC phases—primarily implementation, testing and maintenance. This can empower citizen developers to innovate quickly without sacrificing security.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
