The demand for robust and efficient software applications has been steadily increasing and has in turn prompted companies to invest in rapid code development. Low-code has allowed organizations to incorporate citizen developers who do not have coding expertise to develop complex, yet scalable applications in a short amount of time through platform plugins and drag-n-drop widgets. This has enabled organizations to improve productivity between IT and business teams. However, due to the lack of development experience, there are many challenges organizations face when maintaining low-code projects programmed by citizen developers. Let us discuss these challenges and a few governance frameworks to manage low-code applications.

Who are citizen developers?

To identify the potential problems introduced by low-code applications, we must first understand the developers behind them: the citizen developers. Citizen developers are employees within an organization that range from business users all the way to junior developers with little to no coding experience. Organizations employ citizen developers as a method to close skills shortages when staffing a project. By having enough knowledge in technical concepts and a good grasp on business goals, citizen developers have a cross-functional advantage. However, projects developed by citizen developers may have security vulnerabilities due to the lack of expertise in development methodology and programming skills. These deficiencies can lead to an accumulation of technical debt due to the absence of proper software architecture.

Two Governance Approaches: Centralized vs Federated

How can you solve the shortcoming of an application developed by citizen developers? There are two approaches organizations can take to reduce the risks associated with low-code developed apps: (1) centralized and (2) federated governance.

Centralized Governance: Centralized governance is when a single organization or a group of people are responsible for all decisions, discussions, and development. In the case of low-code control, this centralized entity exerts consistent control across organizations and provides reliable regulatory compliance and security approvals. This entity may be the only source of approval across the entire organization. Although this approach will guarantee the coverage of security control from low-code apps, being governed by one team can create a bottleneck due to the team’s ability to handle all compliance requests if substantial amounts of sub-organizations require approval.

Federated Governance: The second approach, federated governance, aims at resolving some of the bottleneck issues seen in the centralized model. In federated governance, individual business teams have full freedom to govern their system while being responsible for controlling their own software quality and security risks. In low-code control, every team has its own approval body as opposed to a single centralized head within the company. The entirety of the production process for a low-code application is completely up to the teams’ discretion. Although this solves the problem of delivery bottlenecks from the centralized approach, each team may have their own security standards, risk analysis, and quality control which vary vastly across a single organization. This irregularity creates a quality control risk for the organization and makes it difficult to have a unified standard across the entire organization.

Here is a quick recap on each approach, their benefits, risks, and when to use them: