
arxiv: 2605.16971 · v1 · pith:J6WW4TQNnew · submitted 2026-05-16 · 💻 cs.SE

Low-Code Paradox in DevOps: Security and Governance Insights from Practitioners

Pith reviewed 2026-05-19 20:21 UTC · model grok-4.3

classification 💻 cs.SE
keywords: low-code development platforms · DevOps · security risks · governance challenges · practitioner interviews · grounded theory · automation · compliance

The pith

Low-code platforms in DevOps automate tasks but raise security risks and governance challenges per practitioner interviews.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper investigates how low-code development platforms intersect with DevOps by collecting views from twelve IT professionals through semi-structured interviews. It shows these platforms speed up task automation while also creating new security vulnerabilities and governance difficulties. A sympathetic reader would care because many teams are shifting to low-code tools for quicker releases, so the reported trade-offs affect daily operations and compliance efforts. The analysis uses grounded theory to surface themes that point toward the need for stronger practices and a security-focused mindset to manage the combination safely.

Core claim

Through interviews with twelve IT professionals experienced in low-code and DevOps, the study finds that LCDPs help automate tasks; however, they also increase security risks and governance challenges, highlighting the need for robust practices and a security-conscious culture. This suggests that the intersection of DevOps and LCDPs requires careful governance and proactive security practices to unlock potential while protecting resilience, compliance, and developer needs.

What carries the argument

Grounded theory analysis of semi-structured interviews with twelve IT professionals to extract emergent themes on automation benefits versus security and governance drawbacks.

If this is right

  • Organizations must apply careful governance when combining DevOps with low-code platforms.
  • Proactive security practices become necessary to reduce the added risks.
  • Teams need to build a security-conscious culture to handle the new challenges.
  • Successful adoption depends on safeguarding resilience, compliance, and developer requirements.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Low-code environments may require new training modules focused on platform-specific security controls.
  • Governance models could need updates to handle reduced visibility into code and dependencies.
  • Comparative studies of security metrics before and after low-code adoption in the same teams would test the patterns observed here.

Load-bearing premise

The perspectives from the twelve interviewed IT professionals represent the broader security and governance implications of low-code platforms in DevOps settings.

What would settle it

A larger survey or incident data review across many DevOps teams that finds no measurable rise in security breaches or governance failures when low-code platforms are used would undermine the reported risks.

Figures

Figures reproduced from arXiv: 2605.16971 by Arif Ali Khan, Muhammad Azeem Akbar, Saima Rafi.

Figure 1: Used research approach
Original abstract

DevOps has become a dominant paradigm in modern software engineering, while low-code development platforms (LCDPs) are increasingly adopted to streamline software development. The integration of these approaches promises efficiency gains but also raises critical concerns regarding security and governance. Despite their growing use, insufficient attention has been given to the implications of these platforms for security and governance in DevOps environments. This study investigates practitioners' perspectives on the security and governance implications of LCDPs in DevOps environments. Twelve semi-structured interviews were conducted with IT professionals experienced in low-code and DevOps practices. The data were analyzed using a grounded theory approach to identify emergent themes. Findings reveal that LCDPs help automate tasks; however, they also increase security risks and governance challenges, highlighting the need for robust practices and a security-conscious culture. This study suggests that the intersection of DevOps and LCDPs requires careful governance and proactive security practices. Addressing these issues is essential for organizations to unlock the potential of LCDPs while safeguarding resilience, compliance, and developer needs.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that while low-code development platforms (LCDPs) help automate tasks in DevOps environments, they also increase security risks and governance challenges based on thematic analysis from twelve semi-structured interviews with IT professionals using grounded theory.

Significance. This empirical study provides practitioner insights into the security and governance aspects of LCDPs in DevOps, which is an emerging area. The primary data collection is a positive aspect, offering grounded perspectives that could inform better practices if the sample is representative.

major comments (2)
  1. [§3] §3 (Methodology): The description of participant recruitment, interview protocol, coding process, and steps taken to achieve theoretical saturation or mitigate researcher bias is absent or insufficiently detailed. This directly affects the credibility of the emergent themes and the extrapolation to broader security and governance implications.
  2. [§4] §4 (Findings/Demographics): No table or text reports participant roles, organization sizes, experience levels, or diversity metrics. Without this, the claim that LCDPs 'increase security risks and governance challenges' rests on an uncharacterized sample of twelve interviews, weakening support for the stated recommendations.
minor comments (2)
  1. The abstract states the sample size and method but omits any reference to limitations; adding one sentence on scope would improve reader expectations without altering the contribution.
  2. [§3] Consider adding a short table summarizing interviewee characteristics (anonymized) to make the data collection section more transparent.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive feedback on our manuscript. We have reviewed each major comment carefully and provide point-by-point responses below, including planned revisions to enhance methodological transparency and contextual details.

  1. Referee: [§3] §3 (Methodology): The description of participant recruitment, interview protocol, coding process, and steps taken to achieve theoretical saturation or mitigate researcher bias is absent or insufficiently detailed. This directly affects the credibility of the emergent themes and the extrapolation to broader security and governance implications.

    Authors: We appreciate the referee's emphasis on methodological rigor. While the original manuscript provided a high-level overview of the grounded theory approach and the conduct of twelve semi-structured interviews, we acknowledge that the details on recruitment, interview protocol, coding steps, theoretical saturation, and bias mitigation were insufficiently elaborated. In the revised manuscript, we will expand the Methodology section to explicitly describe: recruitment via professional networks, LinkedIn, and industry contacts with inclusion criteria; the semi-structured interview guide including core questions on security and governance; the iterative coding process (open, axial, and selective coding); evidence of theoretical saturation (no new themes emerging after the tenth interview); and bias mitigation steps such as dual independent coding, reflexive memos, and member checking with participants. These additions will directly address the concerns and strengthen the credibility of the emergent themes.
    Revision: yes

  2. Referee: [§4] §4 (Findings/Demographics): No table or text reports participant roles, organization sizes, experience levels, or diversity metrics. Without this, the claim that LCDPs 'increase security risks and governance challenges' rests on an uncharacterized sample of twelve interviews, weakening support for the stated recommendations.

    Authors: We agree that demographic characterization is important for evaluating the sample and supporting the generalizability of our findings. Although the original submission prioritized participant anonymity, we will add a table (or aggregated text description) in the Findings section reporting participant roles (e.g., DevOps engineers, security specialists, IT managers), organization sizes (SMEs to enterprises), years of relevant experience, and available diversity information. This will be presented at a level that maintains confidentiality while providing the necessary context to substantiate our claims about security risks and governance challenges.
    Revision: yes

Circularity Check

0 steps flagged

No significant circularity in empirical interview-based study


The paper reports primary empirical data from twelve semi-structured interviews analyzed via grounded theory to identify themes on LCDP security and governance in DevOps. No mathematical derivations, equations, fitted parameters, predictions, or self-citation chains are present that would reduce claims to inputs by construction. The central findings emerge directly from the collected practitioner perspectives rather than any self-referential or fitted process, making the work self-contained against external benchmarks with no load-bearing circular steps.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The study relies on standard assumptions of qualitative research in software engineering without introducing free parameters, new entities, or ad-hoc axioms beyond common methodological premises.

axioms (1)
  • Domain assumption: Grounded theory is an appropriate approach for deriving emergent themes from semi-structured interview data in this domain.
    Invoked when analyzing the twelve interviews to identify themes on security and governance.


