OWASP Citizen Development Top 10
Overview
Since Gartner introduced the term “Citizen Developer” in 2009, advances in platforms such as Microsoft Power Platform, SAP, ServiceNow, and Salesforce, along with AI assisted tools like Base44, Cursor, and Replit, have enabled people across all backgrounds to build sophisticated software at scale.
This movement has accelerated innovation but also raised new concerns around security and governance. The OWASP Citizen Development Top 10 Project addresses these challenges by identifying the most pressing risks that arise from citizen development of software built with Low Code No Code, AI assisted coding, and AI agent technologies.
Scope
Citizen developers can be business users improving efficiency in their daily work or hobbyists creating entirely new applications. By lowering barriers to entry, business innovation platforms and AI assisted technologies have redefined how software is created, removing long standing resource constraints from traditional development teams.
This expanded ability to create at scale introduces unique risks for organizations. Originally focused on Low Code No Code platforms, this OWASP project broadened its scope to reflect the wider landscape of citizen development and the technologies that enable it. The Top 10 risks therefore cover threats introduced through business innovation platforms, AI assisted coding, and AI agents.
Audience
The OWASP Top 10 Security Risks for Citizen Development is primarily aimed at security professionals who are tasked with enabling safe adoption of these technologies. They provide the critical guardrails that balance rapid innovation with secure practices.
The project also speaks directly to citizen developers, giving them an understanding of how their work may create risks and how to avoid common pitfalls. Governance bodies gain structured recommendations to align oversight with organizational goals and regulatory requirements, strengthening accountability across citizen development initiatives.
The key crossover focus of this document is to facilitate collaboration between business, security, and governance teams.
Mission
The mission of the OWASP Citizen Development Top 10 Project is to help organizations identify, prioritize, and mitigate risks tied to citizen development. The list explains how these risks manifest across various technologies and offers concrete mitigations to reduce them.
By providing accessible examples and guidance, the project equips both technical and non technical creators to make secure by default choices. Its goal is to establish the foundations that allow innovation to thrive while maintaining strong security practices.
The List
- CD-SEC-01: Blind Trust
- CD-SEC-02: Account Impersonation
- CD-SEC-03: Authorization Misuse
- CD-SEC-04: Sensitive Data Leakage and Handling Failures
- CD-SEC-05: Authentication and Secure Communication Failures
- CD-SEC-06: Vulnerable and Untrusted Components
- CD-SEC-07: Security Misconfiguration
- CD-SEC-08: Injection Handling Failures
- CD-SEC-09: Asset Management Failures
- CD-SEC-10: Security Logging and Monitoring Failures
How to contribute
Involvement in the development and promotion of OWASP Top 10 Low-Code/No-Code Security Risks is actively encouraged! You do not have to be a security expert in order to contribute.
Here are some ways you can help:
- We are looking for organizations and individuals that will provide vulnerability prevalence data
- Translate the top 10 to non-English languages
- Review, critique and suggest improvements to the Top 10 list
- Star the GitHub Project
- Contribute real world examples to categories in the Top 10 list
- Add your Success Story - tell us and the world how you’re using the Top 10 list
Individuals and organizations that provide a significant contribution to the project will be listed on the acknowledgments page.
How to reach out:
- Give us feedback / suggestions / report bugs on GitHub
- Follow us on Twitter
- Join our email group
- Contact the project leads
- Talk to us on Slack (#low-code-no-code-top10-security-risks)
Got an idea?
Got any ideas on how to make this project better? These guidelines will help with how to get involved:
- Join the conversation on email or Slack to find collaborators or see if others have a similar interest.
- Search the project’s GitHub issues for related proposals. Found one? Join it!
- If you haven’t found a relevant issue, create one! Clearly specify why your proposal is important and which changes are proposed. Advertise your proposal to others to find collaborators. See examples: Add descriptions for business users, Add product-specific examples.
Getting Started with your first Pull Request
A Pull Request (PR) can be created by following these steps:
- Fork this repository.
- Create an initial draft implementing your proposal and submit it for review as a PR. Don’t let perfect be the enemy of good.
- Advertise your proposal to others and ask for reviews.
- Once your PR is merged, continue to submit PRs to fine-tune and improve on previous versions.
- Congrats and thank you!
Contributors
Individuals that provided a significant contribution to the project:
| Name | Contributions | Affiliation | Contact |
|---|---|---|---|
| Michael Bargury | Project founder | Zenity | Twitter LinkedIn |
| Ory Segal | Project founder and leader | Palo Alto Networks | Twitter LinkedIn |
| Don Willits | Core contributor | Microsoft | |
| John McTiernan | Core contributor | DT Group | |
| Yianna Paris | Core contributor | Xebia | |
| Kayla Underkoffler | Project leader | Zenity | |
| Ziv Daniel Hagbi | Project leader | Zenity | |
Sponsors
The OWASP Top 10 Low-Code/No-Code Security Risks project is supported by Zenity.