
The Unintended Security Threat of Citizen Development

Written by Admin | Nov 11, 2022 3:13:17 PM

As organizations strive to enhance their digital capabilities and do more with less, the concept of citizen development has become increasingly popular.

Citizen developers typically work outside of the IT department and have access to a visual integrated development environment. This low-code/no-code environment uses drag-and-drop application components, allowing people with little to no software experience to build applications that meet business needs.

The business appeal of this setup is obvious: if done well, it allows individual business units to build tools that solve their own problems while freeing IT teams to focus on other tasks.


Enter the security team. Developers fundamentally do not want to interact with security, because traditionally the experience has been, "Hey, as soon as security gets involved, it adds six to seven months of complexity to get them up to speed with what a developer is doing." The security team, for its part, is trying to have these conversations but is often unfamiliar with the developer landscape and with what developers are capable of doing.


What often happens is that the InfoSec team blesses the platform or solution when it launches, but as time goes on the developers are able to change the rules, the access controls, the third-party hooks, the APIs and the apps they use, so the security posture drifts away from the state that was originally reviewed, with no interaction with security until there is a major event.
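That drift can be measured rather than discovered after an incident. The following Python script is an added example, not Flosum's code or anything from the Forrester report: it compares a snapshot of an app's permissions, sharing settings, API hooks and connected apps taken when security approved it against the current snapshot, lists every difference, and flags the ones that widen access or add an unauthenticated integration as requiring a security re-review. The two snapshots are constructed sample data, and the field names and severity rules are assumptions for illustration, not any platform's export format.

```python
"""Drift check for a low-code app's security-relevant configuration.

Added example (not Flosum's code). Compares the snapshot security approved
at launch (the baseline) with the current snapshot and reports every change
to access controls, sharing, API hooks and connected apps. Both snapshots
are constructed sample data; the schema and severity rules are assumed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed baseline: what security reviewed when the app launched.
BASELINE_JSON = """
{
  "app": "expense-tracker",
  "permissions": {
    "Finance_User": ["read:Expense", "write:Expense"],
    "Finance_Admin": ["read:Expense", "write:Expense", "approve:Expense"]
  },
  "sharing": {"Expense": "private"},
  "api_hooks": {
    "erp-sync": {"url": "https://erp.example.com/hook", "auth": "oauth"}
  },
  "connected_apps": ["erp-sync"]
}
"""

# Constructed current state after months of unreviewed citizen-developer changes.
CURRENT_JSON = """
{
  "app": "expense-tracker",
  "permissions": {
    "Finance_User": ["read:Expense", "write:Expense", "approve:Expense"],
    "Finance_Admin": ["read:Expense", "write:Expense", "approve:Expense", "export:Expense"]
  },
  "sharing": {"Expense": "public_read"},
  "api_hooks": {
    "erp-sync": {"url": "https://erp.example.com/hook", "auth": "oauth"},
    "slack-notify": {"url": "https://hooks.example-chat.com/abc", "auth": "none"}
  },
  "connected_apps": ["erp-sync", "slack-notify", "csv-export-tool"]
}
"""


@dataclass(frozen=True)
class Drift:
    path: str      # dotted path to the changed setting
    kind: str      # "added", "removed" or "changed"
    before: object
    after: object


def _flatten(obj, prefix=""):
    """Turn nested dicts/lists into {dotted_path: leaf_value}.
    Lists of scalars are treated as sets, so reordering is not drift."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(_flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list) and all(not isinstance(x, (dict, list)) for x in obj):
        for item in obj:
            out[f"{prefix}{item}"] = True  # membership, not position
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(_flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def find_drift(baseline: dict, current: dict) -> list[Drift]:
    """Return every setting that differs between the approved baseline and now."""
    b, c = _flatten(baseline), _flatten(current)
    drifts = []
    for path in sorted(set(b) | set(c)):
        if path not in c:
            drifts.append(Drift(path, "removed", b[path], None))
        elif path not in b:
            drifts.append(Drift(path, "added", None, c[path]))
        elif b[path] != c[path]:
            drifts.append(Drift(path, "changed", b[path], c[path]))
    return drifts


def severity(d: Drift) -> str:
    """Illustrative rules: changes that widen access or add an unauthenticated
    integration are high; other new hooks/apps are medium; the rest low."""
    if d.path.startswith("sharing.") and d.kind == "changed":
        return "high"    # record visibility changed
    if d.path.startswith("permissions.") and d.kind == "added":
        return "high"    # a profile gained a new right
    if d.path.startswith("api_hooks.") and d.path.endswith(".auth") and d.after == "none":
        return "high"    # hook with no authentication
    if d.kind == "added":
        return "medium"  # new hook or connected app
    return "low"


def review_required(drifts: list[Drift]) -> list[Drift]:
    """The subset of drift that should block a release until security re-reviews."""
    return [d for d in drifts if severity(d) == "high"]


def sample_drift() -> list[Drift]:
    """Drift between the two constructed snapshots above."""
    return find_drift(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))


if __name__ == "__main__":
    for d in sample_drift():
        print(f"[{severity(d):6}] {d.kind:7} {d.path}: {d.before!r} -> {d.after!r}")
```

Run against the sample snapshots, the script reports seven differences, four of them high: the Finance_User profile gained approve rights, Finance_Admin gained export rights, Expense records went from private to public_read, and a new hook was wired up with no authentication. In practice the baseline would be captured at the point security signed off and the comparison run on every deployment, so that a change to access controls or integrations is a review event rather than something found after a breach.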


The potential security risks from this approach could be huge. So huge, in fact, that Forrester is predicting that citizen development will lead to a headline security breach in 2023.


According to Forrester's Developer Survey, 2022, 39% of developers say their firm currently uses low-code to empower developers outside of IT through a citizen developer strategy, and another 27% plan to do so in the next 12 months. At the same time, early adopters of citizen development are just now reaching significant scale, with thousands of businesspeople creating new applications that wouldn't otherwise exist and continuously adapting them. This means the surface area for potential security breaches is exploding, even when using mature low-code platforms. Remember, citizen developers are amateurs and unlikely trained on application security, secure coding, or data sensitivity. As such we expect a widely reported security breach at a major enterprise before the year is out.


Many of these low-code applications are also Git-based, which adds a further concern: GitHub users recently learned they had been exposed through a large security breach. On top of the security concerns, citizen developers struggle with the requirements of the more technical solutions, including Git, Jenkins and Ansible.


The threat is real, but there are solutions savvy teams can use to protect themselves. Flosum is purpose-built for citizen developers, and we're here to accelerate transformation and shift left with an improved cybersecurity posture. We'll explore this topic in an upcoming webinar: join Flosum and Forrester for a free, interactive webinar on Dec. 1, 2022, where we'll unpack the security risks of citizen development and offer some practical tips teams can implement to help mitigate those risks.
