Raising Security Awareness Among Citizen Developers
Citizen developers are now producing the types of applications once reserved for professional programmers. By using the low-code/no-code capabilities found in low-code application development platforms (LCAP), business workflow automation or RPA, they can bypass drawn-out development processes and reap the benefits of speed and efficiency. Perhaps even more significant is the resulting efficacy—because who knows better than the citizen developer what the company needs to solve its pain points?
Citizen developer platforms have opened up a new world for enterprises. At the same time, the rise of low-code platforms has introduced new concerns around citizen developer governance and low-code platform security.
With fewer security and compliance experts involved in the low-code development process, there are fewer security checkpoints from beginning to end. As a result, citizen developers must become more security aware and actively participate alongside the IT security and governance teams to mitigate risks. Let’s take a look at the background, the issues and how we can address them effectively.
The rise of citizen development
As the demand for software increases, business users have joined the ranks of developers to build applications for their companies and clients.
And why not? They’re on the ground, struggling to make sense of Google Sheets, waiting for IT, and feeling limited by the capabilities of their SaaS applications.
They’re also interfacing with clients and customers, fielding complaints, and trying to run department meetings with outdated data and unreliable metrics. They’re in the trenches, and they know exactly what they need to get their jobs done more efficiently.
Today, they are often much more than just business professionals.
They’re also—citizen developers.
Low-code security challenges
With the low-code/no-code (LCNC) revolution, these individuals are producing the types of applications that were once relegated to professional software developers. With so many citizen development platforms on the market, and sometimes hundreds of new applications being introduced every year within one company alone, businesses are transforming their legacy processes and joining the digital world at lightning speed.
This new digital business world appears idyllic.
And it is… mostly.
But there’s one glaring issue. Low-code security.
While citizen developers can whip up the most stunning apps without a single computer science course under their belts, most do not have any information security training. Many are unaware of the risks in web-based application development. Monitoring low-code security policies on their own, or thinking through the potential security ramifications of connectors and integrations, is simply something they have never had to do.
Additionally, CIOs and CISOs must now track the dozens, hundreds or even thousands of new apps their organization is producing. Because the low-code/no-code development pipeline moves faster and skips many of the steps in the traditional SDLC (software development lifecycle), there’s a greater need for security monitoring and governance.
Exacerbating the problem is the lack of governance and security tools for low-code/no-code. Without visibility, even the most experienced information security team finds their hands tied.
These low-code security challenges leave organizations and their clients vulnerable to inadvertent data leaks, data breaches, and malicious operations such as ransomware attacks, phishing attacks and distributed denial-of-service (DDoS) attacks.
How can an enterprise comfortably empower its citizen developers to innovate and build new and improved digital applications—with security in mind?
Step 1: Raise awareness
Ideally, citizen developers should be able to respond to the following questions:
- What does information security really mean?
- What are the ramifications of a security breach within our company?
- If a hacker wanted to attack the company through the last app you created, how would he do that?
Sure, it’s not comfortable to think about all the bad things that could happen. But sometimes the best way to appreciate information security is to practice thinking like a malicious hacker.
Veracode understood the significance of this approach and recently introduced a hacking game competition at universities to teach the importance of writing secure code. Once you have had hands-on practice in finding holes in code, you won’t ever look at code the same way.
While citizen developers are, by definition, not in computer science programs at universities, the same approach can be used for education within the framework of your organization.
Step 2: Think like a hacker
An ethical hacker is a professional, trained to find security holes in hardware, software, and system configuration. In fact, ethical hackers are often hired by companies to uncover and fix threats with penetration testing, vulnerability assessments, security audits and social engineering techniques.
As hackers, they are often the best ones to share that perspective and mindset with your citizen developers. Ethical hackers can educate citizen developers about potential risks in web-based application development and how best to avoid them before, during and after the low-code/no-code development process. They can also design training for your business developers, giving them hands-on experience of what it would be like to try to break into a low-code app and where vulnerabilities can lie.
But advanced education is only part of the solution.
Step 3: Learn from mistakes
By “learn from mistakes,” we do NOT mean that your citizen developers should need to experience a data breach or cybersecurity attack in order to learn what not to do. (“It’s not worth it” is an understatement here.)
We mean that citizen developers should learn from security policy violations. If a citizen developer inadvertently creates an application that violates security best practices and opens the organization up to risk, they should be informed about the issue and how to resolve it.
For example, if a citizen developer using Workato creates a Slack bot that allows employees to book their vacation days, the employees’ personally identifiable information (PII) ends up stored in that account’s storage. This violates security best practices because it creates a weak point from which malicious actors would have an easier time gaining access to the app and its permissions.
When the organization’s InfoSec or AppSec professionals catch the issue, not only should they remediate it, but they should include the citizen developer in the remediation process, and invest the time to explain why this was a problem. You can bet that citizen developers will take that knowledge with them and apply it in the future.
Giving IT and security the tools to help citizen developers
The big issue with that last step is that up until now, InfoSec and AppSec have lacked appropriate governance and security tools for low-code/no-code platforms for citizen developers. Without visibility, they are unable to pinpoint vulnerabilities, much less educate citizen developers on how to remediate and avoid those vulnerabilities in the future.
As security technology advances and focuses on the vulnerabilities associated with citizen development platforms, information security professionals will be able to better help their business developers become part of an organization-wide governance and security effort.
With citizen development on the rise, it behooves any company to not only provide its citizen developers with information security awareness and education, but to make them partners in securing their organization’s business growth.