Analysts Frank Domizio and Paul Swider collaborate to discuss citizen developers and what they mean for a company’s security.
Citizen developers are non-professional developers who use low-code or no-code platforms to create custom applications and solutions. They often do this as a means of automating business processes or creating custom tools that meet their organization’s specific needs. With the rise in hybrid development, low-code and enterprise developers have started forming project teams to create solutions.
While citizen developers can be a valuable asset to an organization, they also present some unique security risks that chief information security officers (CISOs) need to manage. For example, today, many finance, insurance, healthcare, and health and life science organizations collect personal information, including medical or clinical data. A CISO is responsible for securing protected health information (PHI). What if low-code teams were involved with this data collection? The CISO would need to communicate with and guide the low-code teams and confirm that the appropriate compliance tools are in place to help detect and handle data breaches or leakage.
In this analysis, we’ll discuss the risks involved with having citizen developers in your environment and how CISOs can help them be successful. We’ll also discuss some ideas around governance and compliance, third-party apps, and workflows that will help make sure you have success with low-code solutions.
The Risk of Citizen Developers
The primary risk associated with citizen developers is their lack of formal training in secure coding practices. Many may not have a computer science or software engineering background, and as such, may not be familiar with best practices for writing secure code. This can lead to vulnerabilities being introduced into custom applications, which can be exploited by malicious actors.
Another risk is that citizen developers may not be aware of the various security controls that are available to them when building custom applications. For example, they may not realize the importance of proper authentication and authorization control implementation, or of protecting sensitive data in transit and at rest.
How CISOs Can Guide Citizen Developers
CISOs can lessen the risk that comes with citizen developers by giving them strong guidance. Guidance can take the form of training on secure coding practices, as well as providing access to resources such as secure coding standards and guidelines.
In addition, the CISO can work with citizen developers to establish a secure development lifecycle (SDL) for custom applications. This can involve establishing a set of security standards that must be followed when building custom applications, as well as providing guidance on how to deploy applications in a secure manner.
It is also important for the CISO to establish clear communication channels with citizen developers so that they can seek guidance and ask questions as needed. This can help to ensure that citizen developers are aware of the latest security best practices and that they are able to incorporate these practices into their custom applications.
Governance and Compliance
Some organizations may have already developed a team responsible for low-code governance and compliance. Sometimes the compliance and governance teams are different groups. It is strongly recommended that the CISO have visibility into any existing compliance and governance efforts related to low-code, to ensure those groups' efforts align with the broader organization's current infosec compliance and governance policies. In addition, these governance and compliance groups can help facilitate communication from the CISO to the low-code developers.
Usually, when dealing with compliance issues and low-code, organizations turn to tools that help control data leakage and data sharing. Compliance concerns might include visibility into both the apps the organization creates and any third-party low-code solutions it uses.
This is a critical conversation for both the low-code teams and the CISO, but often overlooked. Questions that must be asked include: What third-party apps are we using to build low-code solutions, and what are the capabilities or risks of these apps? Who can create an app? What are the appropriate processes and tools for SDL? Where should data be stored, and how should it be accessed?
Governance plans, centers of excellence, and third-party tools tend to address some of the above-mentioned issues, but to ensure their directions are implemented, there need to be solid communication channels between the CISO and the development teams.
Another use case is when the organization purchases a third-party industry low-code solution as a SaaS package. Low-code SaaS solutions may require external contractors to access internal data and networking resources, and the CISO should have access to these details.
The CISO should also consider communicating with vendors working on low-code solutions. Often low-code developers will be internal to the organization; however, some organizations will hire contractors or vendors to build solutions.
Another consideration for the CISO is that many low-code platforms implement workflows and business processes using connectors or adapters to other systems. Low-code workflows and business processes can include email or omnichannel for notifications, credit checks and banking processes, collaboration software, databases, and more. The CISO should ensure there is a process to vet any low-code workflow connectors, especially connectors that extend to third-party apps.
As low-code teams build apps and integrate with enterprise line-of-business apps, the risk of downtime increases, and system downtime can be a security risk. Communication between the CISO and these teams is critical in these scenarios. Ask the low-code teams which core line-of-business systems they are integrating with or extending.
Sometimes, the communication needs to be bi-directional. Many low-code platforms run mostly in the cloud and are layered on existing technology stacks. SAP, Oracle, Microsoft, and Salesforce are some examples. Suppose an organization uses a low-code platform layered on a vendor’s cloud stack. In this case, the CISO should consider implementing a communication process to alert developers of any security bulletins from the underlying cloud provider.
Don’t be lulled into thinking that low-code assets are the only assets that require security vigilance. The CISO should ensure that any assemblies, database functions, or other back-end code created by enterprise developers adhere to established best practices.
Overall, citizen developers can be a valuable asset to an organization, but it is important for the CISO to provide guidance and support to ensure that custom applications are developed in a secure manner. By providing training and resources, establishing an SDL, implementing governance, and considering the implications of third-party relationships, the CISO can help to minimize the security risks associated with citizen development and ensure that custom applications are a benefit rather than a liability.