Citizen developers typically work outside of the IT department and have access to a visual integrated   development environment. This low-code/no-code environment utilizes drag-and-drop application   components, allowing people with little to no software experience to build applications that meet   business   needs.

The business appeal of this setup is obvious – if done well, it allows individual business units to build   tools that solve their own problems while freeing IT teams to focus on other tasks.

 Enter the security team. The developer fundamentally does not want to interact with security, because   traditionally the experience has been, "Hey, as soon as security gets involved, it adds six to seven months of   complexity to get them up to speed with what a developer is doing." And the security team is trying to   have   these conversations but are often unfamiliar with a developer landscape and what they have the capability of

 What may happen is the Infosec team blesses the platform or solution when it's launched, but the   developers, as time goes on, have the ability to change the rules and access controls, third party hooks,   APIs, different apps that they're using, and evolve the cybersecurity posture away from that initial proof   state with no interaction with security until there is a major event.

 The potential security risks from this approach could be huge. So huge, in fact, that Forrester is predicting   citizen development will lead to a headline security breach in 2023.

 According to Forrester’s Developer Survey, in 2022, 39% of developers say their firm currently uses low-   code to empower developers outside of IT through a citizen developer strategy, and another 27% plan to do   so in the next 12 months. At the same time, early adopters of citizen development are just now   reaching   significant scale, with thousands of businesspeople creating new applications that wouldn’t otherwise exist   and continuously adapting them. This means the surface area for potential security breaches is exploding,   even when using mature low-code platforms. Remember, citizen developers are amateurs and unlikely   trained on application security, secure coding, or data sensitivity. As such we   expect  a widely reported   security breach at a major enterprise before the year is out.

 And, many of these low-code applications are Git-based. This creates an additional level of concern, as   GitHub users recently learned they had been exposed through a large security breach. On top of the   security   concerns, citizen developers are struggling with the requirements of the more technical solutions including   Git, Jenkins, and Ansible.

 The threat is real, but there are solutions savvy teams can use to protect themselves. Flosum is purpose built   for citizen developers, and we're here to accelerate transformation and shift left with improved   cybersecurity posture. We’re excited to explore this topic soon in an upcoming webinar. Join Flosum and   guest Forrester for a free, interactive webinar on Dec. 1, 2022 where we’ll unpack the security risks of citizen
 development and offer some practical tips teams can implement to help mitigate those risks.

 Forrester blog: “Predictions 2023: Citizen Development And The Metaverse Stir Up Software Development” ,   Chris Gardner, November 17, 2022
Click here to view the webinar

signup for our blog


“Flosum is the best native release management tool that you will fall in love with. I have gained confidence in my role and has given me the ability to view release management from a whole different perspective.”

Faizan Ali

Faizan Ali
Salesforce Consultant at Turnitin