Citizen developers typically work outside of the IT department and have access to a visual integrated development environment. This low-code/no-code environment utilizes drag-and-drop application components, allowing people with little to no software experience to build applications that meet business needs.
The business appeal of this setup is obvious – if done well, it allows individual business units to build tools that solve their own problems while freeing IT teams to focus on other tasks.
Enter the security team. The developer fundamentally does not want to interact with security, because traditionally the experience has been, "Hey, as soon as security gets involved, it adds six to seven months of complexity to get them up to speed with what a developer is doing." And the security team is trying to have these conversations but are often unfamiliar with a developer landscape and what they have the capability of
doing.
What may happen is the Infosec team blesses the platform or solution when it's launched, but the developers, as time goes on, have the ability to change the rules and access controls, third party hooks, APIs, different apps that they're using, and evolve the cybersecurity posture away from that initial proof state with no interaction with security until there is a major event.
The potential security risks from this approach could be huge. So huge, in fact, that Forrester is predicting citizen development will lead to a headline security breach in 2023.
According to Forrester’s Developer Survey, in 2022, 39% of developers say their firm currently uses low- code to empower developers outside of IT through a citizen developer strategy, and another 27% plan to do so in the next 12 months. At the same time, early adopters of citizen development are just now reaching significant scale, with thousands of businesspeople creating new applications that wouldn’t otherwise exist and continuously adapting them. This means the surface area for potential security breaches is exploding, even when using mature low-code platforms. Remember, citizen developers are amateurs and unlikely trained on application security, secure coding, or data sensitivity. As such we expect a widely reported security breach at a major enterprise before the year is out.
And, many of these low-code applications are Git-based. This creates an additional level of concern, as GitHub users recently learned they had been exposed through a large security breach. On top of the security concerns, citizen developers are struggling with the requirements of the more technical solutions including Git, Jenkins, and Ansible.
The threat is real, but there are solutions savvy teams can use to protect themselves. Flosum is purpose built for citizen developers, and we're here to accelerate transformation and shift left with improved cybersecurity posture. We’re excited to explore this topic soon in an upcoming webinar. Join Flosum and guest Forrester for a free, interactive webinar on Dec. 1, 2022 where we’ll unpack the security risks of citizen
development and offer some practical tips teams can implement to help mitigate those risks.
Forrester blog: “Predictions 2023: Citizen Development And The Metaverse Stir Up Software Development” , Chris Gardner, November 17, 2022
Click here to view the webinar
