Pro Coders Key to Stopping Citizen Developer Security Breach

Citizen development has been a buzzword since the emergence of low-code/no-code tooling, but adoption is just now reaching a significant scale. That’s led Forrester to predict this will be the year citizen development will create a headline-worthy security breach.
“Somebody who’s coming from the lines of business typically doesn’t have as much knowledge when it comes to security restraints and security controls, compliance, that sort of thing — but they do have a lot of interest in wanting to build out applications and systems,” said Forrester Research Director Chris Gardner. “Unfortunately, more developers and more apps equals a bigger attack surface area.”
Forty-five percent of organizations have adopted low-code/no-code, with 26% planning to do so in the next 12 months, Gardner said. In addition to citizen developers, 62% of professional developers are deploying with low-code/no-code solutions, he added.
While Forrester is predicting one major breach, Gardner said he wouldn’t be surprised if there were more than one, because citizen developer environments often lack proper governance policies.
How Shell Shored Up Low-Code Security
The oil company Shell is an example of a company that does low code well, Gardner said. The research firm recently did a case study on what Shell calls its Do-It-Yourself (DIY) program. The company breaks out citizen apps into three categories: Green, yellow and red; with green being relatively low risk and red being high risk.
“Green applications are ones that are relatively low risk. If you build out the application, you’re expected to run it and manage it,” Gardner said. “Generally speaking, those are the applications that get stood up most rapidly.”
Yellow applications are where the creator needs to integrate with other systems, and those integrations might require an IT professional to configure, he added.
The red category still allows a creator to build the app, but only with guidance from IT, because it may involve integrations with core systems or systems that hold sensitive data, he added.
“Without that green, yellow and red structure, you’re a lot more likely to have a breach; and most environments don’t have these landing zones set up that way for citizen developers,” Gardner said.
What Developers Can Do to Bolster Security
IT should review the roles and access given to citizen developers and create something similar to the Shell governance approach, he said.
Professional developers have a role to play in addressing the security threats citizen developers may create, he said.
“We don’t expect them [developers] to run into this problem as much, because they’re usually well-versed in security and data sensitivity, but they are going to be working alongside folks that don’t necessarily have that educational background,” Gardner said. “It’s going to be critical for them to teach the folks that are learning how to build out these applications in the business.”
Developer involvement will be particularly key when integration is involved.
“Those folks are going to be involved when you start getting into those higher categories of applications, the yellow and red, where you’re integrating with core systems and systems that have been managing critical systems of record for years, if not decades,” Gardner told The New Stack. “Those developers are going to be highly involved in making those connections and making sure that things get locked down properly.”
API Strategy Falls to Business Rather than IT
Another Forrester prediction that may directly affect developers is its forecast that enterprise business leaders, not IT, will direct more than 40% of API strategies. That goes against the conventional wisdom that IT drives API strategy, Gardner noted.
“APIs have transcended from being just pure application or infrastructure APIs. There [are] now business APIs, there [are] ones that take advantage of data and take advantage of transactions, and essentially, enable the data economy,” he said. “It’s not an IT conversation anymore. IT will make sure it stays secured and locked down and make sure that it’s tightly woven with everything else, but the business leader decides which ones are the most beneficial.”
API strategy is even becoming a board-level topic, as board members and C-level leaders have grasped that APIs can be a central part of the business strategy, he said. That makes sense because the greatest value of APIs comes when organizations use them to create new products, business models, and channels, according to Forrester. This means that leadership in the enterprise business organization should govern API strategy, the research firm said in its predictions.
API Shift Is Significant Change for Developers
Still, it’s a significant change for developers, Gardner added, since direction on which APIs to build and how they are managed will now come from the business rather than just IT. IT will still oversee the application, infrastructure, interface and integration APIs, but increasingly developers will field API requests from business leaders.
“They’re going to start getting requests from the business saying […] ‘Build me that data API that I wanted, build me that transaction API that I wanted,’ and developers are going to be tasked to build those various pieces alongside the APIs that they’re working on,” he said.
Developers will also need to hook into Infrastructure as Code APIs to build out modern, cloud native applications, he said.
“For the developer, this doesn’t change the fact that they’re building out their own APIs for purposes of application connectivity and infrastructure connectivity,” he said. “It does mean that they’re going to start building out APIs for business connectivity — and that’s going to be critical.”