Citizen Development Risks – Dave Hatter
The Privacy and Security Risks of “Citizen Development”
Marc Andreessen, founder of Netscape and a well-known technology investor, famously said “‘Software is Eating the World” way back in 2011 and it’s obvious now that he was right. We live in a Software Defined Everything (SDE) world where even your coffee maker is “smart”, and the trend of software in everything shows no signs of slowing down. In fact, it’s estimated there will be 76 billion Internet of Things (IoT) aka “smart devices”, each driven by software, online by 2025, and Microsoft has said there will be a whopping 500 million new apps built over the next five years.
All this software is driving the rapid digital transformation of our world and while the demand for software development has never been higher, it greatly outstrips the available supply. Gartner reported that demand for software development will grow five times faster than conventional IT departments and the average IT project backlog is between 3 and 12 months per Appian.
Compounding the issue is the growing shortage of software developers. Forrester has reported that there will a shortage of 500,000 developers in the United States by 2024 and IDC has reported the shortage of software developers may reach 4,000,000 worldwide by 2025.
To quench the demand for software development and to accelerate value delivery many organizations have embraced “Citizen Development”. Citizen Development democratizes software development by allowing “Citizen Developers” – individuals with little or no programming experience – to use low-code or no-code (LCNC) tools to quickly build and deploy software applications. LCNC tools are rapidly growing in popularity, Gartner predicts that by 2025, 70% of enterprises will use LCNC tools and LCNC platforms expected to reach $187 billion in sales by 2030 according to Research and Markets.
This is a fundamental shift in how organizations build and maintain software applications. Individuals without an extensive technical background can build business ready applications using visual interfaces and pre-built components with little or no coding required. Readily available LCNC tools such as Microsoft Power Apps, Appian, Zoho, Quickbase, and Salesforce Lightning allow business professionals with domain knowledge to create applications tailored to their specific needs without waiting for or relying on traditional software developers in the IT department or at an external consulting company.
The reasons for the growing popularity of Citizen Development include:
- Speed: Citizen developers can build and deploy applications very quickly compared to traditional approaches.
- Agility: Non-technical people can meet business needs and address challenges themselves. Additionally, these solutions are typically easy to modify as business needs evolve.
- Empowerment: Virtually any knowledgeable and motivated employee can contribute directly to digital transformation efforts.
- Cost: Organizations can reduce their reliance on professional programmers, cutting costs and allowing better use of resources.
- Innovation: Domain experts can quickly build prototypes or fully working applications with little effort or risk.
As a result of the exploding popularity of LCNC tools and the benefits they deliver, organizations of all sizes may find themselves leveraging LCNC tools. And while the democratization of software development can significantly speed project delivery and reduce demand on traditional IT departments, like many “Shadow IT” solutions that originate outside the IT department, Citizen Development introduces privacy and security concerns for organizations that employ it. For example, non-technical users might not be aware of privacy concerns or security best practices, leaving their applications more susceptible to attacks or leaks. Increasingly frequent and increasingly devastating cyberattacks demand that organizations understand and address these concerns. Let’s examine each in more detail.
Citizen Development Privacy Risks:
- Compliance Issues: Privacy regulations such as GDPR, HIPAA and CCPA require organizations to protect personal data. Lack of compliance creates the potential for large fines.
- Data Leakage/Theft: Citizen developers may inadvertently expose sensitive data through misconfigured access controls, misconfigured platforms or by sharing data with unauthorized users. This can result in data breaches, regulatory fines, and reputational damage.
- Lack of Encryption: Citizen developers may not understand and/or prioritize encryption when designing applications, leaving data vulnerable to interception or theft.
Citizen Development Security Risks:
- Authentication and Authorization Issues: Citizen developers may not be aware of best practices to secure user access or may not understand the sensitivity of data leading to unauthorized access and/or data breach.
- Patch Management: Citizen developers may not keep tools updated with the latest security patches. This can leave applications exposed to known vulnerabilities.
- Software Vulnerabilities: Citizen-developed applications may be missing proper security measures, making them susceptible to all-too-common vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Integration Risks: Integrating citizen-developed applications with existing systems can introduce security vulnerabilities that cascade across systems.
- Backup and Disaster Recovery: Citizen developers may not understand the terms of service of LCNC platform-as-a-service (PaaS) offerings or prioritize continuity of critical systems which could lead to gaps in data protection and downtime.
- Vulnerabilities in Third-Party Components: LCNC platforms often rely on third-party components and integrations whose lineage and security posture are unclear. Security vulnerabilities in third-party components can expose applications to attacks. This speaks strongly to the need for a Software Bill of Materials (SBOM) to understand dependencies and lineage.
- Limited Testing: Citizen developers may not have the expertise or resources to conduct thorough security testing.
Organizations should ensure they address the following to reduce the risks of Citizen Development:
- Training and Awareness: Require training programs to educate citizen developers about privacy and security best practices to ensure they take prudent steps to protect the privacy and security of LCNC applications.
- Secure By Design: Security should never be an afterthought or retrofitted to existing applications. Ensure that citizen developed applications are secure by design. Involve security professionals to provide guidance and to design security into applications.
- Access Controls and Permissions: Ensure that developers understand the sensitivity of the data they have access to and implement robust access controls and permissions commensurate with the data sensitivity. Regularly review and update permissions.
- Integration with Identity and Access Management (IAM): Integrate LCNC platforms with organizational IAM systems to ensure that user identities are managed securely and consistently. For example, Single Sign On (SSO) with Active Directory.
- Encryption: Encourage the use of encryption for sensitive data at rest and in transit.
- Regular Auditing and Monitoring: Continuously monitor and audit citizen-developed applications for unusual activity or unauthorized access. Implement automated alerts for anomalous behavior.
- Centralized Governance: Establish a governance framework to centralize control over citizen-developed applications including approval processes, version control, maintenance, and compliance checks.
- Vendor Assessment: Assess vendor security and compliance measures to ensure they meet organizational standards and compliance requirements. For example, review their SLA/SLO’s, ask for an independent SOC 2 Type 2 audit, and request a Software Bill of Materials (SBOM).
- Data Lifecycle Management: Define clear data retention policies for citizen-developed applications.
- Penetration Testing: Conduct regular penetration testing to identify and correct vulnerabilities.
- Leverage existing resources: The Project Management Institute (PMI) has excellent vendor-agnostic educational resources and tools for Citizen Development. I recently completed the PMI Citizen DeveloperTM Practitioner course and recommend it for those looking to engage in Citizen Development. You can learn more here.
The advent of LCNC platforms has revolutionized the way software is developed and it offers immense potential for organizations seeking speed, agility and efficiency.
However, the convenience and accessibility of citizen development brings inherent privacy and security risks that must be addressed proactively, and organizations should strive to strike a balance between fostering Citizen Development and safeguarding sensitive data.
A well-executed citizen development strategy can empower employees, drive innovation, and significantly contribute to the overall success of digital transformation initiatives. By investing in training, robust security, trustworthy platforms and a good governance framework, organizations can leverage the power of Citizen Development while minimizing the associated risks.
Dave Hatter –CISSP, CISA, CISM, CCSP, CSSLP, PMP, PMI-ACP, PMI-PBA, PSM 1, PSD1, ITIL