It's never been easier to develop and deploy enterprise applications, but that may not be a good thing for enterprise security teams.
The prevalence of automated software development tools and platforms has given nontraditional employees the ability to build their own applications. This citizen developer trend puts considerable power in the hands of non-IT departments and lines of business to create the applications they need almost on demand, benefiting their productivity and agility.
However, the trend also adds more work for enterprise security teams; more applications are being deployed by employees who lack traditional development skills and certifications, and infosec professionals must track, vet and patch these apps before potential vulnerabilities are deployed by attackers.
There are lingering questions for many in the software and security communities about how the citizen developer trend may affect enterprise risk. Is the citizen developer introducing more security risks for organizations, or can it actually reduce the attack surface in some cases? According to experts and executives in these fields, there's no easy answer.
Bill Berutti, president of enterprise solutions at BMC Software Inc., said the citizen developer trend can make the software development process easier and more unpredictable at the same time.
"The citizen developers could be any of us sitting at this table," Berutti told SearchSecurity at BMC Day 2017 in Boston recently. "It could be new people inside a company that aren't traditionally trained developers [or are] part of the organization that develops code, but now they're in a business and they're developing new applications. And, as we know, there are lots of tools that help them do that. I think that both of those things do create more risk."
Berutti said there's another factor related to citizen developers that's complicating matters for infosec teams.
"I would couple the citizen developer trend with DevOps, as well," he said. "What I mean by that is, the velocity of new applications being developed obviously is increasing, and the people that are involved in the development process are becoming not only faster paced, but less structured. And, in a lot of companies, it's not just less structured, but ... I don't want to say more chaotic, but it's less organized, and there's less policy."
Jon Fraser, managing director of service management for Online Business Systems, an IT consultancy headquartered in Winnipeg, Manitoba, believes the citizen developer trend has accentuated existing problems with software security.
"It's a huge problem in the industry today, even with professional developers, forget about the citizen developers," Fraser said. "Our organization does secure coding training with a lot of companies today. It's one of the biggest and most emerging problems in the industry because there's so much open source development happening. And the open source code comes from just wherever they want to go; there's very little vetting of the code components they're using. So it really is a huge problem."
On the other hand, the automation tools and platforms themselves do provide benefits from a security perspective. Fraser, for example, said automation has become an indispensable part of keeping the citizen developer within the walls of acceptable coding practices.
"It enhances and enforces the efficiency and enforces rules, so you can bake the rules into the automation to make sure you're following the right steps. You're not leaving it up to humans anymore, and that's gigantic," he said.
Allison Cramer, director of solutions marketing at BMC, agreed and said automation tools that have built-in security controls can serve as a benign presence for enterprise security teams instead of a blocker of progress.
"That's how security is traditionally looked at," Cramer said. "You don't want to bring them into DevOps because the perception was that they would just say 'no' all the time, or ruin the code, or put in this draconian process that wouldn't help. Now, they're showing that they can be more flexible in setting those policies."
The automated development tools can include everything from open source code tracking to vulnerability scanning and compatibility testing. For example, Fraser said he uses tools from Flexera Software and Palamida (which was acquired by Flexera recently) to scan for open source components and potential IP issues.
Citizen developers can also take advantage of integrated development environments (IDEs), which often feature built-in automated development tools.
Kevin Walker, Juniper Networks Inc.'s security chief technology and strategy officer, said IDEs can often root out common bugs automatically.
"There are really a lot of good IDEs right now from a security perspective," Walker said. "There's almost zero reason to check in code that has a known security flaw. It's almost mind-boggling."
Jean Yang, assistant professor of computer science at Carnegie Mellon University, said there are more options for and awareness around automated development tools today than existed just a few years ago. (In 2014, Yang herself created the Jeeves programming language, which is designed to automatically enforce information security and privacy policies in applications.)
"The automated tools are much better today, and I think there's been an increase in use, especially with programming analysis tools," she said.
Jean Yangassistant professor of computer science at Carnegie Mellon University
But Yang said the idea of citizen developers building applications without the proper tools and security controls is a chilling prospect for infosec teams.
"It's a terrifying thing from a security perspective. There are so many things that can go wrong with coding," she said.
Fraser said these tools are crucial not just for citizen developers, but for the entire DevOps process.
"You can't rely on people to be secure in DevOps," he said. "You have to put some sort of sheriff in town, and the automation is the sheriff: it enforces the protection, it enforces the steps to be followed and it enforces the security scanning."
Code training and education
If there's one thing that software developers and security professionals appear to agree on when it comes to application development it's that code training and education are a must, no matter who is developing the application.
"My best dollar ever spent as a multiple-time CISO was on education," Walker said. "Not training -- education."
Specifically, Walker said security education that reviews applications for errors and known bugs has proven to be hugely beneficial.
"The question is, what made the systems that were attacked susceptible, whether it's either ones that were vendor-supplied or code that we wrote? What caused that developer to write the code the wrong way to begin with?" Walker said. "If you go back and you deconstruct the code and detune that problem and look at what compelled him or her to write the code [incorrectly] to begin with, it's amazing what results come back."
Walker said that, in Juniper's case, such education reduced self-imposed vulnerabilities by nearly 100%.
"Typically, you fix vulnerabilities and they come back. You fix them and they come back," he said. "But here, they stayed down. And the other part is, now the development teams have time back in their pockets because they're not reworking applications and detecting the bugs."
Fraser believes developers, whether seasoned or inexperienced, need some kind of development training to prevent them from pushing out insecure applications.
"You need some fundamental secure code training for your developers; they need to understand the potential risks that they're exposing. Whether they're developing small apps or enterprise-size apps, they need to understand the potential risks and security holes," Fraser said. "It's not rocket science; it's not hard, but [citizen developers] just don't have that training."
It's not just citizen developers that are short on education and training. Rick Howard, chief security officer at Palo Alto Networks, said there's a general lack of expertise around DevOps and security best practices, which poses a threat to enterprises.
"The problem is, everybody thinks they're a DevOps shop, and they're not. They've renamed their IT teams, but they don't get it," he said. "Most people think DevOps is just IT stuff. It is not. Every update you have to do for security, every vulnerability scan, every maintenance upgrade, every new tool has to be automated, and all that stuff is part of the cycle."
On the plus side, Howard said the move toward cloud services has given enterprises the opportunity to rethink software development practices, adopt DevOps and embrace automation tools.
"Going to the cloud is our opportunity to get it done because now we're changing how we do our business anyway," he said. "DevOps allows you to look at the entire deployment as a system, see where the problems are, make decisions as a system and not try to do it in black boxes. It's going to save us all."
Regardless of where and how applications are being spun up, the demand for more apps and the pressure to deploy them quickly show no sign of relenting any time soon, which will make proper development practices and automated development tools even more important, no matter who is doing the coding.
"The bottom line is, it's hard to have all the structure that you want around your client security and other guideposts and [to] move as fast as people want to move today with as little structure as they want in place," Berutti said.
Site Editor Peter Loshin contributed to this report.
How to create a DevSecOps plan
Think ahead when adding security to app development
Will runtime application self-protection be the answer to delivering secure apps