
What Application Security Within Shadow IT Looks Like


In the realm of application security (AppSec), challenges abound. From difficult-to-use programs to overloaded staff working with inadequate budgets, the obstacles are clear. And communication with developers? That can be a whole other issue. These struggles have become all too common in the tech world. So, when a team of two individuals managed to address a staggering 70,000 security vulnerabilities in just three months, it was nothing short of astonishing.

But wait, it gets even more impressive. They in fact discovered 80,000 vulnerabilities and fixed 70,000 of them within a 90-day window. These numbers aren’t just a reflection of highly vulnerable apps; they reflect a deep dive into development that happens beyond the usual boundary between professional and citizen developers, often referred to as shadow IT.

The concept of citizen developers, individuals not formally trained in software development but deeply involved in creating applications, has become pervasive in large enterprises. Microsoft’s Power Platform, an increasingly popular low-code/no-code platform integrated into M365, has attracted over 33 million users, marking a 50% growth year over year. These users, who are part of various enterprises, are involved in developing crucial applications spanning finance, risk management, and customer service, driving digital transformation within the business.

Despite the growth and benefits of citizen development, it poses unique security challenges. Citizen development operates at a far larger scale than traditional professional development, which makes it harder to manage. Additionally, different business units within a large corporation may operate under distinct laws and regulations, each with its own risk appetite. Citizen developers themselves may lack in-depth security expertise, focusing more on advancing business objectives than on security practices. Lastly, the rapid pace of citizen development creates its own problems: changes are often made directly in production environments without a structured software development life cycle.

Fortunately, emerging standards are providing guidance on categorizing and documenting security vulnerabilities in apps developed by citizen developers. To effectively address these challenges, an innovative approach to AppSec for citizen development is required. This approach emphasizes automation and self-service, streamlining processes and ensuring rapid responses to security issues.

Establishing a successful AppSec program for citizen developers involves creating a framework that incorporates automation, clear documentation, self-service portals for issue resolution, and enforcement of SLAs for vulnerability remediation. By maintaining a strong focus on tracking progress and reporting outcomes, organizations can effectively mitigate security risks associated with citizen development.
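To make the SLA-enforcement and reporting part of that framework concrete, here is an added example (not code from the article or the team it describes) that tracks findings in low-code apps per business unit, applies severity-based remediation SLAs with tighter overrides for units with a lower risk appetite, and produces the remediation-rate report and escalation list such a program would publish. The SLA values, unit names and sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical SLA days by severity; the override table tightens them for a unit with a lower risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
UNIT_OVERRIDES = {"finance": {"critical": 3, "high": 14}}

@dataclass
class Finding:
    app: str                      # low-code app the finding belongs to
    unit: str                     # owning business unit
    severity: str
    found: date
    fixed: Optional[date] = None  # None while the finding is still open

def deadline(f: Finding) -> date:
    days = UNIT_OVERRIDES.get(f.unit, {}).get(f.severity, SLA_DAYS[f.severity])
    return f.found + timedelta(days=days)

def status(f: Finding, today: date) -> str:
    """open, overdue, fixed-in-sla or fixed-late, relative to the SLA deadline."""
    due = deadline(f)
    if f.fixed is None:
        return "overdue" if today > due else "open"
    return "fixed-in-sla" if f.fixed <= due else "fixed-late"

def report(findings, today):
    """Per-unit status counts plus the overall remediation rate in percent."""
    per_unit = {}
    for f in findings:
        row = per_unit.setdefault(f.unit, {"open": 0, "overdue": 0, "fixed-in-sla": 0, "fixed-late": 0})
        row[status(f, today)] += 1
    fixed = sum(1 for f in findings if f.fixed is not None)
    return per_unit, (round(100.0 * fixed / len(findings), 1) if findings else 0.0)

def escalations(findings, today):
    """Open findings past their deadline, with days overdue, for escalation to the unit."""
    return [(f.app, f.unit, (today - deadline(f)).days)
            for f in findings if status(f, today) == "overdue"]

# Constructed sample findings (not real data), evaluated as of a fixed reporting date.
TODAY = date(2024, 4, 1)
SAMPLE = [
    Finding("ExpenseApprovals", "finance", "critical", date(2024, 3, 1), date(2024, 3, 3)),
    Finding("VendorOnboarding", "finance", "high", date(2024, 2, 1), date(2024, 3, 10)),
    Finding("CaseTracker", "customer-service", "high", date(2024, 3, 15)),
    Finding("Refunds", "customer-service", "medium", date(2024, 1, 1)),
    Finding("RiskRegister", "risk", "low", date(2024, 1, 20), date(2024, 3, 1)),
]
```

Calling `report(SAMPLE, TODAY)` gives the per-unit breakdown and a 60.0% remediation rate, and `escalations(SAMPLE, TODAY)` lists the one finding that has blown its SLA.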

The success story of the team that tackled 70,000 vulnerabilities exemplifies the effectiveness of such an approach. By meticulously designing processes and adhering to best practices, they were able to significantly enhance security in their environment without disruption to business operations. While their achievements may be extraordinary, the principles they applied can be replicated in other organizations to achieve remarkable results and bolster overall security posture.
