
Vulnerabilities / Threats

7/19/2017
10:30 AM
Mike Lemire
Commentary

4 Steps to Securing Citizen-Developed Apps

Low- and no-code applications can be enormously helpful to businesses, but they pose some security problems.

IT security, at its best, is about enabling the business and its employees to operate securely without unnecessarily straining productivity or the bottom line. However, as more companies push technology-driven initiatives such as digital transformation, many are struggling with balancing the two.

One of the key areas where this is playing out is with applications developed by business users, sometimes referred to as citizen-developed apps. These applications are built by regular employees using little to no code, and deployed through a cloud-based application-platform-as-a-service (aPaaS) model. Citizen-developed apps are growing in popularity; according to Forrester, the low-code market will grow from $1.7 billion in 2015 to more than $15 billion by 2020. Companies use these apps for everything from procurement and order management to tracking who will bring secret Santa gifts for the office Christmas party.

While organizations are realizing massive gains in productivity and cost savings by leveraging low- or no-code development tools, those gains may come at a cost. Since apps can be built and deployed with limited (or no) involvement of IT, many organizations have concerns over user and data governance. However, the issue is not necessarily the tools themselves but how the organization manages them. While that list of holiday gifts doesn't pose a high security risk, apps that contain sensitive corporate information can.

The good news is that security and IT leaders can determine exactly how much power and freedom they want to give citizen developers and, conversely, how much control they need to avoid the perils of shadow IT. Here are some best practices for securing citizen-developed enterprise applications.

Update your policies: While most companies have security policies in place, these policies now need to specifically address use of cloud services, including aPaaS. Beyond documenting the policy, it's important to educate employees on data and user governance guidelines: What data is OK to store in cloud services and what is not, and with whom can data be shared? Regulatory requirements also affect the types of applications employees may develop and how they may use them. For example, in the US, protected health information is subject to HIPAA, credit card data is governed by PCI, and education records are subject to FERPA. Policies and guidelines specific to citizen development are also becoming more common. According to Gartner's Strategic Planning Assumption, by 2020 at least 70% of large enterprises will have established successful citizen development policies, up from 20% in 2010.

Classify and risk-rank your data: A data classification matrix tells users the sensitivity level of each kind of data, commonly public, internal use, and confidential. Consider the type of data that users intend to upload to applications and adjust security measures accordingly. "Riskier" data might include personal information such as Social Security numbers, company financial information, details on proprietary technology, and so forth. Instituting a data classification schema ensures that users know exactly which information is confidential, which is internal only, and which is open to the public. Once information is classified, app builders can handle data in accordance with security policies.

Enforce (and review!) role-based access: In aPaaS, as with other IT services, role-based access control is essential. One way to ensure that certain applications are accessed only by authorized users is to implement single sign-on and use security groups. For example, if the finance team is working on a project involving sensitive financial data, add everyone involved to a finance security group and assign permissions to the whole team through that group. For applications involving sensitive employee data, you might use a group so that only people in the HR department can access that information.

Once you have set permissions and access rights to your applications, review who has access to what at least once a quarter, making sure that new hires, departures, and employees whose roles have changed have the appropriate access.
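The group-based model and the quarterly review described above can be checked mechanically. The following Python script is an added example, not Quick Base code or any vendor's API: it cross-checks a constructed HR roster against constructed identity-provider security groups and per-app grants, and flags departed users who are still in a group, users whose department no longer matches the group they sit in, and direct grants that bypass the group model (the kind that quietly survive a role change). All names, groups and apps are made up for the example.

```python
"""Quarterly access review for citizen-developed apps (added example, not
Quick Base code). Cross-checks the identity provider's security groups and
any direct per-app grants against the HR roster to find departed users,
users whose role no longer matches the group, and grants that bypass groups."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    active: bool


# Constructed sample data: HR roster, IdP security groups, the department
# each group is supposed to mirror, and each app's trusted groups plus any
# direct user grants made outside the group model.
ROSTER = {
    "alice": Employee("alice", "Finance", True),
    "bob": Employee("bob", "HR", True),
    "carol": Employee("carol", "Finance", False),      # has left the company
    "dave": Employee("dave", "Engineering", True),     # transferred out of Finance
    "erin": Employee("erin", "HR", True),
}
GROUPS = {
    "finance-team": {"alice", "carol", "dave"},
    "hr-team": {"bob"},
}
GROUP_DEPARTMENT = {"finance-team": "Finance", "hr-team": "HR"}
APPS = {
    "quarterly-forecast": {"groups": {"finance-team"}, "direct_users": set()},
    "employee-records": {"groups": {"hr-team"}, "direct_users": {"erin", "dave"}},
}


def review_access(roster, groups, group_department, apps):
    """Return (finding, user, group_or_app) tuples for an access reviewer."""
    findings = []
    for group, members in groups.items():
        expected_dept = group_department.get(group)
        for user in sorted(members):
            emp = roster.get(user)
            if emp is None or not emp.active:
                findings.append(("departed", user, group))
            elif expected_dept and emp.department != expected_dept:
                findings.append(("role-changed", user, group))
    for app, acl in apps.items():
        for user in sorted(acl["direct_users"]):
            emp = roster.get(user)
            if emp is None or not emp.active:
                findings.append(("departed-direct-grant", user, app))
            else:
                # Active user, but granted outside the group model: the
                # grant will not be revoked when the user changes role.
                findings.append(("direct-grant", user, app))
    return findings


def effective_users(app_name, groups, apps):
    """Everyone who can currently reach the app, via groups or direct grants."""
    acl = apps[app_name]
    users = set(acl["direct_users"])
    for group in acl["groups"]:
        users |= groups.get(group, set())
    return users


if __name__ == "__main__":
    for finding in review_access(ROSTER, GROUPS, GROUP_DEPARTMENT, APPS):
        print("%-22s %-6s %s" % finding)
    print("employee-records reachable by:",
          sorted(effective_users("employee-records", GROUPS, APPS)))
```

In a real deployment the roster and group membership would be pulled from the HR system and the identity provider rather than embedded, but the review logic is the same: the roster is the source of truth, and anything the groups or direct grants say that the roster does not support is a finding for the quarterly review.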

Review and implement security settings for app access: Security settings are a balance between usability and protection. Finding the right balance for your organization largely depends on what types of data will be processed and stored. Review the security enhancements and options your aPaaS vendor offers for locking down citizen-developed apps, including network, authentication, and session settings. You may consider IP filtering so that the aPaaS is accessible only from your corporate office. Pay particular attention to strengthening authentication controls by requiring two-factor authentication and strong passwords. For applications that aren't storing sensitive data, you may consider less strict security measures, which will also keep citizen developers and users as productive as possible.
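The "classify, then adjust settings" approach of the last two steps can be expressed as a baseline check. The Python script below is an added example, not any vendor's API: it derives an app's classification from the most sensitive field it stores, maps each classification level to a minimum set of controls (two-factor authentication, an IP allowlist, password length, session timeout), and reports where an app's settings fall short. The field names, levels, thresholds, sample apps and the 203.0.113.0/24 allowlist entry are all constructed; a real check would read the settings from the platform's admin console or export.

```python
"""Classification-driven settings check for aPaaS apps (added example, not
any vendor's API). Derives each app's classification from the most
sensitive field it stores, then compares its settings to a per-level
baseline. Field names, levels, thresholds and sample apps are constructed."""

LEVELS = ["public", "internal", "confidential"]

# Field-name to classification lookup; fields not listed default to internal.
FIELD_CLASS = {
    "ssn": "confidential",
    "salary": "confidential",
    "card_number": "confidential",
    "diagnosis": "confidential",
    "employee_name": "internal",
    "email": "internal",
}

# Minimum controls per level (assumed values, chosen to illustrate the
# "less strict for non-sensitive apps" trade-off from the text).
BASELINE = {
    "public": {"mfa": False, "ip_allowlist": False, "min_password_len": 8, "max_session_min": 480},
    "internal": {"mfa": False, "ip_allowlist": False, "min_password_len": 12, "max_session_min": 240},
    "confidential": {"mfa": True, "ip_allowlist": True, "min_password_len": 14, "max_session_min": 30},
}


def classify_app(fields):
    """Most sensitive field wins; an app with no fields is treated as public."""
    return max((FIELD_CLASS.get(f, "internal") for f in fields),
               key=LEVELS.index, default="public")


def check_settings(app):
    """Return (classification, list of baseline violations) for one app."""
    level = classify_app(app["fields"])
    required = BASELINE[level]
    cfg = app["settings"]
    violations = []
    if required["mfa"] and not cfg.get("mfa", False):
        violations.append("two-factor authentication must be enforced")
    if required["ip_allowlist"] and not cfg.get("ip_allowlist"):
        violations.append("IP allowlist must restrict access to corporate addresses")
    if cfg.get("min_password_len", 0) < required["min_password_len"]:
        violations.append("minimum password length must be at least %d"
                          % required["min_password_len"])
    if cfg.get("session_min", float("inf")) > required["max_session_min"]:
        violations.append("session timeout must be at most %d minutes"
                          % required["max_session_min"])
    return level, violations


# Constructed sample apps: the gift list, a payroll app left on permissive
# defaults, and the same payroll app after its settings were hardened.
SAMPLE_APPS = {
    "secret-santa": {
        "fields": ["employee_name", "gift"],
        "settings": {"mfa": False, "ip_allowlist": [], "min_password_len": 12, "session_min": 240},
    },
    "payroll-weak": {
        "fields": ["employee_name", "salary", "ssn"],
        "settings": {"mfa": False, "ip_allowlist": [], "min_password_len": 8, "session_min": 480},
    },
    "payroll-hardened": {
        "fields": ["employee_name", "salary", "ssn"],
        "settings": {"mfa": True, "ip_allowlist": ["203.0.113.0/24"],
                     "min_password_len": 14, "session_min": 30},
    },
}

if __name__ == "__main__":
    for name, app in SAMPLE_APPS.items():
        level, problems = check_settings(app)
        print(f"{name}: {level}, {problems or 'meets baseline'}")
```

The gift-list app passes at the internal level with no MFA requirement, which is the "less strict for non-sensitive apps" case; the payroll app on default settings fails all four controls at the confidential level, and the hardened copy of the same app passes. Tying the required controls to the classification, rather than to individual apps, is what keeps the policy consistent as citizen developers create new apps.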

Citizen development will continue to grow over the next several years, and organizations can realize the potential it offers while maintaining user and data governance. Security oversight may look different at every company, but as long as end users, developers, IT, and security leaders clearly agree on where along the productivity-control spectrum you want to be, your organization's needs can be met from both ends.


Mike Lemire is the Compliance and Information Security Officer at Quick Base, the platform for app enabled business. Previously, Mike managed the Information Security and Compliance programs at Yesware, Acquia, Pearson Higher Education, and RiskMetrics, and has held ... View Full Bio