
Citizen Developers and Securing APIs

Microsoft Build is where we get to explore the latest innovations in code and application development. This time around there were 55 sessions dedicated to Microsoft’s approach to low-code, including a keynote on day two with Julie Strauss and Karuana Gatimu. Organizations are increasingly adopting low code application platforms to fuse the worlds of citizen developers, professional developers, and the other parties instrumental in building and using applications. The goal is to quickly deliver new solutions and modernize business capabilities.

So what is low-code?

Low-code is a visual approach to software development. Rather than writing code, it allows you to essentially drag and drop objects and connections using a graphical user interface (GUI). It effectively abstracts the code away from the application builder, significantly lowering the barrier to entry. Gartner predicts that 70% of new applications developed by enterprises will use low-code or no-code technologies by 2025, up from less than 25% in 2020.

Whereas 3rd party software can only be customized so much, low code applications are more closely aligned with an organization’s existing business processes. The starting point for low code applications is usually the process you are trying to automate, not the functionality of the software suite you purchased from your vendor.

Though low-code and no-code modular approaches allow professional developers to quickly build applications, more often we talk about low-code in the context of citizen developers. Because it requires little to no knowledge of traditional programming languages, low-code lets business analysts, office administrators, small-business owners and others who are not actual software developers build and test applications.

How the low-code revolution began

According to Microsoft, fundamental shifts drive this change in enterprise application development. Charles Lamanna, Microsoft Corporate Vice President for Business Applications, describes it as 4 waves:

Wave number 1: The changing workforce

There are people entering the workforce today who have grown up with high expectations of applications and application consumption. Traditional business applications, with their dozens of clicks, just don’t compare to intuitive modern phone apps. This has led to a change in the way applications are evaluated. 

Wave number 2: Surging digital demand

Microsoft predicts more than 500 million new applications will be built in the next 5 years. This is more applications than have been built in the last 40 years combined. Most of these new apps will be mobile, outpacing by 5x what organizations can deliver with traditional application development.

Wave number 3: Not enough developers

Just like in IT security, we are seeing a shortage of developers, with a shortfall of about a million in the US alone. 86% of Microsoft’s customers are reportedly struggling to hire enough developers to fulfill demand.

Wave number 4: Economic downturn

We continue to see the impact of the COVID-19 crisis, now compounded with the impact of the war in Ukraine, leading to a potential severe recession. This puts enterprise organizations under immense pressure to more efficiently leverage their existing resources, including staff, to keep outpacing their competitors.

Low-code has the potential to address these 4 waves for enterprise organizations. It enables everyone, in marketing, sales, legal, etc., to take control of their own destiny and increase their success.   

Low-code presents security risks

In the world of Microsoft, low-code development is achieved through the Power Platform, notably Power Apps together with Power Automate and Dataverse. A free version of Power Apps is actually available with some Office and Dynamics license tiers.

In PowerApps, you can use connectors to various data sources, like Microsoft Excel workbooks, SQL Server, or other Microsoft 365 apps. You can also use custom data sources, such as APIs deployed in your own network, or APIs and web apps hosted on cloud services such as Azure Web Apps, AWS, Heroku, Google Cloud, etc. This feature is called Custom APIs in PowerApps.

Custom APIs are a powerful way to connect to any existing API, hosted anywhere, from PowerApps. Custom APIs are RESTful endpoints that you can connect to and use from PowerApps. All you need is a Swagger definition file for your endpoint.

But just as PowerApps assumes citizen developers are not code experts, we should assume they are also not cybersecurity experts. Considering how easy it is to consume, and potentially manipulate, APIs, we need to ensure that this can be done as securely as possible.
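The Swagger definition file that describes a custom API is also the place where a reviewer can catch an endpoint that will accept calls without credentials before it is handed to citizen developers. The script below is an added example, not code from the original post or from Noname: it lints a constructed Swagger 2.0 definition (the host `api.example.invalid`, the operation names and the security scheme names are all hypothetical) and reports operations reachable without any security requirement, API keys carried in the query string, and plain-http schemes. It uses only the Python standard library.

```python
"""Lint a Swagger 2.0 definition for weak or missing authentication before
it is published as a custom API (added example; not from the original post).
The definition below is constructed for illustration only."""
import json

# Constructed sample definition: hypothetical host, operations and scheme names.
SAMPLE_SWAGGER = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example Contact API", "version": "1.0"},
  "host": "api.example.invalid",
  "schemes": ["https", "http"],
  "securityDefinitions": {
    "apiKeyHeader": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    "apiKeyQuery":  {"type": "apiKey", "name": "key", "in": "query"}
  },
  "security": [{"apiKeyHeader": []}],
  "paths": {
    "/contacts": {
      "get":  {"operationId": "ListContacts"},
      "post": {"operationId": "CreateContact", "security": [{"apiKeyQuery": []}]}
    },
    "/contacts/{id}": {
      "get":    {"operationId": "GetContact", "security": []},
      "delete": {"operationId": "DeleteContact"}
    },
    "/health": {
      "get": {"operationId": "Health", "security": []}
    }
  }
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def effective_security(spec, operation):
    """Return the security requirement that applies to one operation.

    An operation-level 'security' key overrides the document-level default,
    and an explicit empty list means 'no credentials required'."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def lint_swagger(spec):
    """Return a list of (severity, location, message) findings."""
    findings = []

    # Plain http lets API keys and response data travel in clear text.
    if "http" in spec.get("schemes", []):
        findings.append(("high", "schemes",
                         "plain http allowed; credentials and data may be sent in clear text"))

    # API keys in the query string end up in proxy logs, browser history and referrers.
    for name, defn in spec.get("securityDefinitions", {}).items():
        if defn.get("type") == "apiKey" and defn.get("in") == "query":
            findings.append(("medium", f"securityDefinitions.{name}",
                             "API key carried in query string"))

    # Any operation with an empty effective security requirement is anonymous.
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item and not effective_security(spec, item[method]):
                findings.append(("high", f"{method.upper()} {path}",
                                 "callable without credentials"))
    return findings


def unauthenticated_operations(spec):
    """Sorted 'METHOD /path' strings for operations that need no credentials."""
    return sorted(loc for _, loc, msg in lint_swagger(spec)
                  if msg == "callable without credentials")


if __name__ == "__main__":
    for severity, location, message in lint_swagger(SAMPLE_SWAGGER):
        print(f"[{severity}] {location}: {message}")
```

Running the script on the constructed definition flags the `http` scheme, the `apiKeyQuery` scheme, and the two operations whose `security: []` switches off the document-level API key requirement; the `DELETE` operation inherits the default and is not reported. Feeding the same check a real definition file (`json.load` on the exported Swagger) is a cheap gate to run before a custom connector is made available to makers.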

Right now the focus is on ease of use and the assumption that the underlying systems exposed via APIs are working as expected and are secure. As demonstrated in this article, that assumption is not correct. More than 1,000 web applications collectively leaked millions of records containing sensitive personal data because of misconfigurations in Microsoft Power Apps. Among other data, 38 million publicly viewable records included COVID-19 contact tracing information, social security numbers, names, phone numbers, and email addresses.

As you can see, the moral of this story is that despite simplifying the developer experience, the same rigor must be in place to manage security. If anything, more security controls need to be in place to train and monitor the influx of citizen developers. Cybersecurity should never be an afterthought, not even in the world of low-code. 

*** This is a Security Bloggers Network syndicated blog from Noname API Security Blog authored by Filip Verloy. Read the original post at: https://nonamesecurity.com/blog/citizen-developers-and-securing-apis