Citizen development and GenerativeAI (GenAI) make it easier and faster than ever to create powerful business applications and copilots. It’s helping users of all technical backgrounds spur innovation, automate mundane processes and improve efficiency. In fact, companies that have implemented low-code/no-code have seen 53% gains in process efficiency and 51% higher employee productivity. It’s democratizing how software and application development is done, and this certainly rings true within oil and gas companies across the world.
Shell, for example, launched a citizen development program in 2019 that has helped the company improve and simplify time-consuming maintenance procedures and other processes. At Chevron, more than 3,000 employees have already been reaping the benefits of low-code development.
GenAI stands to bring further benefits to oil and gas companies globally. It is estimated that the energy and materials sector could gain $390 billion to $550 billion in value in the coming years by incorporating GenAI into its operations. However, as business users build their own apps and copilots with GenAI, they also introduce new security and compliance risks that AppSec professionals must be mindful of, while being careful not to stifle productivity.
New tech, new challenges
GenAI and citizen development present a number of security challenges, including:
- New developer persona – Professional developers typically work with security in mind, but those with less technical know-how (such as help desk agents and inventory managers, or even engineers working at a refinery) don’t tend to. As a result, it is very common for applications built with GenAI and low-code/no-code to have authentication misconfigurations, hard-coded secrets, and over-exposure to sensitive data that present risks.
- Out of IT’s control – The work of both professional and citizen developers creates shadow app development and a lack of visibility, as copilots and low-code platforms inherently evade the purview of IT and security teams. Because these tools allow anyone to quickly develop automations and applications, apps are proliferating rapidly and without any checks and balances – all beyond IT’s watchful eye.
- No code = transparency issues – Using copilots and low-code/no-code tools means there is no source code to scan, so traditional code scanning tools no longer apply. That hampers debugging, troubleshooting and security analysis alike, which in turn leads to potential security and compliance worries.
- No SDLC – There’s no established software development lifecycle, so there’s also no consistency, clarity or accountability.
- Abuse of identity – Identity management is another challenge. The primary security vulnerability stemming from citizen developers is giving the apps they build too much access. Whether it is providing end users with a shared identity, or connecting an app to a sensitive data source that is shared across boundaries or teams, the IT team cannot tell whether the citizen developers have broken corporate policy. For example, even if the team finds an anomaly, it will be attributed to the owner of the borrowed identity, because the team cannot see that another person was borrowing it.
The main result of these inherent challenges is data leakage and exfiltration. This is an old challenge for app development, however the app is built, but citizen developers increase the potential for it because they alone are responsible for the many decisions about how these apps and copilots are built. It is quite easy to make mistakes like hard-coding a secret, misconfiguring how authentication happens, sharing the apps with people who don't need them to do their jobs, or over-exposing data. By their nature, applications and copilots frequently move and process data from one place to another within an organization, which can (and does) break data barriers or boundaries with ease.
Data privacy and compliance are also at risk. These applications inherently process, store, and access sensitive data, which, when not secured properly, can be accessed and manipulated by employees, guest users, or others. Building in proper access controls and credential security might not occur to business users who are building these apps and copilots, which can result in many other problems – including a lack of compliance. However, as previously mentioned, efficiency versus security/compliance is a false dichotomy; citizen development is a business boon when set up properly.
Establishing controls and visibility
A primary issue with low-code/no-code development, as noted earlier, is that circumventing security oversight lets data move through and between apps and people (including unwitting insiders and attackers). The identities of the citizen developers who create these apps can be embedded in the apps themselves. That masks the identity of anyone who then uses the app, because every action appears to come from the developer, which creates a security blind spot.
How, then, can security teams regain control and reduce risk? First, they need to examine everything that is being built across copilots and low-code/no-code development platforms within their organizations. This will help them determine who is in charge of these projects so they can steer them in the right direction. The goal isn’t to make them feel hampered or shamed; it’s to create a more secure process with guidance and education.
Visibility is essential for strong security. This requires the creation of an applications inventory and clarity about who is building apps, what those apps are and what they are meant to do within the context of the business. This will help mitigate risk and create seamless business operations; security and efficiency are both increased.
Security teams need to set up a framework and a culture for developing apps securely. That includes putting in place the guardrails, technical controls and policies needed so that citizen developers cannot publish apps or copilots that are insecure and put the organization at risk. Even highly skilled developers make errors when dealing with sensitive data and the lack of native controls across copilots and low-code/no-code platforms, and mitigating risk is even harder for the less technically adept. With those guardrails in place, however, it becomes much harder for citizen developers to make those errors.
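One concrete form the visibility described above can take is correlating platform telemetry so that data accesses made through an app are attributed to the end user who triggered them, rather than to the maker whose identity the app embeds. The example below is added here and is not Zenity's or any platform's own code; the two log formats (app-run events naming the end user, data-access events naming only the connection owner), the runid join key, the sample log lines and the list of sensitive sources are all constructed assumptions.

```python
"""Attribute data-source accesses through a low-code app to the real end user,
then flag apps where one embedded (borrowed) identity fronts many users against
a sensitive source. Example code added to this article; all data is constructed."""
from collections import defaultdict

# Constructed sample telemetry (hypothetical format). Run events carry the end
# user; access events carry only the maker (owner) whose identity the app embeds.
RUN_LOG = [
    "2024-05-01T10:00:01Z run app=maint-tracker user=alice@example.com runid=r1",
    "2024-05-01T10:00:04Z run app=maint-tracker user=bob@example.com runid=r2",
    "2024-05-01T10:00:09Z run app=maint-tracker user=guest_7@partner.example runid=r3",
]
ACCESS_LOG = [
    "2024-05-01T10:00:02Z access app=maint-tracker owner=dave@example.com runid=r1 source=HR_DB",
    "2024-05-01T10:00:05Z access app=maint-tracker owner=dave@example.com runid=r2 source=HR_DB",
    "2024-05-01T10:00:10Z access app=maint-tracker owner=dave@example.com runid=r3 source=HR_DB",
]
SENSITIVE_SOURCES = {"HR_DB"}  # assumed classification of data sources


def parse(line):
    """Turn one 'timestamp kind k=v k=v ...' line into a dict."""
    ts, kind, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=ts, kind=kind)
    return rec


def attribute(run_log, access_log):
    """Join access events to run events on runid, crediting each access to the
    end user instead of the maker whose identity the app embeds."""
    runs = {r["runid"]: r for r in map(parse, run_log)}
    attributed = []
    for access in map(parse, access_log):
        run = runs.get(access["runid"])
        # None marks an access that no run event explains: worth its own alert.
        attributed.append({**access, "actual_user": run["user"] if run else None})
    return attributed


def shared_identity_findings(attributed, sensitive=SENSITIVE_SOURCES):
    """Flag (app, owner, source) triples where a single embedded identity is used
    by more than one distinct end user to reach a sensitive source."""
    users = defaultdict(set)
    for a in attributed:
        if a["source"] in sensitive:
            users[(a["app"], a["owner"], a["source"])].add(a["actual_user"])
    return {key: sorted(u) for key, u in users.items() if len(u) > 1}
```

On the sample data the finding shows dave@example.com's identity being used by three different people, one of them a guest, to reach HR_DB; without the join, the access log alone would blame dave for all three.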
Greater speed, greater security
Copilots, low-code and no-code platforms have removed the manual coding barriers to successful and rapid innovation. That’s particularly helpful for companies focused on innovation and maintaining competitive advantage. These platforms enable people with little to no development experience to develop AI-based apps. Though this has democratized development, it has also introduced major security risks. Fortunately, security leaders don’t have to choose between cybersecurity and rapid development. Instead, they can partner with this new crop of developers to more quickly create secure new apps that benefit the business goals of energy and materials companies.
Ben is the CEO and co-founder of Zenity, with 16+ years of experience in the cybersecurity industry. His expertise ranges from hands-on cyber security, team building and leadership through business strategy and management.