Automating App Security Integration Will Unleash the Citizen Developer
Nikfar Khaleeli | Oct 22, 2019
Low-code development, predominantly used for internal B2E (business-to-employees) apps, is now being adopted for the creation of B2B (business-to-business) and B2C (business-to-consumer) apps. Rapid application development (RAD) minimizes the need for IT developers and enables citizen developers, who are arguably the ones best placed to design purpose-built mobile apps. Reducing the dependence on IT is the right strategy for organizations that want to make the digital-first transformation. Gartner predicts that by 2021 the demand for mobile app development services will exceed IT’s capacity to deliver by a factor of three. Controlling app development costs will be a key consideration for organizations trying to harness the productivity benefits of always-on and easily accessible mobile and edge devices.
Enabling the citizen developer must also be a key part of an organization’s digital transformation strategy because by 2022, citizen developers will be building more than one-third of web and mobile employee-facing apps.
Integration of security controls in mobile apps, such as data encryption, access controls and remote wipe, is a fantastic candidate for RAD. Without confidence that their data will be protected, IT will halt the rollout of mobile apps that access sensitive corporate data. Consequently, this can be a showstopper for an organization’s mobility efforts.
Enterprise mobility management (EMM) vendors such as Microsoft and BlackBerry provide app security SDKs with their Unified Endpoint Management (UEM) offerings. These SDKs create app-level containers so that IT maintains control over data even when it’s being accessed through an app on devices that are not under IT’s control. The SDKs obviate the need for app developers to roll their own security, but even then, manually integrating app-level security is not trivial, and it is certainly not in the bailiwick of most citizen developers.
Even if you ignore the learning curve associated with these SDKs, manual coding also doesn’t guarantee data protection. For example, your organization’s data is at risk if an app developer forgets to replace an API in a subroutine that writes unencrypted data to storage with the secure version from the UEM vendor’s SDK. The use of unencrypted databases, unintentional or not, by end-to-end encrypted apps such as WhatsApp and Telegram is a headline-grabbing example of leaving data exposed. Using these SDKs can also constrain the functionality that app developers want in their apps. For example, if an SDK relies on an old version of the HTTP stack, a developer who is manually integrating the SDK cannot use the latest HTTP stack in her app, even if it improves the usability of the app.
What this means is that planning for how data will be protected must be part of the app development process. App developers will need to plan everywhere in the app’s code where the secure APIs must be used, such as for data being written to storage, sent to the network or shared between apps, to ensure comprehensive protection. That’s a whole lot of planning and is not something that Lines of Business (LOBs) and citizen developers will take part in. Time to market is important for the LOB, which is also where the citizen developers sit. The LOB sets the requirements for these apps and, as a result, many of these business leaders will bypass IT organizations when developing apps, without concern for security and governance.
Automating the integration of app-level security keeps everyone happy. IT’s need to retain control over data wherever it is used will be satisfied by the use of UEM vendor-provided app security SDKs. Automation will reliably integrate app security SDKs everywhere in the app, so that data everywhere is secured. Instead, the focus can be on developing innovative apps that can be used anywhere and on any device to increase the organization’s productivity.
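The failure mode described above (a developer forgets to swap one plaintext storage call for the SDK's secure version) and the remedy the article argues for (automation that applies the SDK everywhere, then verifies nothing was missed) can both be illustrated with a small audit-and-rewrite script. The following is an added example, not code from the article or from any UEM vendor's SDK: the wrapper class names (`SecureFileOutputStream`, `getSecureSharedPreferences`, `SecureSQLiteDatabase`) are hypothetical drop-in replacements assumed for the illustration, and the Android-style Java source it scans is constructed inline.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical mapping from plaintext Android platform calls to drop-in
# "secure" wrappers. The wrapper names are ASSUMPTIONS for this example
# and do not correspond to any real UEM vendor's SDK.
SECURE_REPLACEMENTS = [
    # (category, pattern matching the plaintext call, secure replacement text)
    ("file write",  re.compile(r"\bnew\s+FileOutputStream\("),
                    "new SecureFileOutputStream("),
    ("preferences", re.compile(r"\bgetSharedPreferences\("),
                    "getSecureSharedPreferences("),
    ("database",    re.compile(r"\bSQLiteDatabase\.openOrCreateDatabase\("),
                    "SecureSQLiteDatabase.openOrCreateDatabase("),
]

# Constructed sample source: two plaintext writes the developer forgot to
# replace, and one call that is already routed through the secure wrapper.
SAMPLE_SOURCE = """\
package com.example.notes;
import java.io.FileOutputStream;
public class NoteStore {
    void saveNote(String text) throws Exception {
        FileOutputStream out = new FileOutputStream("notes.txt"); // plaintext write
        out.write(text.getBytes());
    }
    void savePrefs(android.content.Context ctx) {
        ctx.getSharedPreferences("prefs", 0).edit().putString("token", "abc").apply();
    }
    void saveCache(String text) throws Exception {
        SecureFileOutputStream out = new SecureFileOutputStream("cache.bin"); // already wrapped
    }
}
"""


@dataclass
class Finding:
    line: int           # 1-based line number in the scanned source
    category: str       # which kind of storage the call touches
    plaintext_api: str  # the exact unwrapped call that was matched
    secure_api: str     # the wrapper that should have been used
    text: str           # the offending line, for the report


def audit_source(source: str) -> List[Finding]:
    """Return every line that still calls a plaintext storage API.

    Trailing '//' comments are stripped before matching (a simplification:
    a '//' inside a string literal would also be treated as a comment).
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]
        for category, pattern, replacement in SECURE_REPLACEMENTS:
            match = pattern.search(code)
            if match:
                findings.append(
                    Finding(lineno, category, match.group(0), replacement, line.strip())
                )
    return findings


def auto_wrap(source: str) -> str:
    """Mechanically substitute the secure wrapper for every plaintext call.

    This is the 'automation' step: applied to the whole code base it cannot
    skip a subroutine the way a manual integration can. Imports for the
    wrapper classes are assumed to be handled by the build tooling.
    """
    for _, pattern, replacement in SECURE_REPLACEMENTS:
        source = pattern.sub(replacement, source)
    return source


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each, suitable for a CI log."""
    if not findings:
        return "OK: no unwrapped storage calls"
    return "\n".join(
        f"line {f.line}: {f.category}: '{f.plaintext_api}' should be '{f.secure_api}'"
        for f in findings
    )


if __name__ == "__main__":
    print("Before automation:")
    print(format_report(audit_source(SAMPLE_SOURCE)))
    print("\nAfter automation:")
    print(format_report(audit_source(auto_wrap(SAMPLE_SOURCE))))
```

Run as a script it first reports the two forgotten calls (lines 5 and 9 of the sample), then shows that after `auto_wrap` the audit comes back clean. The useful design point is the pairing: the rewrite step enforces the SDK everywhere, and the audit step, run again in CI, proves it, so a single missed subroutine fails the build rather than shipping with plaintext storage.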