AI is rapidly changing the way people develop and build their own applications, automation and copilots, helping businesses improve efficiency and results without further burdening IT and the help desk. While this levels the playing field for software development, it also brings increased cybersecurity risks.
It’s important for security leaders to understand this new wave of business application development and artificial intelligence and the resulting risks – and have a game plan to address them. The good news is that you don’t have to choose between AI-driven development and security/compliance.
The rise of artificial intelligence in no-code/low-code platforms
AI, low-code and no-code platforms have become the default for democratizing development; they give every business user the power of a developer, regardless of whether they know how to code or not. Stemming from a combination of lack of internal resources, time constraints, and the need for constant innovation, organizations increasingly depend on these technologies to make business users more efficient and productive.
Gartner predicted that low-code/no-code development will be responsible for more than 70% of all new applications by 2025. The analyst firm also predicts that by 2026, over 80% of organizations will use GenAI application programming interfaces (APIs) or models and/or GenAI-enabled applications in production environments. This will represent a huge shift since less than 5% did so last year. So-called “citizen developers” create data flows, automation, applications and more by asking the copilot – the GenAI conversational interface – to build it. They can now even build their own copilots, which can then be shared publicly in development platform ‘stores’.
Productivity increases, but security is playing catch-up
There are two main risks here. First, it is no longer tens or even hundreds of applications being introduced into production environments, but tens and hundreds of thousands of new applications, connections and automations created by users of every technical profile. That volume alone enlarges the threat. The primary threats include data leakage and account spoofing, which I’ll explain shortly. Second, platforms ship with many well-intentioned defaults that make it easier for everyone to build their own apps. Those same defaults also make it easier to make mistakes during development, which is what keeps security professionals up at night.
Typically, when companies have security and compliance programs, they target the work done by traditional professional developers. But today, with AI, anyone can be a developer. People are now building applications and automation outside of IT’s purview. They can build what they need without the necessary technical knowledge, and that’s a big change.
These activities take place within business lines and are not always monitored or governed – and this creates a problem for security, because one of the biggest requirements for truly protecting everything within a company is visibility. You can’t protect what you can’t see.
This is a problem for almost all companies, but especially for those in highly regulated industries like finance and healthcare that are subject to rigorous regulations and compliance standards. As more people create apps and use AI, more systems require access to sensitive data. Without a thorough inspection of who is creating what, and without determining which applications are accessing truly sensitive data, these companies are left open to new fines and increased regulatory scrutiny.
Taking back control without sacrificing productivity
It might be tempting to try to completely ban employees and third-party users (known as guests) from using these tools to avoid security challenges, but that’s not realistic. People will find ways to access the tools they need; banning these tools is unlikely to succeed and could stifle innovation, hinder efficiency and slow productivity. Security leaders increasingly need to demonstrate that they are part of the business strategy, not gatekeepers.
Instead, it’s about making the use of these tools safer. As with most security, gaining visibility is the first step. Your security team needs to know about the tools being used and the applications being developed, while gaining a deep understanding of the business impact each application has on the enterprise.
Achieving that visibility—and ensuring that the security team remains engaged and able to process and act on those insights—requires the following elements:
- Identify each instance where the application contains artificial intelligence and/or where artificial intelligence was used to help build the resource. In addition, develop a knowledge base regarding the business context of each of these resources. This includes who the users are, why they use the resource, what data they interact with, and so on.
- Ensure that automation and applications that need to access sensitive data have the right data sensitivity flags, as well as the right authentication protocols, identity, anomaly detection, and access tools.
- Assess the threat level of each resource so that security teams know how to prioritize breaches, alerts and more.
- Make sure each app is shared only with the appropriate people. Many modern development platforms use default permissions that allow anyone in a tenant or directory to access and use these applications.
- Prioritize security; set rules and connect with professional and citizen developers to ensure they meet the organization’s standards as they develop with GenAI.
- Implement continuous vulnerability scanning to detect misconfigured and/or insecure applications as they are being built.
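The checklist above can be turned into a repeatable inventory audit. The following is an added example, not code from the original article or from any low-code platform vendor: it assumes a constructed inventory format (resource name, owner, whether AI built it or runs inside it, the data connectors it uses, and its sharing scope) and a constructed list of connectors the organization treats as sensitive. It flags resources that reach sensitive data without a sensitivity label, that are shared with the whole tenant by default, or that expose sensitive data to guests, and it orders the results so the security team can prioritize.

```python
"""Audit a low-code/no-code resource inventory against a visibility checklist.

Everything here is constructed for illustration: the inventory schema is an
assumption, not the export format of any real platform.
"""
from dataclasses import dataclass

# Connectors that touch data the organization treats as sensitive (assumed list).
SENSITIVE_CONNECTORS = {"sharepoint-hr", "sql-finance", "salesforce-customers"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "info": 1}


@dataclass
class Resource:
    name: str
    owner: str
    built_with_ai: bool                  # a copilot generated or assisted the build
    contains_ai: bool                    # the resource itself calls a GenAI model/API
    connectors: frozenset                # data connectors the resource is wired to
    shared_with: str                     # "owner", "group:<name>" or "tenant"
    guest_access: bool = False           # third-party (guest) users can run it
    sensitivity_flag: str = "unclassified"  # "unclassified" | "internal" | "confidential"


def touches_sensitive_data(r: Resource) -> bool:
    """True when any connector is in the organization's sensitive set."""
    return bool(r.connectors & SENSITIVE_CONNECTORS)


def findings(r: Resource) -> list:
    """Return (severity, message) findings for one resource."""
    out = []
    sens = touches_sensitive_data(r)
    if sens and r.sensitivity_flag == "unclassified":
        out.append(("high", "uses a sensitive connector but carries no data sensitivity flag"))
    if sens and r.shared_with == "tenant":
        out.append(("critical", "sensitive data reachable by everyone in the tenant (default sharing)"))
    elif r.shared_with == "tenant":
        out.append(("medium", "shared with the whole tenant; confirm that is intended"))
    if sens and r.guest_access:
        out.append(("critical", "guest (third-party) users can reach sensitive data"))
    if r.contains_ai and sens:
        out.append(("high", "GenAI component can read sensitive data; review the prompt/data flow"))
    if r.built_with_ai or r.contains_ai:
        out.append(("info", "AI-involved resource: record business context (users, purpose, data)"))
    return out


def audit(inventory: list) -> list:
    """Return (score, name, findings) per resource, riskiest first, ties by name."""
    report = []
    for r in inventory:
        f = findings(r)
        score = max((SEVERITY_RANK[s] for s, _ in f), default=0)
        report.append((score, r.name, f))
    report.sort(key=lambda row: (-row[0], row[1]))
    return report


# Constructed sample inventory (names, owners and connectors are made up).
SAMPLE_INVENTORY = [
    Resource("Expense approval flow", "j.doe", True, False,
             frozenset({"sql-finance", "outlook"}), "tenant"),
    Resource("Lunch poll", "a.smith", False, False,
             frozenset({"forms"}), "tenant"),
    Resource("HR helper copilot", "m.lee", True, True,
             frozenset({"sharepoint-hr"}), "group:hr",
             guest_access=True, sensitivity_flag="confidential"),
    Resource("Personal notes", "k.ng", False, False,
             frozenset({"onedrive"}), "owner"),
]


if __name__ == "__main__":
    for score, name, f in audit(SAMPLE_INVENTORY):
        print(f"[{score}] {name}")
        for severity, msg in f:
            print(f"    {severity:8s} {msg}")
```

The scoring is deliberately simple: a resource's priority is its worst finding, so a tenant-wide flow over a finance connector and a guest-accessible HR copilot both surface at the top of the report, while an unlabelled but owner-only resource falls to the bottom. In practice the inventory would be fed from the platform's own export, and the sensitive-connector set from the data classification program, rather than hard-coded.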
A strategy for secure development
Citizen development offers a lot of opportunities for companies in various sectors, but it can also bring new security risks and compliance concerns, especially now that artificial intelligence is so readily available and widely used. As these technologies become the norm, organizations need to know who is developing what in order to maintain security and compliance. Visibility is key, so use a checklist to ensure not only security and compliance, but productivity and efficiency as well.