
The rising security risk of the citizen developer

George V. Hulme | April 18, 2017
Citizen developers may help enterprises to develop apps more quickly but what is it going to do to enterprise security?


While shadow IT has always been a challenge for enterprise IT teams, it accelerated rapidly with the growth of the smartphone and then cloud computing, as the enormous expansion of public cloud infrastructure and software-as-a-service offerings made access to a cloud service as easy as providing a credit card. Today, shadow IT has spread beyond smartphones, tablets, and cloud services and is rapidly extending into the domain of the enterprise developer.

The trend could create profound risks for enterprise security teams if these shadow, or citizen, developers aren’t reined in.

What is driving citizen development is sheer demand for enterprise apps. According to Gartner, the market demand for app development will grow five times more quickly than IT’s ability to deliver apps through 2021.

According to research from low-code development platform provider OutSystems, 62 percent of enterprises it surveyed reported deep app development backlogs, with a number having more than 10 apps waiting to be developed. Additionally, 76 percent of IT professionals surveyed said it takes an average of more than three months to develop a custom application. For about 11 percent of those surveyed, that time extends to a year.


With backlogs like that, it’s no surprise that business managers and staff at many enterprises are unhappy with how long it takes for the apps they need to be delivered, so they are taking app development into their own hands by turning to platforms such as Appian, Kony, OutSystems, Mendix, and others to build the apps they need. These platforms make it relatively easy for nearly anyone, especially non-professional developers, to build and deploy functioning enterprise apps.

“The idea of having citizen developers, in general, is a good thing,” says Mike Thompson, senior director, mobile application development middleware at mobile cross-platform development provider Kony. “When people very close to the enterprise's operations are empowered to innovate via mobile applications, their actions can be a key part of digital transformation.”

There’s little doubt of that. However, enterprises must learn how to manage citizen developer efforts, or they risk not only losing control of the security of the applications employees use, but also regulated data ending up in apps and places it shouldn’t. “If business units are creating apps without the support from IT, it's unlikely they'll create an app focused on security - which can be pretty scary for enterprise security [teams],” says John Britton, director of security at VMware.

Britton shared an example. Some time ago his team was asked to clean up a shadow IT application that had been deployed at a business. While the citizen developer did try to include security in the form of usernames and passwords properly hashed in a database, they failed to build a forgot-password function. “The developer eventually gave up resetting passwords and removed the password hash function and stored passwords in the clear. Anyone with access to this database probably had access to the employees' corporate password, since many people don't practice good password hygiene and reuse the same password everywhere. This is just one example of how a shadow IT app can seriously risk enterprise security,” says Britton.
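The failure Britton describes is avoidable: a reset flow never needs the original password, only the ability to replace the stored hash. The sketch below, added here and not from the article or from any vendor it names, keeps salted PBKDF2 hashes and adds a single-use, expiring reset token whose own hash is all the database stores; the in-memory dictionaries, function names and the 15-minute token lifetime are constructed stand-ins for a real app's database and policy.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for database tables.
USERS = {}          # username -> {"password": "<pbkdf2 record>"}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_timestamp)

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time

def register(username, password):
    USERS[username] = {"password": hash_password(password)}

def login(username, password):
    record = USERS.get(username)
    return record is not None and verify_password(password, record["password"])

def start_password_reset(username, now=None, ttl=900):
    """Issue a one-time reset token; only its hash is stored, so a DB leak
    exposes neither passwords nor usable reset tokens. Returns None for
    unknown users (the caller should respond identically either way)."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, (now or time.time()) + ttl)
    return token  # sent to the user out of band, never written to the DB

def finish_password_reset(token, new_password, now=None):
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expiry = entry
    if (now or time.time()) > expiry:
        return False
    USERS[username]["password"] = hash_password(new_password)  # no old password needed
    return True
```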
