As the Citizen Development Movement Grows, So Does Security Risk

A "citizen developer" wave is currently taking enterprises by storm. Largely driven by the ready availability of low-code tools, the need for agility, and the ever-present shortage of IT resources, citizen developers are helping enterprises develop apps more quickly, and with a better understanding of the business. But this often comes at a price – namely the risk to security, data governance, and integration – unless it can be managed as an integral part of the enterprise’s IT ecosystem.

What is a citizen developer?

Citizen development is a low-code approach to software development. It allows “citizen developers” to create software programs without needing to know anything about programming languages or how to write code by using low-code, icon-based, Lego-like development tools.

Previously referred to as "shadow IT," citizen development was often viewed negatively; now it is increasingly associated with how business gets done.

According to recent Appian research:

• Taking a do-it-yourself (DYI) approach to software development can increase agility and alleviate IT’s burden by harnessing the energy and business-specific knowledge of citizen application developers.
• It can also introduce considerable risk in terms of data integrity, app security, integration, and other important aspects of the enterprise’s SDLC framework.

Rapid “citizen app development” creates an IT security nightmare.

• The rapid rate of mobile app development has increased the rate of mobile breaches, as the creation of these apps is outpacing IT’s ability to secure them.
• Two-thirds of organizations have BYOD, a corporate-owned personally-enabled (COPE) environment, or a mix of these two approaches.
• Corporate data is accessible through mobile, and 95% of companies surveyed say this increases the risk of a security breach.
• 74% have experienced a breach caused by mobile apps containing malware, apps that contain security vulnerabilities, and unsecured Wi-Fi connections. 

On the flip side, citizen developers have an intimate knowledge of the business, its daily processes, and what is required in order to improve efficiencies within individual parts of the organization. Typically, this results in custom apps that are a better fit for the business than off-the-shelf apps, which take a one-size-fits-all approach.

Can we achieve the best of both worlds?

According to Gartner research, at least half of all new IT business applications will be created on low-code platforms by 2020.

“Many IT leaders believe citizen-developed apps cause integration and security issues, and they want a tech platform to allow the governance of citizen development.” 

Based on this looming reality, IT decision makers are coalescing around a few key truths:

• More than 8 in 10 (82%) believe it is necessary for companies to ensure secure and scalable citizen development.
• Over three in four (77 percent) believe having one enterprise low-code platform can ensure citizen developers are using the right data in their apps.
• Nearly half (46 percent) report new technology platforms and roles are key to keeping citizen development secure and scalable.

The bottom line

Clearly the critical importance of app security, coupled with the proliferation of low-code development tools and citizen developers, presents a formidable challenge for today’s enterprise.

• The coming years are set to see a surge in the growth of low-code development, sending a message of change to IT.
• Businesses will be able to create many enterprise apps without relying on high-priced and hard-to-find professional developers.
• IT organizations will need to manage these risks by educating citizen developers and offering platforms that enable transparency in monitoring, change control, and analytics.

Gartner predicts 70 per cent of businesses will have citizen development policies in place by 2020. However, for companies to adapt to this development, they must be open-minded to the opportunities presented by low coding and incorporate them into their wider business strategy.

The goal is an approach that:

• Enables IT to make sure integration with other systems is done properly.
• Provides application development teams and citizen developers with an enterprise low-code platform to quickly build useful business apps with little or no coding required.
• Enables faster time to market and faster time to change for enterprise applications.
• Gives IT the ability to easily add more power and sophistication to new apps, working closely with lines-of-business.

“A citizen developer support program that includes sanctioned platforms, just-enough governance, access to enterprise services, and IT guidance and monitoring can create a safe environment for end-user application development.”

WhiteHat Security announced a five-part developer training webinar series and certification program that introduces developers to application security, secure coding techniques and best practices in identifying and fixing security vulnerabilities.