Do Citizen Developers Pose a Security Risk?


The amazingly streamlined online application platforms available today make it easy for Citizen Developers to create their own business applications. Whether they want to streamline their processes or develop apps that could potentially add a new revenue stream to the company, Citizen Developers can do so without ever having learned to write code.

Supporting and encouraging Citizen Developers to get creative is becoming more standard in companies, but by allowing them unfettered access to your sensitive customer data, are you exposing your company to a security risk?

Are custom apps a security risk?

Analyst house Gartner has predicted that a quarter of all new apps will be created by Citizen Developers this year, but it does warn companies that allowing them to access online databases also poses a security risk (albeit one that can easily be mitigated).

Ian Finley is the research VP with Gartner, and he is concerned that with the advent of end-user application development, particularly in high-productivity PaaS environments, these Citizen Developers may not always adhere to security policies: “While many of these platforms provide strong security capabilities, end-user developers don’t necessarily use those capabilities effectively,” he said.

The Gartner report goes on to explain that one of the problems is that Citizen Developers may not always know how to use security measures and this creates a weak link which hackers can exploit to gain entry.

However, there are two easy steps a company can take to ensure that their Citizen Developers do not introduce any new security risks. One, involving your IT group in the process provides the right level of review from those IT professionals who think about security all the time. Two, leveraging the right platforms that provide easy-to-implement security policies as well as robust, built-in security measures provides a significant measure of security and confidence without an excessive investment of time.

Citizen Developers don’t mean the end of IT

Citizen Developers are an exciting and innovative way for companies to streamline processes, improve service, reduce overhead and create a better customer experience, and it certainly isn’t something that research organizations like Gartner are suggesting you stifle.

What the discerning manager will do is to encourage and support Citizen Developers at every turn, but have apps assessed to ensure that they work within company security protocols and don’t place sensitive data at risk.

This is the kind of assessment that can be handled by your IT department. Your IT department should be completely geared to provide Citizen Developers with the support they need. Most IT professionals have done the requisite training to get up to speed on application development platforms that enable Citizen Developers to create secure business applications. IT professionals should outline the security protocols (a.k.a. the rules of the road) for their company’s Citizen Developers and provide them with training to ensure they stay well within your security parameters.  

IT professionals also need the requisite skills to be able to effectively and accurately assess an application designed by a Citizen Developer at every stage of development to ensure that it is safe. The move to cloud computing and the advent of the Citizen Developer don’t spell the end of the IT department. While some IT professionals may need to retool, they are an integral part of your online security and can really help to support and guide your Citizen Developers.

“Part of a Citizen Developer program is providing development tools that end users like, but also giving IT the opportunity to monitor their activity for risks,” Finley said.

“That way, end users don’t go around IT because IT is slowing them down or preventing them doing what they need to. But IT gains visibility into end-user activity and can triage and target the biggest risks.”

While encouraging the development of applications in your own company, it’s important to remain cognizant of security at every turn. If you have several apps in use already, have them assessed by your IT department. The same goes for any applications that your employees use that were developed outside of your company.

Evaluate the platforms used by your Citizen Developers

IT’s involvement with Citizen Developers can also begin earlier: helping choose the right platform for the apps your Citizen Developers want to build. The right platform will address your company’s security concerns in two ways: one, easy-to-use tools to maintain security, and two, strong built-in security measures as part of the foundation of the platform. There are a few key items to look for in each of these categories:

Easy-to-use tools:

  • Does the platform allow Citizen Developers to easily define the security policies their apps need?
  • Does the platform provide tools for granting different users varying levels of access to various parts of your applications or your data?

Built-in security measures:

  • What are the platform provider’s policies on areas such as disaster recovery and backup security?
  • Does the platform provider identify any industry-standard, third-party security standards they comply with?
  • Does the platform provider have the right infrastructure in place to protect your data, both from potential intruders and from potential disasters?
