
The citizen developer: A security risk that can't be ignored

Businesses need to act to prevent corporate data being put at risk by the increasing number of non-programmers building their own apps.

It's never been easier for people to dip into software development, piecing together apps to make their day job easier using today's streamlined dev platforms.

By 2014, apps dreamed up by end-user developers will account for one quarter of all business software - according to analyst Gartner - as easy-to-use dev platforms lower the skills bar and the time needed to produce a tool.

Yet while these apps will make everyday workers more productive, they will also increase the risk to the business, by making sensitive information from corporate systems more widely available through apps outside enterprise control, the analyst house said.

Ian Finley, research VP with Gartner, said the advent of cloud-based application-development and deployment platforms, particularly high-productivity PaaS environments, makes it easier to build applications outside the firewall than inside it.

"While many of these platforms provide strong security capabilities, end-user developers don't necessarily use those capabilities effectively," he said.

A recent Gartner report goes further in its criticism of the security of these apps, saying citizen developers "tend to develop unsecure applications that hackers use as intermediaries for attacks".

Many of these cloud platforms restrict software development to little more than piecing together existing modules to form an app - reducing the scope for users to write apps that allow hackers to execute malicious code. But there is still a danger of these apps exposing information from back-end systems, according to information security company Integralis.

"A lot of apps have far more privileges than they need and have vulnerabilities that can be exploited no matter where or how they are developed," said Garry Sidaway, director of security strategy at Integralis.

Consequently, businesses need to ensure that citizen-developer apps are assessed and tested at each stage of their development, he added.

However, businesses looking to protect against the risk of citizen devs opening up security holes shouldn't block end-user development, because that would shut down a promising route for innovation, according to Gartner's Finley.

He cited research that shows there are four times as many people in the US who "do programming as part of their job" as professional programmers.

Instead, businesses should "channel end-user development in safer directions" by setting up schemes to advise these developers on how to build safer apps and to monitor security.

"Part of a citizen-developer program is providing development tools that end users like, but also giving IT the opportunity to monitor their activity for risks," Finley said.

"That way, end users don't go around IT because IT is slowing them down or preventing them doing what they need to. But IT gains visibility into end-user activity and can triage and target the biggest risks."

End-user development stretches back to the first PCs, Finley said, but it is growing as members of the general public become more comfortable with technology and are willing to be more adventurous about the apps they install or build themselves.

"Where few people dared to do anything but input data or run reports on computers in the 1980s, today nearly every employee feels comfortable downloading any app that intrigues them and using it with business data to help them with a business process," he said.

"That comfort comes from exposure to application development in the workplace, but also the consumerisation of technology and the availability of end user-friendly tools from vendors they already use, such as Microsoft and Salesforce.com.

"As the number of end-user applications living outside the enterprise firewall increases, the number of compromises is likely to grow proportionally.

"The genie has been out of the bottle for some time, but now it is too big and powerful for IT to continue to ignore."

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.
