The citizen developer: A security risk that can't be ignored

Businesses need to act to prevent corporate data being put at risk by the increasing number of non-programmers building their own apps.

It's never been easier for people to dip into software development, piecing together apps to make their day job easier using today's streamlined dev platforms.

By 2014, apps dreamed up by end-user developers will account for one quarter of all business software - according to analyst Gartner - as easy-to-use dev platforms lower the skills bar and the time needed to produce a tool.

Yet while these apps will make everyday workers more productive, they will also increase the risk to the business, by making sensitive information from corporate systems more widely available through apps outside enterprise control, the analyst house said.

Ian Finley, research VP with Gartner, said the advent of cloud-based application-development and deployment platforms, particularly high-productivity PaaS environments, makes it easier to build applications outside the firewall than inside it.

"While many of these platforms provide strong security capabilities, end-user developers don't necessarily use those capabilities effectively," he said.

A recent Gartner report goes further in its criticism of the security of these apps, saying citizen developers "tend to develop unsecure applications that hackers use as intermediaries for attacks".

Many of these cloud platforms restrict software development to little more than piecing together existing modules to form an app - reducing the scope for users to write apps that allow hackers to execute malicious code. But there is still a danger of these apps exposing information from back-end systems, according to information security company Integralis.

"A lot of apps have far more privileges than they need and have vulnerabilities that can be exploited no matter where or how they are developed," said Garry Sidaway, director of security strategy at Integralis.

Consequently, businesses need to ensure that citizen-developer apps are assessed and tested at each stage of their development, he added.

However, businesses looking to protect against the risk of citizen devs opening up security holes shouldn't block end-user development, because that would shut down a promising route for innovation, according to Gartner's Finley.

He cited research that shows there are four times as many people in the US who "do programming as part of their job" as professional programmers.

Instead, businesses should "channel end-user development in safer directions" by setting up schemes to advise these developers on how to build safer apps and to monitor security.

"Part of a citizen-developer program is providing development tools that end users like, but also giving IT the opportunity to monitor their activity for risks," Finley said.

"That way, end users don't go around IT because IT is slowing them down or preventing them doing what they need to. But IT gains visibility into end-user activity and can triage and target the biggest risks."

End-user development stretches back to the first PCs, Finley said, but it is growing as members of the general public become more comfortable with technology and are willing to be more adventurous about the apps they install or build themselves.

"Where few people dared to do anything but input data or run reports on computers in the 1980s, today nearly every employee feels comfortable downloading any app that intrigues them and using it with business data to help them with a business process," he said.

"That comfort comes from exposure to application development in the workplace, but also the consumerisation of technology and the availability of end user-friendly tools from vendors they already use, such as Microsoft and

"As the number of end-user applications living outside the enterprise firewall increase, the number of compromises is likely to grow proportionally.

"The genie has been out of the bottle for some time, but now it is too big and powerful for IT to continue to ignore."


Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.


One symptom of this phenomenon is the still wide use of Visual Basic 6 (not dot net, before that). People actually think they can use, and think can be secure, programs written in a language that was retired 10 years or more ago. And with applications now possible in what is essentially a web page (the thing we used to call Metro, for instance), where the display is basically XML-encoded HTML and JavaScript (the Visual Basic of the web), anyone can make a totally insecure application. But it pays the bills, because eventually they have to turn to a real programmer to fix everything. If you are in IT, what you need to do is get an application security scanner. If all else fails, use at least Microsoft's Attack Surface Analyzer. Then gather all of the apps used by your people, use a tool that scans everyone's PC for what is running, and then on a clean system test each one in turn. Charge the time to the people who made the app unless they have already done the test (and if they use a tool and it's good, use their tool for everyone else's software). It won't find everything, but it will find enough to tell people to either get a professional or learn enough to fix the problems. Code reviews and QA are a must; introduce policies for a minimum of development lifecycle tools like SCM and testing.

Tony Hopkinson

No one has seriously latched on to the prevention market for yet another threat vector created by greedy incompetents. I'm sure it will come, once we've had a few incidents and someone can use them to get a good return on their investment.


How are they making their own apps, who gave them a dev platform and paid for licensing? Or are we talking about simple office macros and batch files? Because I am pretty sure the standard untrained programmer is not going to be making network aware applications. I wrote a chat program once in high school so I could work on our website project with the rest of the team. Is this the sort of thing we are expecting citizen developers to build?


"nearly every employee feels comfortable downloading any app that intrigues them and using it with business data to help them with a business process" That statement is false. Not on most typical corporate desktops... not by a country mile. In my organization, the desktop policy and endpoint security block all this, and the HR policy strictly forbids it. Endpoint security solutions and group policy block users from downloading and installing applications, period. You will find these on most corporate PCs these days. HR policies also address this, but policies are not controls. So a typical corporate user cannot install an app on their PC, nor could they install an app used to develop apps (e.g. Microsoft Visual Dev). That leaves spreadsheets. There are applications (e.g. Prodiance) that put version control and accountability into spreadsheets that are mission critical.

Marc Jellinek

When HR puts employee reviews (or even better, payroll information and Social Security Numbers) onto Google Spreadsheets. After all, it's just as secure as putting it into an Office spreadsheet on a laptop, server or SharePoint site!
