The five keys to securing the citizen developer

George V. Hulme

July 19, 2016

There’s a new kind of developer in town. These developers have no training in software languages, and no computer science degree. But they are building apps in the enterprise to get their jobs done.

We know that enterprise tech has been becoming consumerized for some time. The Bring Your Own Device (BYOD) market hit $266 billion this year, according to market research firm Markets and Markets. The research firm Gartner expects about 35 percent of IT expenditures to be managed outside traditional IT, within this shadow IT channel.

But the consumerization of IT isn’t stopping with BYOD and cloud services. New “low code” development platforms are making it easy for anyone to be a developer. These amateur, or “citizen”, developers are using low code visual coding platforms to build new enterprise applications for use in their organization. All of this is part of the broad Shadow IT trend, which we have written about extensively.

This is also happening for the same reasons Shadow IT happened: workers and business managers find themselves unable to do their jobs as effectively as they need to, and IT takes too long to deliver the apps and resources they need.

According to Intuit QuickBase’s State of Citizen Development Report, based on results from citizen developer attendees at its user conference, 97% of respondents had traditional word processing and spreadsheet skills, 36% had front end web development skills in HTML, CSS and JavaScript, and only 8% had traditional coding skills in Java, .NET, Ruby, PHP or C++.

However, all isn’t rosy. IT always needs to ensure that all apps are created and used according to policy, that regulated data isn’t being used outside an allowable scope, for example, and that appropriate security controls – such as access controls on that data – are enforced.

So it’s important that IT watch for these apps, then catalogue and manage them. When they are not up to policy, enterprise developers and other teams can work to get them there.

Monitor for citizen development

Security teams need to know what is going on. Not so much to stop citizen developers, but to make certain that confidential and regulation-protected data isn’t handled improperly. It’s important to monitor web and network traffic to identify these apps.

Cultivate and provide manageable development platforms

Provide a way for citizen developers to work within sanctioned platforms and systems. Look for low code and visual development tools and provide access to these platforms.

Provide development training

IT should provide access to declarative, low code development training. This will help citizen developers to properly develop the apps they need. It will also improve the quality of the apps and build security and compliance awareness.

Review for policy and security compliance

As these apps are identified and vetted, any that do touch confidential or regulated information need to be catalogued and made part of the standard security and regulatory compliance review.

Consider an enterprise App store

Consider instituting an app store or app catalogue where citizen-developed apps can be accessed by anyone interested in using them. This will help to avoid duplicate efforts, help the enterprise get more value from these apps, and create a central place where apps can be tested and vetted.

There’s no “one thing” with regard to securing citizen developers and, much like BYOD, there’s no sense trying to ban citizen developers. After all, the business needs to cultivate creativity. You just need to make sure it’s all done securely.

George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.