We are living in an era where software development has evolved to a stage where it can be executed even by developers with very little technical know-how.
This also neatly dovetails with the fact that the demand for software programmers continues to be humongous and the salaries for programmers are among the highest across all sectors, except those that can bat better than .270 consistently against Major League pitching. Those athletes are paid even better, but I will not digress any more on that!
At the same time, the complexity of modern business applications has grown to the point where a number of IT departments in companies across the world are unable to build needed applications in-house.
The emergence of citizen developers
Although cloud computing has made some difference in terms of closing this gap, there is still a large gap that needs to be addressed with regards to the development of custom applications. All these trends are converging into a perfect storm of favorable receptivity for the notion of “citizen developers.” In short, a citizen developer is not a professional developer but an “amateur” end user who builds his own programs that will make his work easier. With low-code platforms concurrently picking up pace, the trend has only become even more pronounced.
However, what does this wave of citizen developer-driven development mean for your Enterprise’s IT security? Read on to find out.
Catalysts that support the citizen developer
Some factors are paramount for supporting citizen development. Enterprise IT can play catalytic role in this regard.
The rise of cloud computing has been instrumental in the opening up of citizen development. With the availability of cloud-based platforms, access to corporate data has been highly simplified. In the past, end user development had been limited to workgroup-based or single-user situations.
Now in an environment free of many of those restrictions, end users have the freedom to build enterprise, departmental, and public applications by using 4GL development platforms, cloud computing services, and shared-services platforms.
The availability of low-code platforms means that citizen developer projects can enjoy short cycle times and enable greater organizational agility. The low-code platforms support visual development and rapid prototyping.
It is critical to permit citizen developers only with the support of the IT team. If applications are allowed to be created using tools that are not approved by IT, then it amounts to shadow IT and not citizen development.
Just because the term used is “citizen development” and it indicates an open-access platform does not mean that you should allow your department to become the Wild West and ignore certain protocols. IT organizations can step forward in this regard by supporting open systems and technologies to enable citizen development in an elegant and secure way.
Implications of the citizen developer on enterprise IT security
The implications of citizen development on enterprise IT security are manifold and significant.
There can be significant risks of compliance and security-related problems if citizen development is not supported with an orderly framework. Low-code development tools should be carefully evaluated before being deployed for use. The tools should support governance and compliance-related functionality like access controls.
Even with access controls in place, citizen development has the capacity to open up newer attack points for hackers. When an organization’s IT department decides to enable citizen development, it would, in all likelihood, choose a cloud-based one with anywhere access and open systems. There is the unfortunate chance that there may be a number of new attack points for hackers to exploit, which is something to worry about.
Mitigating risks
It is highly recommended that organizations carry out a comprehensive security audit before enabling citizen development. Such a security audit would completely analyze all the attack points and expose all the vulnerable application access paths that would need to be sealed or protected.
Process compliance can be a weak point of citizen development, which can lead to the occurrence of hacker attacks and loss of data. This is particularly true for the user ID and password-related functionality. For instance, sometimes, when applications are developed in a citizen development model, hashing and encryption standards are not followed. This can lead to a large number of user IDs and passwords being compromised. It can also lead to loss of data.
It is imperative that citizen development projects are run, executed, and administered with process standards having the same rigor as for all projects in general. The ISO and British standards along with CMM provide an excellent framework on which apps can be developed.
Citizen developers need to be provided the same training as regular developers. Training should not only focus on the security and compliance aspects, but also emphasize the following of proper standards for requirement gathering, analysis, design, coding, and testing.
Simplicity is a salient aspect of an IT environment that needs to be taken care of to ensure that citizen developers are able to follow due standards of compliance. Of course, simple does not mean weak standards. The development platform should still incorporate robust security measures, and key security services should be made accessible via a simple API framework.
The only aspect of simplicity relates to the manner in which the controls are made accessible and intuitive to execute.
Enabling the citizen developer with in-house developers
It is rarely a prudent idea to entrust all of your organizations IT work to citizen developers. Always maintain a significant presence of your fulltime programmers. The involvement of fulltime programmers is essential for various purposes. Some of them are as follows:
- Fulltime programmers are able to understand the big picture of the application environment. This makes them invaluable, particularly during the time of analysis, design, and testing. During analysis and design, fulltime programmers should be given the tasks of reviewing documents, code, and designs. Their expert knowledge is needed to make applications robust.
- Fulltime programmers are critical to guide and handhold citizen developers where needed. They form a critical part of the interface and governance model that the IT department uses to work with citizen developers. They can also help enforce process standards in projects.
Some key points pertaining to citizen development:
- Data encryption is critical. Always enforce encryption standards for data transportation and storage.
- Provide mobile SDKs, which can be used to manage the applications in the right manner.
- It is highly recommended that you support memory-driven languages such as Java, as far as citizen development goes.
- Have a dedicated and designated team suited for citizen development-driven projects and to ensure that any application deployed without the knowledge of the IT department or this team is checked out for potential risks and brought into the purview of the citizen developer interface via due process.
Seize the opportunity
The advent of citizen development has brought forth an enormous opportunity for IT departments to streamline and speed up their app development process.
As is the case with most major trends such as BYOD, citizen development presents enormous opportunity combined with medium to high levels of risk. The risks can be carefully managed so as to ensure that the opportunity presented by citizen development can be utilized fully.
Photo credit: Flickr / Moominforest
we are just starting the journey. Good article, thank you!
Thanks Tom. OK, good luck. The economy is good, this is the time to try new things. I hope your week is going well.