Shadow App Development: Insider Threat or Opportunity? | Threatpost

The demand for software within an enterprise is relentless. The typical enterprise is running hundreds of applications—perhaps thousands if it’s a global organization. And with the rapid digitalization of business processes underway, the amount of software in use in the typical business is only going to grow tremendously in the years ahead. The challenge for most enterprises is that the demand for software is so high that traditional development teams often can’t keep up.
Others in your organization are going to try to keep up with that demand, but this is where trouble can creep into your organization.
Historically, enterprise software, especially mission-critical software or customer-facing applications, was managed within the formal purview of the IT department. But today, thanks to cloud, rapid development platforms, and even newer so-called "no code" development platforms, just about anyone in the organization can take it upon themselves to develop an application. These tools have become so easy to use and so sophisticated that someone in marketing, sales, finance or another department who has never written a line of code can build an app.
This is, of course, phenomenal for productivity. Demand for development has never been higher. Enterprises need more mobile apps, software tools to manage more devices, software to engage with customers on an ever-growing list of communication channels, and software to effectively manage all the data they are collecting. When users need an application, they typically go to IT, but they had better be prepared to wait, and wait. Thanks to citizen developers, there is much less waiting.
Risks of Citizen Developers
Of course, this creates increased risk. While it is not a malicious risk or a threat from an adversary, it is nonetheless a risk that originates inside the organization. And it is an insider risk that more and more enterprise security teams are finding themselves having to grapple with.
There are two ways enterprises can deal with this risk. The first is to try to ban citizen development in the organization: every time a "rogue" app is uncovered, shut it down and route the work through a formal process under the IT department. The problem here is that professional developers are scarce and likely to remain so for a long time. According to the U.S. Bureau of Labor Statistics, the number of jobs for software developers is projected to grow 24 percent, considerably faster than average job growth, so the backlog that drives citizen development is not going away.
Managing Citizen Developer Risks
The second is to manage it. This is the more realistic approach. We are moving into a new world where everybody is a coder. If security is not managed properly for these citizen developers, organizations are going to face steep data security and regulatory compliance challenges. That is why wise organizations will encourage citizen developers while also putting in place the right tools to ensure their work is properly secured. This way, citizen developers can help the organization be productive, alleviate application backlogs, and generally take stress off the software development team.
Maybe you are asking what could go wrong: these are people building small apps, not big backend enterprise systems. Well, citizen developers, well-meaning as they are, can create serious security issues. The risks range from weak or missing authentication to exposing regulated or confidential data. They may introduce simple web application flaws that attackers can easily exploit. They may be unaware of certain regulatory rules and inadvertently put the organization at risk of drawing the ire of regulators. No one wants that.
Reaping the Rewards of Citizen Developers
There are a number of things organizations can do to minimize this risk. The first is to build security awareness. As citizen developers become more prevalent, it is important that they also become aware of the jeopardy they can create and the insider risk they can pose.
Organizations with citizen developers also need to make the right tools and training available to those who will be developing applications. Citizen developers need to know which types of data are regulated or confidential, so that once an app is complete, security can make sure the right controls are in place. Organizations can also provide primers on how to code securely. Much of this material can be assembled by aggregating what the low-code platform providers already publish, and organizations can, over time, add security requirements specific to their own environment.
Keep in mind that these citizen developers do not need to become security or IT experts; they primarily need to be aware of the issues so they can avoid novice mistakes. And they need to be prompted to notify IT about the apps they build, so that the data can be properly managed, secured, backed up, and included in disaster recovery programs. There is nothing worse than an organization suffering an outage and discovering that a critical application built outside the formal process was never backed up. When everyone is communicating, these things do not have to happen.
In this way the citizen developer, when properly cultivated, can help move the organization forward without unduly increasing security risk.
(About Rob Juncker, senior vice president of research and development and operations at Code42. His background is in security, cloud, mobile and IT management. Before joining Code42, Juncker was vice president of research and development at Ivanti, a leader in the security and IT management space.)