What Building Application Security Into Shadow IT Looks Like

AppSec is hard for traditional software development, let alone citizen developers. So how did two people resolve 70,000 vulnerabilities in three months?

Michael Bargury, CTO & Co-Founder, Zenity

June 24, 2024

[Image: Businesspeople cast long shadows during morning rush hour inside Grand Central Station. Source: David Grossman / Alamy Stock Photo]

Application security (AppSec) programs are hard to run, and the applications they cover are riddled with vulnerabilities. Overloaded staff face an inadequate budget. Communication with developers is challenging. These sayings are so true, so ubiquitous, that they’ve become tropes. This is why meeting a team of two who managed to resolve 70,000 security vulnerabilities in three months made me gasp.

70,000 Vulnerabilities? Really?

Actually, they found 80,000, 70,000 of which they were able to fix within 90 days. These numbers do not indicate particularly vulnerable applications. They indicate taking a real look in the mirror, beyond the usual lines drawn in the sand between professional development and citizen development, which we sometimes call shadow IT.

Citizen developers are now embedded in every part of large enterprises. Yes, that includes yours. Last year, Microsoft announced that Power Platform, its popular low-code/no-code platform built into M365, had surpassed 33 million users, growing 50% year over year. These users work for the enterprise — your enterprise. They build critical applications, from finance to risk and customer care. It’s a real boost to digital transformation, for the business and by the business (user).

Citizen Development Security Challenges

A few aspects of citizen development make building an AppSec program around it particularly challenging:

  • The scale of citizen development is between 10x and 100x that of professional development, whether you measure it in terms of numbers of developers, number of applications, or any other metric.

  • The variance between business units can be so big that it is easier to think of some business units as separate entities. Indeed, in a large enough corporation, some business units fall under different laws and regulations and have a different risk appetite.

  • Citizen developers, as business users, are not security-savvy. If you try to explain injection attacks to a business user, it would probably not be a fruitful conversation or a good use of anyone’s time. Citizen developers should do what they do best: move the business forward.

  • Finally, the lack of process can be tricky — citizen development is all about moving fast. You edit right in production, adapt quickly, and move forward.

Fortunately, some standards have emerged that document and categorize the security vulnerabilities in low-code/no-code apps built by citizen developers.

AppSec for Citizen Development

The good news is that the unique challenges of citizen development force us to think outside of the box. Any manual review or process goes out the window. Blocking business users from developing software is never a real option, even when we pretend it is.

Building a successful AppSec program for citizen developers requires heavy reliance on automation and self-service. We need to design a process, think about the edge cases, and automate it completely. For example, when a developer says they have fixed an issue, can you retest to confirm? Is there a clear route for escalation and asking for exemptions? What happens when service-level agreements (SLAs) aren’t met? We have answers to all of these questions for traditional AppSec, relying on the software development life cycle and years of working with developers. Though none of the established processes work as is with citizen development, we can use our learnings from pro developers to design a solution that does.

To build your program, start with the basics:

  1. Inventory. Know what you have, but don’t stop there. Ask: Who is the owner for each app?

  2. Policy. Clarify your risk appetite. Which applications are outside of your accepted use cases? Which should never have been built?

  3. Security assessment and retesting. Know your risk, and have a way to automatically test whether this risk has been mitigated.

  4. Self-service. Provide clear documentation. Create a self-service portal where citizen developers can learn about issues and how to fix them, where they can ask for clarification or exemptions.

  5. Enforce SLAs. What happens if a vulnerability isn’t fixed under an SLA? Take preventive action where possible.

  6. Track and report. Ensure you get and maintain executive tailwinds by keeping everyone informed on progress.

  7. Management buy-in. Making progress at a fast pace requires a strong tailwind from management. Clarify the security risk you are mitigating, and tell an enablement story rather than a blocking story.
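The automation the list above calls for (inventory with owners, policy as SLA thresholds, rule-based assessment, automated retest of a claimed fix, and an SLA report that names who to escalate to) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Zenity, or from any low-code platform. The inventory fields, the three rules, the SLA day counts and the sample apps are all assumptions constructed for illustration, not a real export format.

```python
"""Minimal automated AppSec loop for citizen-developed apps (added example).

Covers inventory -> policy -> assessment -> retest -> SLA enforcement -> report.
Every field name, rule and threshold below is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy (assumed values): how many days a finding of each severity may stay open.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class App:
    """One row of a (hypothetical) inventory export."""
    app_id: str
    owner: Optional[str]         # None: no accountable owner could be resolved
    business_unit: str
    shared_with: list            # principals the app is shared with
    connections: list            # dicts such as {"type": "sql", "secret_in_app": True}


@dataclass
class Finding:
    app_id: str
    rule: str
    severity: str
    opened: date
    fixed: bool = False

    def due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.severity])


# Assessment rules (assumed, illustrative): name -> (check, severity). A check returns
# True when the app violates the rule, so the same function drives the initial
# assessment and the automated retest.
RULES = {
    "no-accountable-owner": (lambda a: a.owner is None, "high"),
    "shared-with-entire-tenant": (lambda a: any(p.lower() == "everyone" for p in a.shared_with), "critical"),
    "credential-embedded-in-app": (lambda a: any(c.get("secret_in_app") for c in a.connections), "critical"),
}


def assess(apps: list, today: date) -> list:
    """Step 3: run every rule over every inventoried app; one finding per violation."""
    return [Finding(a.app_id, name, sev, today)
            for a in apps for name, (check, sev) in RULES.items() if check(a)]


def retest(findings: list, apps: list) -> list:
    """Step 3 again: confirm a claimed fix by re-running the rule on the current state.
    An app that has disappeared from the inventory counts as resolved."""
    by_id = {a.app_id: a for a in apps}
    for f in findings:
        if f.fixed:
            continue
        app = by_id.get(f.app_id)
        f.fixed = app is None or not RULES[f.rule][0](app)
    return findings


def sla_report(findings: list, apps: list, today: date) -> dict:
    """Steps 5 and 6: what is open, what is past its SLA, and who to escalate to."""
    owner_of = {a.app_id: (a.owner or "UNOWNED", a.business_unit) for a in apps}
    open_ = [f for f in findings if not f.fixed]
    overdue = [
        {"app_id": f.app_id, "owner": owner_of[f.app_id][0],
         "business_unit": owner_of[f.app_id][1], "rule": f.rule,
         "days_overdue": (today - f.due()).days}
        for f in open_ if today > f.due()
    ]
    return {"total": len(findings), "fixed": len(findings) - len(open_),
            "open": len(open_), "overdue": overdue}


DAY0 = date(2024, 6, 24)


def sample_apps() -> list:
    """Constructed sample inventory (not real data); fresh copy on every call."""
    return [
        App("app-finance-01", "alice", "Finance", ["Finance Team"], [{"type": "sql", "secret_in_app": True}]),
        App("app-hr-02", None, "HR", ["Everyone"], []),
        App("app-ops-03", "bob", "Operations", ["Ops Team"], [{"type": "sharepoint", "secret_in_app": False}]),
    ]


def run_campaign() -> dict:
    """Whole loop on the sample: assess on day 0, simulate one fix, retest, report on day 10."""
    apps = sample_apps()
    findings = assess(apps, DAY0)              # three findings across two apps
    apps[1].shared_with = ["HR Team"]          # HR narrows sharing; the finance app is untouched
    retest(findings, apps)
    return sla_report(findings, apps, DAY0 + timedelta(days=10))


if __name__ == "__main__":
    import json
    print(json.dumps(run_campaign(), indent=2))
```

The point of keying each finding to the rule that raised it is that retest needs no human confirmation: the developer claims a fix, the rule is re-run against the current app state, and the finding closes only if the violation is actually gone. The report then surfaces just the items past their SLA together with the owner and business unit, which is the list you escalate or take preventive action on.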

The team I mentioned at the beginning of this article followed all of these points and more. They invested time in designing the process, down to its nooks and crannies. This gave them the confidence to hit “play” on the campaign and drastically reduce the security risk in their environment.

It’s an incredible success — two employees, three months, 70,000 vulnerabilities, no business disruption. Those results may be exceptional, but you can achieve incredible results at your business as well.

About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.
