Since the Power Apps portals data leak reported last week, we’ve been asked questions on the security of low-code platforms. In this context, some common-sense points must be made:

  • Low code is not inherently less secure than any other software. Low-code platforms provide visual tools and building blocks for speeding and simplifying app development and can actually make it easier to develop technically secure apps than traditional coding. But, like professional coding tools or other software products, low code still can be misconfigured (as in this incident) and the security defaults may be insufficient or different than you assume.
  • Most (if not all) portal vulnerabilities in this case were introduced by IT teams, not citizen developers. How do we know this? 1) In our experience, many firms disable the ability to create public-facing portals in their low-code platforms that businesspeople are allowed to use; 2) the scale and flavor of use cases identified in the vulnerability sound more like IT projects (e.g., the dealer portal for a large auto manufacturer) rather than citizen developer projects; and 3) the specific vulnerability was based on enabling an OData API — a feature that a nontechnical citizen developer is unlikely to use.
  • Citizen dev tools require security by default even more urgently than pro-coder tools. Pro coders frequently make security mistakes — businesspeople will do no better. This incident hammers home the necessity for security experts to review the security defaults and configurable guardrails of low-code platforms aimed at scaled citizen developer programs, as well as ensure that security awareness is part of any citizen development strategy.

For more information, read our report: Don’t Ignore Security In Low-Code Development.

Also, be sure to check out the agenda for our Security & Risk event November 9-10.