If you read the UpGuard report on PowerApps Portals security, which came out a few days ago, you might start panicking, and, I’d say, rightfully so:
https://www.upguard.com/breaches/power-apps
Danish has already covered the technical side in his blog post, so there is no need to discuss the technicalities here.
But, then, on the high level, what did I actually learn from that article by UpGuard?
To put it simply, I learned a few things:
Having a low-code platform at your disposal does not mean that you can ignore all the standard / best practices you would normally follow in the pro-code world
As in, security testing is not something you would normally ignore, so how come you would not do this kind of testing in the low-code world? The explanation is, likely, extremely simple, even if it is quite concerning: low code allows you to develop things quickly, and it almost encourages you not to spend as much time on testing as you would otherwise. It’s been mentioned many times that citizen developers are not very likely to follow the same practices pro developers would, so it’s not that surprising that certain things are ignored. And it just so happens that security/vulnerability testing is one of those.
Going by analogy, you would take some precautions not to cut your finger when using a knife. And you would not saw the branch you are sitting on. And you would probably wait for the coffee to cool down a little bit before drinking it.
Of course some folks would sue coffee chains for making coffee too hot, but I will leave it to you to decide whether this makes any sense to start with.
Long story short, low-code makes it easier to develop applications for non-developers, but it does not necessarily mean you can just go wild with this and let everybody do whatever they want.
That said, I’ve also learned something else.
There is a multitude of clients who are using PowerApps Portals, and there are some big names there
UpGuard has a bunch of those names in their article, so this really got me thinking. See, due to the somewhat cumbersome licensing model (per-login fees? Come on, this essentially eliminates a lot of portal scenarios), and, in general, due to how portals are supposed to be developed / maintained, I have never considered them as important as model-driven or canvas apps. But, given the scale of the clients mentioned in that UpGuard post, and keeping in mind the number of records that may have leaked (and assuming that’s the smaller part), apparently portals do have an important place in the Power Platform ecosystem.
Of course the fallout from that post will, likely, continue for a while. Eventually, clients will learn their lessons, Microsoft will enable security by default, UpGuard will get some additional publicity, and, then, things will settle down. But, if there is anything I’m going to take away from this story, it’s this:
- This is a great example of why “pro” developers are still relevant in the Power Platform world
- This is also a great motivation for those of us who have not spent too much time working with PowerApps Portals to start ramping up our skills
- And, finally, this is a great list of “reference projects” we all can use now if a prospective client wanted to get some examples of the “PowerApps Portal projects”