By | Aug 25, 2021
CHANNEL: Information Management
In October 2020 I wrote an article on the risks and rewards of the citizen developer approach, urging proponents to put good governance practices in place. Almost one year later, cybersecurity firm UpGuard found an issue with default permissions in the Microsoft Power Apps environment which resulted in the exposure of upwards of 38 million records online.
To be clear, the vulnerability wasn’t inherent in the Power Platform architecture. What UpGuard found was that, despite a warning in the documentation, users had built a number of portals with default permissions left in place, which created the hole and exposed the records. Microsoft has since made changes to close the hole and improve default security.
Don’t get me wrong. I’m a fan of the no-code/low-code citizen developer movement. Industry analysts see no-code/low-code as the only way to get around shortages of professional developers to support digital transformation efforts. Growing investment in this category of software has resulted in an increase in the number and flavors of offerings. Apparently this proliferation led to some confusion among buyers, as Gartner released a briefing note on the differences between no-code and low-code earlier this year. According to Gartner:
Gartner recommends any buyer evaluating such products ensure the approach, as well as the product, supports the skill set of your developers, whether they are citizen developers in a business unit, or professional developers in IT.
But the skill level of your developer won’t necessarily matter in cases like the one outlined above. The problem UpGuard found could show up in any no-code or low-code development platform that arrives with some loosey-goosey recommendations in the documentation, which developers easily ignore. Good governance processes, while not preventing all issues, will help organizations make the most of no-code/low-code tools in a safe and secure manner.
Last year’s message still holds true:
“Ideally you’ll have an organizational policy and framework in place for governance of app development. It should be straightforward and address the risks and controls put in place to manage them.”
Along with establishing the policy, organizations using no-code/low-code platforms for agility and driving business benefit should have a good QA process in place. Even if you have only five or six business units building their own no-code solutions, it is worthwhile to have QA engineers on hand who can review and vet them first. While this will require a little more investment in both time and budget, it will potentially save you the embarrassment (and potential legal headaches) of a simple misconfiguration leading to a breach of customer records.
Which leads me to another reason why I chose to revisit this topic. While I remain a huge fan of the no-code/low-code movement in general (including the Microsoft Power Platform) and I understand why evangelists and advocates believe this could be the way of the future, I have to question some of the internal decisions organizations are making around use of such tools.
If the business pain point you are solving for includes a public or customer-facing application, doesn’t that inherently involve more risk than an app deployed internally, within an organization’s firewalls and security perimeter? In which case, despite the advantages of agility and time to market, can you really accept the risk of citizen developers building a no-code solution that goes to market without being vetted and approved by IT? If your IT teams are using low-code platforms to support agile responses, rapid prototyping and speed to final solution, this doesn’t remove the obligations for good development practices, including code reviews and testing with a specific eye towards security.
The UpGuard discovery has reminded us of the need for good governance around no-code and low-code development. Putting a policy in place does not need to slow processes down or make them more complex. Find the right balance that meets your risk appetite, but be wary of doing nothing, lest you find millions of your customers’ records being shared on the dark web.

Jed Cawthorne is Director, Security & Governance Solutions at NetDocuments. He is involved in product management and working with customers to make NetDocuments’ phenomenally successful products even more so.