In October 2020 I wrote an article on the risks and rewards of the citizen developer approach, urging proponents to put good governance practices in place. Almost one year later, cybersecurity firm UpGuard found an issue with default permissions in the Microsoft Power Apps environment which resulted in the exposure of upwards of 38 million records online.
To be clear, the vulnerability wasn't inherent in the Power Platform architecture. What UpGuard found was that, despite a warning in the documentation, users had built a number of portals left at default permissions, which created the hole and exposed the records. Microsoft has since made changes to close the hole and improve default security.
The Full Promise of No-Code, Low-Code Won't Be Realized Without Governance
Don't get me wrong. I'm a fan of the no-code/low-code citizen developer movement. Industry analysts see no-code/low-code as the only way to get around shortages of professional developers to support digital transformation efforts. Growing investment in this category of software has resulted in an increase in the number and flavors of offerings. Apparently this proliferation led to some confusion among buyers, as Gartner released a briefing note on the differences between no-code and low-code earlier this year. According to Gartner:
- No-code is a marketing term. It is used to imply the tool or tool-set in question is aimed at non-professional developers.
- Low-code, however, suggests support for scripting or other capabilities that extend beyond a pure no-code approach.
Gartner recommends any buyer evaluating such products ensure the approach, as well as the product, supports the skill set of your developers, whether they are citizen developers in a business unit, or professional developers in IT.
But the skill level of your developer won't necessarily matter in cases like the one outlined above. The problem UpGuard found could show up in any no-code or low-code development platform that arrives with some loosey-goosey recommendations in the documentation, which developers easily ignore. Good governance processes, while not preventing all issues, will help organizations make the most of no-code/low-code tools in a safe and secure manner.
A Governance Framework and a Question of Risk
Last year's message still holds true:
“Ideally you'll have an organizational policy and framework in place for governance of app development. It should be straightforward and address the risks and controls put in place to manage them.”
Along with establishing the policy, organizations using no-code/low-code platforms for agility and driving business benefit should have a good QA process in place. Even if you have only five or six business units building their own no-code solutions, it is worthwhile to have QA engineers on hand who can review and vet them first. While this will require a little more investment in both time and budget, it will potentially save you the embarrassment (and potential legal headaches) of a simple misconfiguration leading to a breach of customer records.
Which leads me to another reason why I chose to revisit this topic. While I remain a huge fan of the no-code/low-code movement in general (including the Microsoft Power Platform) and I understand why evangelists and advocates believe this could be the way of the future, I have to question some of the internal decisions organizations are making around use of such tools.
If the business pain point you are solving for includes a public or customer-facing application, doesn't that inherently involve more risk than an app deployed internally, within an organization’s firewalls and security perimeter? In which case, despite the advantages of agility and time to market, can you really accept the risk of citizen developers building a no-code solution that goes to market without being vetted and approved by IT? If your IT teams are using low-code platforms to support agile responses, rapid prototyping and speed to final solution, this doesn't remove the obligations for good development practices, including code reviews and testing with a specific eye towards security.
UpGuard Provides a Timely Reminder
The UpGuard discovery has reminded us of the need for good governance around no-code and low-code development. Putting a policy in place does not need to slow processes down or make them more complex. Find the right balance that meets your risk appetite, but be wary of doing nothing, lest you find millions of your customers' records being shared on the dark web.