Power Platform Community Forum Thread Details

Hi,

I'm looking into detecting technical vulnerabilities in Microsoft Power Platform as early as possible, and patching any vulnerabilities that might pop up.

Our high-code teams are currently using software solutions like Mend and Sonarcube to get automated notifications in case security issues are detected.

My understanding is that in PowerPlatform, these issues are largely delegated to Microsoft. Looking at the source code of PowerApps, these are mostly just JSON configurations that manage the platform, not "real" code.

I'm aware that in custom code / components scenarios, we will have to use the above solutions to manage risks and dependencies. For PowerAutomate Cloud: technical vulnerabilities are mostly delegated to the connectors. The base assumption is that as long as the underlying service and authentication method is safe, there should be limited security implications. Similar reasoning for PowerAutomate Desktop: as long as the VM is secure (through DLP, limiation of IP's, websites to crawl,...) , PowerAutomate Desktop security issues are manageable.

My main question revolves around PowerApps, both Canvas and Modern. Microsoft has a "recommended best practice" to publish apps every six months to "ensure the best performance". But doesn't this mean that PowerApps do not get security patched either, if they use an outdated runtime?

I've browsed through a number of blog posts, but none of them mention this specific aspect of PowerApps, so I'm wondering if anyone covered this? If a UI component has a security flaw that can be exploited, my understanding is that it would not be patched until someone publishes a new version of that app.

Of course, if someone already has access to a button on a PowerApp, there are bigger concerns, but still...

Kind regards,

Wim

Categories:

Governance & administering

My confusion mainly came from the below blog post. It indicated that as from 2017, an app would not have product updates applied when new versions of the client are released. My conservative reading was that this would mean that an app was using the old client until it's published again.

Now I understand that I was misreading the blogpost. Before, they were updating actual app logic. As from 2017, they stopped doing that, meaning your app can theoretically break at any point in time if the client would be updated. I also understand that the "Power Apps release" column in de "App details" section is just FYI, and does not indicate the actual client version the app is running in. The client is always up-to-date.

This makes the six-month-republish-requirement a best practice, and not a security necessity. Updated my own thread just in case someone would find it at a later point in time.

Apps you’ve built and published will no longer auto-update - Microsoft Power Platform Blog