Hi,
I'm looking into detecting technical vulnerabilities in Microsoft Power Platform as early as possible, and patching any vulnerabilities that might pop up.
Our high-code teams are currently using software solutions like Mend and SonarQube to get automated notifications in case security issues are detected.
My understanding is that in PowerPlatform, these issues are largely delegated to Microsoft. Looking at the source code of PowerApps, these are mostly just JSON configurations that manage the platform, not "real" code.
I'm aware that in custom code / components scenarios, we will have to use the above solutions to manage risks and dependencies. For PowerAutomate Cloud: technical vulnerabilities are mostly delegated to the connectors. The base assumption is that as long as the underlying service and authentication method are safe, there should be limited security implications. Similar reasoning for PowerAutomate Desktop: as long as the VM is secure (through DLP, limitation of IPs, websites to crawl, ...), PowerAutomate Desktop security issues are manageable.
My main question revolves around PowerApps, both Canvas and Modern. Microsoft has a "recommended best practice" to publish apps every six months to "ensure the best performance". But doesn't this mean that PowerApps do not get security patched either, if they use an outdated runtime?
I've browsed through a number of blog posts, but none of them mention this specific aspect of PowerApps, so I'm wondering if anyone has covered this? If a UI component has a security flaw that can be exploited, my understanding is that it would not be patched until someone publishes a new version of that app.
Of course, if someone already has access to a button on a PowerApp, there are bigger concerns, but still...
Kind regards,
Wim
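Added example (not part of the original post, and not Microsoft's or the poster's code): whatever the answer to the runtime question turns out to be, the first thing an admin needs is an inventory of which apps were last published when, and with which authoring client version. The script below builds that inventory with the Microsoft.PowerApps.Administration.PowerShell module and flags apps older than the six-month guidance mentioned in the post. It assumes the raw app metadata under `$app.Internal.properties` exposes `lastPublishTime` and `createdByClientVersion`; those property names are an assumption here and should be checked against the output in your own tenant before relying on them. The `$MaxAgeDays` parameter and the CSV file name are also the example's own choices.

```powershell
# Added example: list Power Apps whose last publish is older than a threshold,
# together with the client version they were published with.
# Requires: Install-Module Microsoft.PowerApps.Administration.PowerShell
# Assumption: $app.Internal.properties carries lastPublishTime and
# createdByClientVersion (verify against Get-AdminPowerApp output in your tenant).
param(
    [int]$MaxAgeDays = 180   # the "republish every six months" guidance from the post
)

Import-Module Microsoft.PowerApps.Administration.PowerShell -ErrorAction Stop
Add-PowerAppsAccount        # interactive admin sign-in

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)

$stale = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        $props = $app.Internal.properties   # raw app metadata (assumed shape, see above)

        # Apps with no recorded publish time are treated as stale: unknown is not "fresh".
        $published = $null
        if ($props.lastPublishTime) { $published = [datetime]$props.lastPublishTime }

        # Authoring client version used for the last publish; this is the version you
        # would correlate with Power Apps release notes, not a runtime patch level by itself.
        $ver = $props.createdByClientVersion
        $verString = 'unknown'
        if ($ver) { $verString = "$($ver.major).$($ver.minor).$($ver.build).$($ver.revision)" }

        $days = $null
        if ($published) { $days = [int](($now - $published).TotalDays) }

        if (-not $published -or $published -lt $cutoff) {
            [pscustomobject]@{
                Environment                = $env.DisplayName
                App                        = $app.DisplayName
                AppName                    = $app.AppName
                Owner                      = $app.Owner.email
                LastPublished              = $published
                DaysSincePublish           = $days
                PublishedWithClientVersion = $verString
            }
        }
    }
}

$stale | Sort-Object LastPublished | Format-Table -AutoSize
$stale | Export-Csv -Path .\stale-powerapps.csv -NoTypeInformation   # hand-off list for app owners
```

The output is an inventory, not a vulnerability report: it tells you which apps have not been republished in six months and which client version baked into them, which you then have to correlate yourself with release notes or advisories for the components those apps use. Run it on a schedule (for example from the same pipeline that already collects Mend or SonarQube findings) so that stale apps surface alongside the high-code alerts rather than in a separate process.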