38 million records exposed by misconfigured Microsoft Power Apps. Redmond's advice? RTFM Forty-seven government entities and privacy companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant's Power Apps, a low-code service that promises an easy way to build professional applications. Security biz UpGuard said that in May one of its analysts found that the …
"... Tracy Barnes, chief information officer for the State of Indiana, ..."
Can someone start a public web site of "doesn't get security" CxOs? Just copy the pertinent bits of news and court reports. Or even just URLs to those.
Even with a disclaimer of " apparently doesn't get security", it would serve as a wall of shame.
And that's where it falls flat on its face.
Low code is a misnomer, a lie. Joe Public is going to believe that it will allow him to easily make the program he needs, but the provider is going to have 1000 pages of EULA to ensure that any cock-up is Joe Public's fault.
Just like a Tesla, actually. Except that, with low code, at least you won't kill yourself letting it drive itself.
> Marketing tries to make all things consumer
Indeed, and that's precisely the problem here: On the one hand everything is dumbed down, on the other hand it still requires the same situation awareness and analytical mind.
That's never going to work, people either pay attention or they don't. You can't dumb down the GUI and leave the underlying principles as complex as those of a full-fat system. That is valid for a huge range of things, from self-driving cars to all kinds of computer programs, websites, and all the other stuff apparently needing dumbing down to appeal to the idiots among the prospective clients.
Everytime I create a DB I create immediataley some roles also with the required permissions only, and developers get user with such roles assigned. Occasionally while creating a new table I may forgot to grant permissions to a role, and of course that breaks something until I fix it.
Developers immediately complain "why can't we have the database owner user, so permission are not an issue?" Guess why not...
‘Low code’ is a term that sounds like it was invented by Marketing and picked up by ‘fake it til you make it’ folk who have become responsible for ‘making stuff happen’ in an organisation dispute a good enough track record in the relevant areas.
A decent set of market requirements, a decent set of engineering requirements will guide the design and hence the most suitable tooling. But it seems the implementation paradigm is chosen very early. Also, seems that the engineering testing phase and documentation simply is crud in these projects - like ‘is data accessible from outside the system, test all the API endpoints as a non-authenticated user/getter.’
My guess is that a lot of these low code implementations lack proper development processes or governance and are put into service when they ‘work’ and IT supports it and that’s the end of the project. The users don’t know if it’s a mess of licenced blobs thrown together, and IT aren’t responsible for auditing the design or implementation of systems they are ‘given’ to support. And so the company bumbles along never checking how much technical debt or risk they are accruing until the wheels fall off completely in a totally inevitable way.
"a lot of these low code implementations lack proper development processes or governance and are put into service when they ‘work"
That sounds extremely familiar to me across the entire range of organisations I've consulted with. I've never encountered either an internal dev team that followed formally documented (or even rule of thumb standardised) development processes, or any organisation that exercised governance over the either the development team or its results.
In my experience, everyone just wings it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
