Power Platform Security Risks and Best Practices: What Every Enterprise Should Know
Nokod Security analyzed the Microsoft Power Platform landscape and discovered that untrained citizen developers are unknowingly introducing critical vulnerabilities like SQL injection and data leakage, effectively turning legitimate low-code applications and Power BI reports into unmanaged attack surfaces that can act as internal malware and bypass traditional security controls.
Introduction
The rise of low-code and no-code platforms has blurred the line between business and development. Employees can now automate tasks and build apps without code, but they often lack security training. This gap is why low-code platform security and no-code security automation have become critical. Most organizations underestimate their exposure – seeing only a handful of apps when hundreds may already exist. Each app, flow, or report adds to your attack surface, often without visibility or governance.
The Promise and Risk of Low-Code and No-Code
Low-code and RPA (Robotic Process Automation) tools have become the backbone of modern enterprise productivity. They empower business users, known as citizen developers, to create apps, dashboards, and automations without needing deep technical expertise.
This new reality saves time and unlocks creativity. But it also introduces a dangerous paradox: the people building apps aren’t trained in application security. As a result, vulnerabilities creep into production systems faster than AppSec teams can react.
Most security leaders assume low-code environments are small, internal, and isolated. The reality is far more complex. Nokod’s own security assessments have shown that organizations often have 10 to 100 times more LCNC (low-code/no-code) apps than they think – and nearly 15% of them are exposed externally.
When you multiply that across departments, platforms, and users, you get a growing attack surface that’s invisible to traditional tools.
Real-World Risks Hidden in Power Platform
1. The HR App That Exposed Salaries
Consider a scenario involving a global company’s HR department. They developed a basic Power App to track T-shirt sizes, which appeared to be a harmless citizen development project. Yet, because the app relied on client-side data filtering, the security was superficial. An employee was able to use standard browser developer tools to edit an API call and strip away the filter, instantly exposing the entire database and sensitive salary data.
The fix: Move filtering logic to the server side, through Power Automate flows that validate user identity. This shift from client-side to server-side validation is one of the simplest yet most important low-code security steps.
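The failure mode in the T-shirt-size app, as an added example that is not Nokod Security's or Microsoft's code: the Power App, its backend call and the data source are modelled as plain Python functions, the employee table is constructed sample data, and the field and parameter names are assumptions. The vulnerable handler honours whatever filter arrives in the request; the hardened handler derives the filter from the identity the platform supplies and projects only the columns the app needs.

```python
"""Client-side vs server-side filtering, modelled on the T-shirt-size HR app.

Added example, not code from Nokod Security or Microsoft. The Power App, its
backend call and the data source are modelled as plain Python; the employee
table is constructed sample data and the field names are assumptions.
"""

# Constructed sample data standing in for the HR table behind the app.
EMPLOYEES = [
    {"id": "u1", "name": "Ada", "tshirt": "M", "salary": 120000},
    {"id": "u2", "name": "Bob", "tshirt": "L", "salary": 95000},
    {"id": "u3", "name": "Cy", "tshirt": "S", "salary": 143000},
]

# The only columns the T-shirt-size app legitimately needs.
APP_FIELDS = ("id", "name", "tshirt")


def client_side_filtered_app(session, request):
    """Vulnerable pattern. The app builds a 'my row only' filter in the client
    and sends it as a request parameter; the backend honours whatever arrives.
    Editing the call in browser developer tools (dropping the parameter) makes
    the backend return the whole table, salaries included."""
    requested_filter = request.get("filter")          # attacker-controlled
    if requested_filter is None:
        return list(EMPLOYEES)
    return [row for row in EMPLOYEES if row["id"] == requested_filter]


def server_side_filtered_app(session, request):
    """Hardened pattern. The backend (a Power Automate flow in the real app)
    derives the filter from the verified caller identity it receives from the
    platform, ignores any filter the client sent, and projects only the
    columns the app needs, so salary never leaves the data source."""
    caller = session["user_id"]                        # from the platform, not the request
    rows = [row for row in EMPLOYEES if row["id"] == caller]
    return [{field: row[field] for field in APP_FIELDS} for row in rows]


def leaks_salary(result):
    """Does any returned row carry a salary column?"""
    return any("salary" in row for row in result)


if __name__ == "__main__":
    session = {"user_id": "u2"}
    normal_call = {"filter": "u2"}
    tampered_call = {}                                 # filter stripped in dev tools
    print("client-side, normal  :", client_side_filtered_app(session, normal_call))
    print("client-side, tampered:", client_side_filtered_app(session, tampered_call))
    print("server-side, tampered:", server_side_filtered_app(session, tampered_call))
```

The point of the hardened version is not the extra code but where the decision is made: the identity comes from the session the platform established, so nothing the client can edit changes which rows come back, and the salary column is never part of the response in the first place.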
2. The Form That Became a Phishing Tool
Another Power Platform flow combined Microsoft Forms and Power Automate. It automatically sent feedback results to an internal mailbox. Unfortunately, it inserted raw text directly into emails – without sanitizing inputs.
A malicious user exploited this to inject HTML and SQL code. The HTML rendered inside the email client, and the SQL injection revealed usernames and salaries.
What looked like a small automation turned into a full HTML injection and SQL injection vector inside the enterprise network.
The fix:
- Use parameterized queries in all Power Automate flows.
- Sanitize or escape user input before including it in messages or emails.
Internal automation doesn’t mean internal safety.
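Both fixes from the feedback-flow case side by side with the defect they replace, as an added example that is not Nokod Security's or Microsoft's code. The database connector is modelled with an in-memory SQLite table of constructed data and the email step as a function returning an HTML body; the table, column and payload values are constructed for the example. The same pattern applies to whichever SQL connector action and mail action a real flow uses (an assumption about the flow, not something the article specifies).

```python
"""Raw input in flows: SQL injection and HTML injection, modelled on the
Forms -> Power Automate -> email flow.

Added example, not code from Nokod Security or Microsoft. The database
connector is modelled with an in-memory SQLite table of constructed data and
the email step as a function returning an HTML body. Table and column names
are assumptions.
"""
import html
import sqlite3


def build_db():
    """Constructed sample data: the table the feedback flow looks submitters up in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Ada", "Finance", 120000), ("Bob", "Sales", 95000), ("Cy", "Legal", 143000)],
    )
    return conn


def insecure_lookup(conn, submitter):
    """Vulnerable: the form field is pasted straight into the query text."""
    sql = f"SELECT name, dept FROM users WHERE name = '{submitter}'"
    return conn.execute(sql).fetchall()


def secure_lookup(conn, submitter):
    """Fixed: parameterized query; the form field can only ever be a value."""
    sql = "SELECT name, dept FROM users WHERE name = ?"
    return conn.execute(sql, (submitter,)).fetchall()


def insecure_email_body(feedback):
    """Vulnerable: raw text becomes markup when the mail client renders HTML."""
    return f"<p>New feedback received:</p><p>{feedback}</p>"


def secure_email_body(feedback):
    """Fixed: escape before embedding, so the text is displayed, not rendered."""
    return f"<p>New feedback received:</p><p>{html.escape(feedback)}</p>"


# Constructed inputs of the kind the article describes.
SQL_PAYLOAD = "x' UNION SELECT name, salary FROM users --"
HTML_PAYLOAD = '<a href="https://login.example.invalid">Re-enter your password</a>'

if __name__ == "__main__":
    db = build_db()
    print("insecure lookup:", insecure_lookup(db, SQL_PAYLOAD))   # names and salaries
    print("secure lookup  :", secure_lookup(db, SQL_PAYLOAD))     # []
    print(insecure_email_body(HTML_PAYLOAD))                       # live link in the mail
    print(secure_email_body(HTML_PAYLOAD))                         # inert text
```

With the parameterized query the injected text is compared against the name column as a literal and matches nothing, and with escaping the link markup is shown to the recipient as text rather than rendered as a clickable element. Escaping belongs at the point where text is placed into HTML, not at form submission, because the same value may later be embedded in a different context.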
3. Power BI: When Internal Reports Go Public
Power BI reports are a growing risk because one simple click, “Publish to Web”, doesn’t just share a report: it exposes the entire dataset behind it. As our research team showed, anyone on the internet can pull hidden tables, non-displayed columns, and even filtered records that never appear in the UI. And because these public links often get indexed by search engines, they show up in Google just like any other webpage.
For companies with thousands of reports, a tiny mistake rate still turns into hundreds of exposed datasets containing real employee, customer, or financial information. This is why the Power BI security problem keeps surfacing: the exposure is silent, easy to miss, and easier to exploit.
The fix: turn off anonymous publishing at the tenant level and use continuous scanning to spot public links. Also make sure report owners understand what’s actually being shared: “Publish to Web” exposes the underlying dataset model, not just the visuals. So if you need to publish aggregated insights built on sensitive data, connect the report to an aggregated/sanitized dataset (or curated semantic model) rather than to the raw tables. A security assessment tool should automatically look for exposed URLs and alert the team the moment a report slips outside the organization.
4. Power Automate as a Malware Platform
Perhaps the most surprising example came from Nokod’s own internal research team. They built what they called “Power Malware”, a proof-of-concept that used legitimate Power Automate functionality to mimic ransomware.
It started innocently: a vacation-planning app shared with employees. But once opened, it triggered a flow that exfiltrated OneDrive files through anonymous links, sent phishing emails internally, and encrypted copies of documents remotely – all using Microsoft-approved actions.
The demonstration highlighted how RPA and low-code features can be misused by attackers. Unlike traditional malware, this type of threat doesn’t rely on new code; it uses the platform’s own features against itself.
Why Traditional Security Tools Don’t Work
Most organizations already use code security tools or application security platforms, but these don’t fit low-code environments. Traditional scanners look for vulnerabilities in source code, APIs, or dependencies. Low-code apps don’t have public source code; they’re built inside proprietary platforms like Power Apps or ServiceNow.
Even when data is accessible, it’s often abstracted in JSON or visual models, making static analysis nearly impossible. Manual reviews aren’t scalable either; citizen developers can create hundreds of flows in days.
This is where low-code security automation becomes essential. By connecting directly to the platform APIs, tools like Nokod Security can automatically extract configuration data, map connections, detect misconfigurations, and highlight real risks.
How Nokod Security Solves the Problem
Nokod Security was built for this exact challenge. It’s a low-code/no-code security automation platform that delivers continuous visibility, governance, and protection for LCNC environments.
It connects to platforms such as Microsoft Power Platform, UiPath, OutSystems, and ServiceNow to:
- Discover and Inventory all apps, automations, Power BI reports, and RPA bots across the organization.
- Detect and Assess vulnerabilities like hardcoded secrets, data leakage, injection risks, and unpatched connectors using Nokod’s security assessment tools.
- Enforce Policies to align citizen development with enterprise security and compliance standards.
- Remediate Automatically, sending one-click fixes or detailed instructions directly to the app creator.
The platform’s intelligence engine continuously learns from each scan, flagging recurring low-code risks and recommending preventive policies.
It’s not just for LCNC: Nokod’s technology extends to GenAI security, prompt injection detection, and AI agent security, making it one of the few code security platforms that unites LCNC and AI security posture management in a single solution.
Where RPA Meets Low-Code Security
RPA security presents similar risks. Flows often store credentials, manipulate files, or trigger automations without oversight. When combined with low-code workflows, they form complex dependencies that are difficult to monitor.
Key RPA risks include:
- Over-privileged service accounts that can access confidential data.
- Hardcoded secrets within scripts.
- Insecure connectors or shared drives.
- Third-party package vulnerabilities (e.g., CVE-2023-36019).
By integrating RPA systems like UiPath into the same visibility layer, Nokod Security helps teams enforce low-code compliance, eliminate shadow automation, and reduce exposure.
Building a Secure Program: Low-Code/No-Code Best Practices
Security teams shouldn’t fight citizen development; they should support it safely. The best approach is structured, automated, and educational. To truly secure the environment, organizations must adopt core security best practices that address both the “low-code” developers and the “no-code” business users.
A successful LCNC security plan focuses on three phases:
- Discover – Run a security assessment to inventory all Power Apps, flows, and reports. Tag app owners and classify sensitivity levels. You cannot secure what you cannot see.
- Secure – Establish a proactive baseline by implementing these specific Low-Code/No-Code Best Practices:
  - Environment Strategy: Strictly segregate Development, Test, and Production environments. This prevents citizen developers from unknowingly altering live data or exposing experimental no-code apps to the wider network.
  - Data Loss Prevention (DLP): Refine DLP policies at a granular level to block specific connectors from sharing data with non-business services (e.g., ensuring critical SQL data cannot be piped into unmanaged social media connectors).
  - Automated Checks: Apply automated validation for HTML injection, unencrypted data, and exposed Power BI dashboards.
- Govern – Maintain compliance and operational continuity.
  - Service Principals: Transition production automations to Service Principals rather than relying on individual user credentials. This ensures workflows remain secure and operational even if an employee leaves the organization.
  - Continuous Scanning: Use continuous scanning to trigger alerts for new public links and deliver ongoing feedback to creators.
Within weeks, this approach reduces risk, restores control, and enables the business to keep building – safely.
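The DLP rule behind the “Secure” phase, as an added example that is not Nokod Security's or Microsoft's code. Power Platform DLP policies place every connector in one of three groups (Business, Non-Business, Blocked); a flow or app may not combine Business and Non-Business connectors and may not use a Blocked connector at all. The policy, the connector identifiers, the default group for unclassified connectors and the flow inventory below are all constructed sample data, so the check runs offline the way a scan over a discovered inventory would.

```python
"""Granular DLP policy check over a flow inventory.

Added example, not code from Nokod Security or Microsoft. It implements the
rule Power Platform DLP policies enforce: every connector belongs to exactly
one group (Business, Non-Business or Blocked); a flow may not combine
connectors from the Business and Non-Business groups, and may not use a
Blocked connector at all. The policy, connector names, default group and
flow inventory are constructed sample data.
"""
BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-Business", "Blocked"

# Constructed policy in the spirit of the article's example: SQL data must
# never flow into unmanaged social media connectors.
SAMPLE_POLICY = {
    "name": "Finance environment DLP (constructed)",
    "default_group": NON_BUSINESS,        # where unclassified connectors land
    "groups": {
        "shared_sql": BUSINESS,
        "shared_sharepointonline": BUSINESS,
        "shared_office365": BUSINESS,
        "shared_twitter": NON_BUSINESS,
        "shared_dropbox": BLOCKED,
    },
}


def classify(policy, connector):
    """Return the DLP group for a connector, using the policy default when unlisted."""
    return policy["groups"].get(connector, policy["default_group"])


def evaluate_flow(policy, flow):
    """Return a list of human-readable violations for one flow (empty = compliant)."""
    violations = []
    groups = {c: classify(policy, c) for c in flow["connectors"]}
    for connector, group in groups.items():
        if group == BLOCKED:
            violations.append(f"{flow['name']}: uses blocked connector {connector}")
    business = sorted(c for c, g in groups.items() if g == BUSINESS)
    non_business = sorted(c for c, g in groups.items() if g == NON_BUSINESS)
    if business and non_business:
        violations.append(
            f"{flow['name']}: mixes business {business} with non-business {non_business}"
        )
    return violations


def scan_inventory(policy, flows):
    """Run the check over a discovered inventory, as a continuous scan would."""
    return [v for flow in flows for v in evaluate_flow(policy, flow)]


# Constructed inventory of the kind a discovery step would return.
SAMPLE_FLOWS = [
    {"name": "Invoice approvals", "connectors": ["shared_sql", "shared_office365"]},
    {"name": "Tweet sales figures", "connectors": ["shared_sql", "shared_twitter"]},
    {"name": "Backup to Dropbox", "connectors": ["shared_sharepointonline", "shared_dropbox"]},
    {"name": "Unknown SaaS sync", "connectors": ["shared_office365", "shared_acmecrm"]},
]

if __name__ == "__main__":
    for line in scan_inventory(SAMPLE_POLICY, SAMPLE_FLOWS):
        print(line)
```

The default group matters as much as the explicit classifications: with unclassified connectors defaulting to Non-Business, a flow that pairs a business data source with a connector nobody has reviewed yet (the “Unknown SaaS sync” case) is flagged rather than silently allowed, which is the conservative choice for an environment holding sensitive data.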
The Bigger Picture
This shift isn’t just about apps. It’s about responsibility. The rise of low-code has blurred ownership lines between IT, business, and security. Everyone is a builder now, but not everyone thinks like a security engineer.
Enterprises must adopt the mindset that every Power App, every Power BI report, and every automation is an endpoint, one that deserves the same protection as a production system.
And that’s the mindset behind Nokod’s mission: to secure the jungle built by no-coders.
Final Thoughts
Low-code innovation has transformed how work gets done. It has also introduced one of the largest unmanaged attack surfaces in the enterprise. The answer isn’t to slow down innovation; it’s to secure it through automation, visibility, and smart policies.
Nokod Security brings all of that together. From discovery to remediation, from low-code RPA to Power BI security, it gives you control over what used to be the wild west of citizen development.
If you’re serious about protecting your digital transformation journey, it’s time to see what’s really happening inside your LCNC environment.
👉 Request a free security assessment from Nokod Security and uncover your blind spots before attackers do.