Code quality matters for security: simple mistakes in handwritten code are easy to make and open an application to vulnerabilities. No-code platforms reduce that risk by eliminating handwritten code, which moves responsibility for getting these details right into the generator and the templates it uses.
All generated applications are configured with the appropriate settings for the user's needs, including TLS (SSL), timeouts, buffer lengths, service endpoints and database access. This configuration is stored encrypted rather than as human-readable text. The application still has to decrypt it at runtime, so the protection is only as strong as the handling of the decryption key, which must be kept out of reach of anyone who can read the configuration file.
Model-View-Controller Pattern with N-tier Architecture
We've implemented the Model-View-Controller pattern with an n-tier architecture to separate the responsibilities of the generated application. The tier containing the Views and Controllers can be deployed outside the firewall to give users remote access. The Model and business-logic tier, along with the database tier, can be deployed behind the firewall, so key business functions are never directly exposed. Because the presentation tier is the one reachable from outside, its calls into the business tier should travel over an authenticated channel rather than being trusted on the basis of network position alone.
All exceptions are handled and logged for the system administrator to review, so that failure details such as stack traces and database errors go to the log rather than to the end user.
The generated database tables have associated history tables that record the creation, alteration and deletion of every record in the database. This audit trail supports the record-keeping requirements of the Sarbanes–Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA); meeting either act also depends on controls around the trail itself, such as who is able to read or alter the history.
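The following is an added illustration of the history-table pattern described above; it is not the platform's generated schema. It uses sqlite3 from the Python standard library so it runs offline, and the table name (customer), its columns and the trigger names are assumptions. Beyond what the text states, it also makes the history table append-only at the database layer, which is the control an auditor will ask about.

```python
import sqlite3

# Constructed schema: one base table, its history table, and triggers that
# copy every insert, update and delete into the history table.
SCHEMA = """
CREATE TABLE customer (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    email TEXT NOT NULL
);
-- One history row per change. action is I (insert), U (update) or D (delete).
CREATE TABLE customer_history (
    history_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    action      TEXT NOT NULL CHECK (action IN ('I', 'U', 'D')),
    name        TEXT,
    email       TEXT,
    changed_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
CREATE TRIGGER customer_ai AFTER INSERT ON customer BEGIN
    INSERT INTO customer_history (customer_id, action, name, email)
    VALUES (NEW.id, 'I', NEW.name, NEW.email);
END;
CREATE TRIGGER customer_au AFTER UPDATE ON customer BEGIN
    INSERT INTO customer_history (customer_id, action, name, email)
    VALUES (NEW.id, 'U', NEW.name, NEW.email);
END;
CREATE TRIGGER customer_ad AFTER DELETE ON customer BEGIN
    INSERT INTO customer_history (customer_id, action, name, email)
    VALUES (OLD.id, 'D', OLD.name, OLD.email);
END;
-- The trail is append-only: rewriting or erasing history is refused by the
-- database itself, whatever rights the application's account happens to hold.
CREATE TRIGGER customer_history_no_update BEFORE UPDATE ON customer_history BEGIN
    SELECT RAISE(ABORT, 'history rows are immutable');
END;
CREATE TRIGGER customer_history_no_delete BEFORE DELETE ON customer_history BEGIN
    SELECT RAISE(ABORT, 'history rows are immutable');
END;
"""


def open_db():
    """Create an in-memory database with the base table, its history table and triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def history(conn, customer_id):
    """Return the (action, name, email) trail for one record, oldest change first."""
    rows = conn.execute(
        "SELECT action, name, email FROM customer_history "
        "WHERE customer_id = ? ORDER BY history_id",
        (customer_id,))
    return rows.fetchall()


def demo():
    """Create, alter and delete one record, then try to erase its trail."""
    conn = open_db()
    conn.execute("INSERT INTO customer (id, name, email) VALUES (?, ?, ?)",
                 (1, "Ada", "ada@example.test"))
    conn.execute("UPDATE customer SET email = ? WHERE id = ?",
                 ("ada.l@example.test", 1))
    conn.execute("DELETE FROM customer WHERE id = ?", (1,))
    trail = history(conn, 1)
    # The base record is gone, but all three steps survive in the history table.
    try:
        conn.execute("DELETE FROM customer_history WHERE customer_id = ?", (1,))
        tamper_rejected = False
    except sqlite3.DatabaseError:
        tamper_rejected = True
    return {"trail": trail, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    for action, name, email in demo()["trail"]:
        print(action, name, email)
```

In a production database the same effect is usually achieved by denying UPDATE and DELETE on the history tables to the application's account, with the triggers as a second line of defence.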
Database Security and Encryption
During installation and setup of the database tier, the database is encrypted at rest. A dedicated database user is also created and granted the rights the generated application needs to run, so the application does not connect as the database administrator.
Concurrency Control for Data
Each entity carries a timestamp (a version stamp) that is checked on every update, so one user cannot silently overwrite another user's changes. This is optimistic concurrency control; it protects data integrity alongside the access controls.
SQL Injection Prevention
Inputs to dynamic queries are passed as bound parameters rather than being concatenated into the SQL text, which prevents SQL injection and with it unwanted access to the application's database.
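Added example, not the platform's own code, covering both the concurrency stamp and the parameterized queries described above, since both are plain database operations. It uses sqlite3 from the Python standard library; the account table, its sample rows and the use of an integer version counter in place of a timestamp are assumptions. The vulnerable query is shown next to the bound-parameter form so the difference in behaviour on a hostile input is visible.

```python
import sqlite3


def open_db():
    """Constructed sample data: two accounts, each carrying a version counter."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account ("
        " id INTEGER PRIMARY KEY, owner TEXT NOT NULL,"
        " balance INTEGER NOT NULL, version INTEGER NOT NULL DEFAULT 0)")
    conn.executemany(
        "INSERT INTO account (id, owner, balance) VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 50)])
    return conn


def find_by_owner_unsafe(conn, owner):
    """Vulnerable form: the user's value becomes part of the SQL text."""
    sql = "SELECT id, owner FROM account WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def find_by_owner(conn, owner):
    """Hardened form: the value is bound as a parameter and cannot alter the query's structure."""
    return conn.execute(
        "SELECT id, owner FROM account WHERE owner = ?", (owner,)).fetchall()


def read_account(conn, account_id):
    """Return the balance together with the version the caller must present to update it."""
    balance, version = conn.execute(
        "SELECT balance, version FROM account WHERE id = ?", (account_id,)).fetchone()
    return {"balance": balance, "version": version}


def update_balance(conn, account_id, new_balance, expected_version):
    """Optimistic update: succeeds only if the row still carries the version that was read."""
    cur = conn.execute(
        "UPDATE account SET balance = ?, version = version + 1 "
        "WHERE id = ? AND version = ?",
        (new_balance, account_id, expected_version))
    return cur.rowcount == 1      # 0 rows touched means someone else saved first


def demo():
    conn = open_db()
    payload = "nobody' OR '1'='1"                       # classic tautology injection
    unsafe_rows = find_by_owner_unsafe(conn, payload)   # leaks every account
    safe_rows = find_by_owner(conn, payload)            # no owner has that literal name
    # Two users load the same record, then both try to save their edit.
    a = read_account(conn, 1)
    b = read_account(conn, 1)
    first_ok = update_balance(conn, 1, a["balance"] - 30, a["version"])
    second_ok = update_balance(conn, 1, b["balance"] - 50, b["version"])  # stale version
    return {
        "unsafe_rows": len(unsafe_rows),
        "safe_rows": len(safe_rows),
        "first_ok": first_ok,
        "second_ok": second_ok,
        "final": read_account(conn, 1),
    }


if __name__ == "__main__":
    print(demo())
```

When the optimistic update returns False the application should reload the record and show the user the newer data rather than retrying blindly; retrying with the fresh version would recreate exactly the lost update the stamp exists to prevent.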
We include the ability to integrate seamlessly with single sign-on, such as Active Directory or LDAP, and an authentication library that uses our own Membership Service. Membership Service is a multi-tenant application that securely stores usernames and password hashes in a separate database managed by the Membership Service.
Membership Service Features
Membership Service offers a range of common features to protect user accounts. These include: minimum username length, minimum password length, password complexity rules, a limit on failed login attempts, account lockout duration, password reset, password reset frequency, two-factor authentication, account closure, and one-way hashing of stored passwords with PBKDF2 (the password itself is never stored, only a salted derived key).
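Added example of the two features above that have a concrete mechanism behind them, PBKDF2 password storage and lockout after repeated failed logins. This is illustrative code written for this page, not Membership Service itself; the record format, the attempt limit of five, the fifteen-minute lockout and the account class are assumptions. It uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000        # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
MAX_FAILED_LOGINS = 5       # assumed policy values
LOCKOUT_SECONDS = 15 * 60


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, iteration count, random salt, derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


class Account:
    """Assumed account model: holds the hash record, never the password."""

    def __init__(self, username, password, iterations=ITERATIONS):
        self.username = username
        self.password_record = hash_password(password, iterations)
        self.failed_logins = 0
        self.locked_until = 0.0

    def login(self, password, now):
        """Return 'ok', 'bad_password' or 'locked'. now is a UNIX timestamp."""
        if now < self.locked_until:
            return "locked"     # refused before any hashing: no work done for an attacker
        if verify_password(password, self.password_record):
            self.failed_logins = 0
            return "ok"
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_logins = 0
        return "bad_password"


if __name__ == "__main__":
    acct = Account("ada", "correct horse battery staple")
    print(acct.password_record)
    print(acct.login("correct horse battery staple", now=0))
```

Storing the iteration count inside the record is what makes it possible to raise the work factor later: old records keep verifying with their own count and can be rehashed at the user's next successful login.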
All identifiers that uniquely represent a record in our database are encrypted before being serialized to the user interface, so raw primary keys are never exposed to the client and cannot simply be guessed or incremented.
User Session Token
User session tokens are time-aware: deserialization halts processing if the user has exceeded the idle timeout. The user interface also tracks the idle timeout and logs the user out, but the server-side check during deserialization is the one that enforces it; the client-side logout is a convenience that a modified client could skip.
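Added example of a time-aware session token, written for this page rather than taken from the platform. The token carries the user id and a last-seen time, signed with HMAC-SHA256 so the client cannot move the time forward; deserialization verifies the signature first and then halts on idle timeout. The server key, the fifteen-minute timeout and the field names are assumptions, and a real deployment would load the key from protected configuration.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"assumed-server-side-secret"   # assumption: comes from protected config in practice
IDLE_TIMEOUT_SECONDS = 15 * 60               # assumed policy value


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body, key):
    return _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(user_id, now, key=SERVER_KEY):
    """Serialize {sub, last_seen} and sign it so neither field can be altered by the client."""
    payload = json.dumps({"sub": user_id, "last_seen": now},
                         sort_keys=True, separators=(",", ":"))
    body = _b64e(payload.encode("utf-8"))
    return body + "." + _sign(body, key)


def deserialize_token(token, now, key=SERVER_KEY, idle_timeout=IDLE_TIMEOUT_SECONDS):
    """Return (payload, None) on success or (None, reason); processing stops at the first failure."""
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body, key)):
        return None, "bad_signature"        # checked before the payload is even parsed
    try:
        payload = json.loads(_b64d(body))
    except ValueError:                      # covers bad base64 and bad JSON
        return None, "malformed"
    if now - payload["last_seen"] > idle_timeout:
        return None, "idle_timeout"
    return payload, None


def refresh_token(token, now, key=SERVER_KEY, idle_timeout=IDLE_TIMEOUT_SECONDS):
    """On each authenticated request, slide last_seen forward; an expired or forged token is not refreshed."""
    payload, reason = deserialize_token(token, now, key, idle_timeout)
    if payload is None:
        return None, reason
    return issue_token(payload["sub"], now, key), None


if __name__ == "__main__":
    t = issue_token("user-42", now=1000)
    print(t)
    print(deserialize_token(t, now=1000 + 600))
    print(deserialize_token(t, now=1000 + 901))
```

Because the token is only signed, not encrypted, its payload is readable by the client; that is acceptable for a user id and a timestamp, but anything confidential belongs in server-side session state keyed by the token, not inside it.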
All dynamic data obtained from user input or the database is encoded before being serialized to the user interface, which prevents injection of HTML or script into the generated application (cross-site scripting).
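Added example of output encoding, not the platform's own rendering code. It goes a step beyond the sentence above by showing that the encoding has to match the context the value lands in: HTML body, quoted attribute, or data embedded in a script block. The templates are assumptions; only the Python standard library is used.

```python
import html
import json


def render_greeting_unsafe(name):
    """Vulnerable: raw data is concatenated into markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting(name):
    """HTML body context: &, <, > and quotes become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_input(value):
    """Quoted attribute context: the quote characters must be escaped or the value can close the attribute."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


def render_script_data(record):
    """Script context: JSON-encode, then escape the characters that could close the script block."""
    text = json.dumps(record)
    text = text.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var record = " + text + ";</script>"


def demo():
    """Constructed hostile inputs for each context."""
    hostile = "<script>alert(1)</script>"
    attr_hostile = '" onmouseover="alert(1)'
    return {
        "unsafe": render_greeting_unsafe(hostile),
        "body": render_greeting(hostile),
        "attr": render_input(attr_hostile),
        "script": render_script_data({"name": "</script><script>alert(1)</script>"}),
    }


if __name__ == "__main__":
    for context, markup in demo().items():
        print(context, "=>", markup)
```

The \u003c form is a legitimate JSON string escape, so the browser still parses the record correctly, but the literal "</script>" sequence that would have terminated the block early no longer appears in the page.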
Role-based authorization is set up at runtime and managed from the administrator dashboard within the web application. Authorization rights are never hard-wired in code or fixed with security annotations. By default, every screen and every element on the screen (along with its controller) is locked down, so access exists only where an administrator has explicitly granted it.
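Added example of deny-by-default, runtime-managed role authorization, written for this page and not taken from the platform. Grants live in data rather than in annotations, so an administrator can change them without a rebuild; a screen element and the controller behind it are checked against the same table. The screen and element names, the action vocabulary (view, edit) and the controller function are assumptions.

```python
class AuthorizationError(Exception):
    pass


class Authorizer:
    """Deny-by-default grants held in data so they can be changed at runtime."""

    def __init__(self):
        # (role, screen, element) -> set of permitted actions, e.g. {"view", "edit"}
        self._grants = {}

    def grant(self, role, screen, element, *actions):
        self._grants.setdefault((role, screen, element), set()).update(actions)

    def revoke(self, role, screen, element, *actions):
        key = (role, screen, element)
        if key in self._grants:
            self._grants[key].difference_update(actions)
            if not self._grants[key]:
                del self._grants[key]

    def is_allowed(self, roles, screen, element, action):
        """True only if one of the user's roles has an explicit grant; anything unlisted is denied."""
        return any(action in self._grants.get((role, screen, element), ())
                   for role in roles)

    def require(self, roles, screen, element, action):
        if not self.is_allowed(roles, screen, element, action):
            raise AuthorizationError("%s on %s/%s denied for roles %s"
                                     % (action, screen, element, sorted(roles)))

    def visible_elements(self, roles, screen):
        """Elements on a screen the user may at least view; the UI renders nothing else."""
        return sorted({element
                       for (role, scr, element), actions in self._grants.items()
                       if scr == screen and role in roles and "view" in actions})


def controller_save_customer(authz, roles, payload):
    """The controller repeats the check the save button was gated by; hiding the button is not enough."""
    authz.require(roles, "customer", "save_button", "edit")
    return {"saved": payload}


if __name__ == "__main__":
    az = Authorizer()
    az.grant("clerk", "customer", "name_field", "view")
    az.grant("manager", "customer", "save_button", "view", "edit")
    print(az.visible_elements({"clerk"}, "customer"))
    print(controller_save_customer(az, {"manager"}, {"id": 1}))
```

Checking in the controller as well as in the screen matters because a user who is shown no save button can still send the request the button would have sent.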
All inputs are converted to their declared types during deserialization, and custom validations check that the user input is valid. Using this framework, all input data is validated for type, length, format and range, so a value that is the wrong type, too long, malformed or out of range is rejected before any business logic runs.
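Added example of type conversion plus type, length, format and range validation at deserialization time; it is illustrative code, not the platform's framework. The field definitions for a customer form are assumptions. Two edge cases a practitioner will want covered are included: undeclared fields are rejected rather than silently copied through (mass assignment), and non-finite floats such as "nan" are refused because they pass a naive range check.

```python
import math
import re


class ValidationError(ValueError):
    pass


# Assumed declarations for one form; the platform would derive these from the model.
CUSTOMER_FIELDS = {
    "username":     {"type": str, "min_len": 3, "max_len": 32, "pattern": r"[A-Za-z0-9_]+"},
    "email":        {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age":          {"type": int, "min": 0, "max": 150},
    "credit_limit": {"type": float, "min": 0.0, "max": 1_000_000.0},
}


def _coerce(field_type, raw, name):
    """Convert the wire value to the declared type; surprises like bool, None or NaN are rejected."""
    if isinstance(raw, bool) or raw is None:
        raise ValidationError("%s: wrong type" % name)     # bool is an int subclass; keep it out
    if field_type is str:
        if not isinstance(raw, str):
            raise ValidationError("%s: expected text" % name)
        return raw.strip()
    if field_type is int and not isinstance(raw, (int, str)):
        raise ValidationError("%s: expected an integer" % name)   # no silent truncation of 3.7
    try:
        value = field_type(raw)
    except (TypeError, ValueError):
        raise ValidationError("%s: not a valid %s" % (name, field_type.__name__))
    if field_type is float and not math.isfinite(value):
        raise ValidationError("%s: not a finite number" % name)  # nan compares False against any bound
    return value


def deserialize(raw, schema):
    """Return (clean, errors). clean holds only declared fields, converted and validated."""
    clean, errors = {}, []
    for name in raw:
        if name not in schema:
            errors.append("%s: unexpected field" % name)       # no mass assignment
    for name, rule in schema.items():
        if name not in raw:
            errors.append("%s: required" % name)
            continue
        try:
            value = _coerce(rule["type"], raw[name], name)
        except ValidationError as exc:
            errors.append(str(exc))
            continue
        if rule["type"] is str:
            if len(value) < rule.get("min_len", 0):
                errors.append("%s: shorter than %d" % (name, rule["min_len"]))
            elif len(value) > rule.get("max_len", 2 ** 16):
                errors.append("%s: longer than %d" % (name, rule["max_len"]))
            elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append("%s: bad format" % name)
            else:
                clean[name] = value
        else:
            if "min" in rule and value < rule["min"]:
                errors.append("%s: below %s" % (name, rule["min"]))
            elif "max" in rule and value > rule["max"]:
                errors.append("%s: above %s" % (name, rule["max"]))
            else:
                clean[name] = value
    return clean, errors


if __name__ == "__main__":
    print(deserialize({"username": "ada_l", "email": "ada@example.test",
                       "age": "34", "credit_limit": "2500"}, CUSTOMER_FIELDS))
```

The caller should treat a non-empty error list as a rejected request and never use the partially filled clean dictionary; returning all errors at once is a usability choice, not a security one.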