Application Security

Graphite GTC uses modern development and deployment strategies to eliminate vulnerabilities in the generated web-based applications.

Architectural Security

Code Quality

Quality of code is very important for security. Simple mistakes are easily made, and they can open the application to vulnerabilities. No-code platforms reduce the risk of such errors by eliminating handwritten code.

Deployment Configuration

All generated applications are configured with the appropriate settings for the user's needs, including SSL, timeouts, buffer length, service endpoints and database access. This configuration is encrypted and is not human readable.

Model-View-Controller Pattern with N-tier Architecture

We've implemented the Model-View-Controller pattern with an n-tier architecture to securely separate the responsibilities of the generated application. The tier containing the Views and Controllers can be deployed outside the firewall to give users remote access. The Model and business logic tier, along with the database tier, can be deployed behind the firewall. This protects your key business functions from being exposed.

Exception Handling

All exceptions are properly handled and logged for the system administrator to review.

Database Security

Data History

The generated database tables have associated history tables that record the creation, alteration, and deletion of every record in the database. This is in compliance with the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.

Database Security and Encryption

During installation and setup of the database tier, the database is encrypted at rest. A new database user will also be created and given rights to run the generated application.

Concurrency Control for Data

Each entity carries a timestamp that is checked on update, so one user cannot overwrite another user's changes; this adds a further layer of protection.

SQL Injection Prevention

Inputs to dynamic queries are parameterized, preventing unwanted access to the application's database.
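
The three database controls described above (history tables, timestamp-based concurrency control and parameterized queries) shown together on an in-memory SQLite table. This is an added example, not Graphite GTC's generated code; the schema, table names and the integer version column standing in for the timestamp are constructed for illustration.

```python
import sqlite3

# Constructed schema (example, not the platform's generated DDL): an entity table with
# a version column standing in for the page's timestamp, plus a history table that
# triggers fill on every create, alter and delete.
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       row_version INTEGER NOT NULL DEFAULT 1);
CREATE TABLE customer_history (hist_id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
    action TEXT NOT NULL, name TEXT,
    recorded_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')));
CREATE TRIGGER customer_ai AFTER INSERT ON customer BEGIN
    INSERT INTO customer_history (customer_id, action, name) VALUES (NEW.id, 'INSERT', NEW.name); END;
CREATE TRIGGER customer_au AFTER UPDATE ON customer BEGIN
    INSERT INTO customer_history (customer_id, action, name) VALUES (NEW.id, 'UPDATE', NEW.name); END;
CREATE TRIGGER customer_ad AFTER DELETE ON customer BEGIN
    INSERT INTO customer_history (customer_id, action, name) VALUES (OLD.id, 'DELETE', OLD.name); END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def find_by_name(conn, name):
    # Parameterized query: the driver binds `name` as data, so a quote character in
    # user input can never change the statement's structure.
    return conn.execute("SELECT id, name FROM customer WHERE name = ?", (name,)).fetchall()

def update_name(conn, cust_id, expected_version, new_name):
    # Optimistic concurrency: the write applies only if the row still carries the version
    # the caller read; a stale caller gets False instead of silently overwriting.
    cur = conn.execute("UPDATE customer SET name = ?, row_version = row_version + 1 "
                       "WHERE id = ? AND row_version = ?", (new_name, cust_id, expected_version))
    return cur.rowcount == 1

def history(conn, cust_id):
    rows = conn.execute("SELECT action, name FROM customer_history WHERE customer_id = ? "
                        "ORDER BY hist_id", (cust_id,))
    return [tuple(r) for r in rows]

def demo():
    conn = open_db()
    conn.execute("INSERT INTO customer (id, name) VALUES (1, 'Alice')")
    injected = find_by_name(conn, "Alice' OR 'a'='a")  # matched literally: no rows
    first = update_name(conn, 1, 1, "Alice B.")         # True: version 1 still current
    second = update_name(conn, 1, 1, "Alice C.")        # False: stale read, rejected
    conn.execute("DELETE FROM customer WHERE id = 1")
    return injected, first, second, history(conn, 1)
```

The history table ends up with one row per create, alter and delete, which is the audit trail the page describes; the rejected second update leaves no history entry because it never modified the row.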

User Security

User Authentication

We include the ability to seamlessly integrate with Single Sign-On providers such as Active Directory or LDAP, as well as an authentication library that uses our own Membership Service. Membership Service is a multi-tenant application that securely stores usernames and passwords in a separate database managed by the Membership Service.

Membership Service Features

Membership Service offers a range of common features to protect user accounts against common weaknesses. These features include: username length, password length, password complexity, failed login attempts, account lockout duration, password reset, password reset frequency, two-factor authentication, close account, and one-way hashing of stored passwords using PBKDF2.

Front-End Security

HTML Markup

Semantic HTML5 markup is used to present the user interface. The HTML5 markup is dynamically created using JavaScript.

Encrypted Identifiers

All identifiers that uniquely represent a record in our database are encrypted prior to serialization for the user interface.

User Session Token

User Session Tokens are time-aware: if the user has exceeded the idle timeout, processing halts during token deserialization. The user interface also tracks the idle timeout and logs the user out.

Cross-Site Scripting

All dynamic data acquired from user input or the database is encoded prior to serialization for the user interface, so that no HTML or script can be injected into the generated application.

User Authorization

Role-based authorization is set up at runtime and can be managed from the administrator dashboard within the web application. Authorization rights are never hard-wired or fixed with security annotations. By default, every screen and every element on the screen (along with its controller) is locked down.

Form Validation

All inputs are converted to their defined types during deserialization, and custom validations ensure that the user input is valid. Using this framework, all input data is validated for type, length, format, and range.

JavaScript and CSS

All JavaScript and CSS are minified and obfuscated, making the client-side code harder to read.