Application Security

Graphite GTC uses modern development and deployment strategies to eliminate vulnerabilities in the generated web-based applications.

Architectural Security

Code Quality

Code quality is very important to security. Simple mistakes are easily made in handwritten code, and they open the application up to a variety of vulnerabilities. No-code platforms reduce the risk of human error by eliminating handwritten effort.

Deployment Configuration

All generated applications are configured with the appropriate settings based upon the user's needs, including SSL, timeouts, buffer length, service endpoints and database access. This configuration is encrypted and is no longer human-readable.

Model-View-Controller Pattern with N-tier Architecture

We've implemented the Model-View-Controller pattern with an n-tier architecture to securely separate the responsibilities of the generated application. The tier containing the Views and Controllers can be deployed outside the firewall to allow users remote access, while the Model and business logic tier, along with the database tier, can be deployed behind the firewall. This protects your key business functions from being exposed.

Exception Handling

All exceptions are properly handled and logged for the system administrator to review.

Front-End Security

HTML Markup

Proper HTML5 markup is used to present the user interface. The HTML5 markup is dynamically created using JavaScript.

Encrypted Identifiers

All identifiers that uniquely represent a record in our database are encrypted prior to serialization for the user interface.

User Session Token

User Session Tokens are time-aware: processing halts during deserialization if the user has exceeded the idle timeout. The user interface also keeps track of the idle timeout and logs the user out.
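The following is an added illustration of a time-aware session token, written for this page and not taken from Graphite GTC's code. It assumes an HMAC-signed token that carries the user id and a last-activity time; the key, the 15-minute idle limit and the token layout are all constructed for the example. Deserialization checks the signature first and then refuses to continue if the idle timeout has been exceeded.

```python
import base64
import binascii
import hashlib
import hmac
import json

IDLE_TIMEOUT_SECONDS = 15 * 60                 # assumed idle limit
SECRET_KEY = b"constructed-demo-key-not-for-production"  # constructed, not a real key


class SessionExpired(Exception):
    pass


class InvalidToken(Exception):
    pass


def _sign(payload: bytes) -> str:
    # HMAC-SHA256 over the raw payload so a client cannot edit the timestamp
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def serialize_token(user_id: str, last_activity: float) -> str:
    payload = json.dumps({"uid": user_id, "last": last_activity}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def deserialize_token(token: str, now: float) -> dict:
    """Return the token contents, or halt with InvalidToken / SessionExpired."""
    try:
        body, signature = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        raise InvalidToken("malformed token") from None
    # constant-time comparison; tampered payloads stop here before any parsing
    if not hmac.compare_digest(_sign(payload), signature):
        raise InvalidToken("bad signature")
    data = json.loads(payload)
    if now - float(data["last"]) > IDLE_TIMEOUT_SECONDS:
        raise SessionExpired("idle timeout exceeded")
    return data


def touch(token: str, now: float) -> str:
    """Re-issue the token with a fresh last-activity time after a valid request."""
    data = deserialize_token(token, now)
    return serialize_token(data["uid"], now)


def token_status(token: str, now: float) -> str:
    """Convenience wrapper returning 'ok', 'expired' or 'invalid'."""
    try:
        deserialize_token(token, now)
        return "ok"
    except SessionExpired:
        return "expired"
    except InvalidToken:
        return "invalid"
```

A request handler would call `deserialize_token` before touching any business logic and `touch` on the way out, so the token's own timestamp, not only the browser-side timer, enforces the idle limit.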

Cross-Site Scripting

All dynamic data that is acquired from user input or the database is encoded prior to serialization for the user interface, removing the ability to inject HTML or script into the generated application.
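As an added example (not Graphite GTC's code), the block below shows the encoding step applied per output context before the markup is serialized: HTML text and attributes, a URL-valued attribute, and a string literal inside a script block. The `render_profile` function and its fields are constructed for the example; the input strings in the test are likewise constructed.

```python
import html
import json
from urllib.parse import urlsplit


def encode_for_html(value) -> str:
    # HTML text content and double-quoted attribute values:
    # &, <, >, " and ' become entities, so markup in the data is displayed, not parsed
    return html.escape(str(value), quote=True)


def encode_for_url_attribute(value) -> str:
    # Entity encoding alone does not neutralise a "javascript:" URL in href,
    # so the scheme is checked first; anything but http/https becomes an inert "#"
    scheme = urlsplit(str(value)).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return encode_for_html(value)


def encode_for_js_string(value) -> str:
    # JS string literal inside <script>: json.dumps escapes quotes and backslashes,
    # and <, > and & are replaced with \uXXXX escapes so the literal can never
    # contain "</script>" and terminate the block early
    return (json.dumps(str(value))
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_profile(display_name, homepage, greeting) -> str:
    """Serialize a (constructed) profile fragment with every dynamic value encoded."""
    return (
        f"<h1>{encode_for_html(display_name)}</h1>\n"
        f'<a href="{encode_for_url_attribute(homepage)}" '
        f'title="{encode_for_html(display_name)}">home</a>\n'
        f"<script>var greeting = {encode_for_js_string(greeting)};</script>"
    )
```

The point of the three functions is that the correct encoding depends on where the value lands; one generic escape is not enough for URL attributes or script contexts.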

Role Authorization

Role-based authorization is configured at runtime and can be managed via the web application within the administrator dashboard. Authorization rights are never hard-wired or fixed with security annotations. By default, every screen and every element on the screen (along with its controller) is locked down.

Form Validation

The back-end code uses a strongly typed language. All inputs are converted to the defined types during deserialization. Custom validations are also used to ensure the user input is valid based on the business needs. Using this framework, all input data is validated for type, length, format and range.
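Added example, not Graphite GTC's own framework: a small typed deserializer that applies the four checks named above (type, length, format, range) to a JSON payload. The field definitions (`ORDER_FORM`), field names and limits are constructed for the illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Optional, Tuple


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class FieldSpec:
    name: str
    type_: type                        # declared type the raw value must convert to
    max_len: Optional[int] = None      # length check (str fields)
    pattern: Optional[str] = None      # format check, full-match regex (str fields)
    min_val: Optional[int] = None      # range check (int fields)
    max_val: Optional[int] = None


# Constructed form definition for an order screen
ORDER_FORM = (
    FieldSpec("username", str, max_len=32, pattern=r"[A-Za-z0-9_]{3,32}"),
    FieldSpec("email", str, max_len=254, pattern=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    FieldSpec("quantity", int, min_val=1, max_val=100),
)


def _coerce(spec: FieldSpec, raw: Any) -> Any:
    """Type step: convert the raw JSON value to the declared type or reject it."""
    if spec.type_ is int:
        if isinstance(raw, str):
            if not re.fullmatch(r"-?\d+", raw.strip()):
                raise ValidationError(f"{spec.name}: expected integer")
            return int(raw.strip())
        # bool is an int subclass in Python, so it must be excluded explicitly
        if isinstance(raw, int) and not isinstance(raw, bool):
            return raw
        raise ValidationError(f"{spec.name}: expected integer")
    if spec.type_ is str:
        if not isinstance(raw, str):
            raise ValidationError(f"{spec.name}: expected string")
        return raw
    raise TypeError(f"unsupported field type {spec.type_!r}")


def validate_field(spec: FieldSpec, raw: Any) -> Any:
    value = _coerce(spec, raw)
    if spec.max_len is not None and len(value) > spec.max_len:
        raise ValidationError(f"{spec.name}: longer than {spec.max_len}")
    if spec.pattern is not None and not re.fullmatch(spec.pattern, value):
        raise ValidationError(f"{spec.name}: invalid format")
    if spec.min_val is not None and value < spec.min_val:
        raise ValidationError(f"{spec.name}: below {spec.min_val}")
    if spec.max_val is not None and value > spec.max_val:
        raise ValidationError(f"{spec.name}: above {spec.max_val}")
    return value


def deserialize_form(payload: str, form=ORDER_FORM) -> dict:
    """Parse JSON and return a dict of typed, validated values; reject anything else."""
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValidationError("payload must be an object")
    unknown = set(data) - {spec.name for spec in form}
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    result = {}
    for spec in form:
        if spec.name not in data:
            raise ValidationError(f"{spec.name}: missing")
        result[spec.name] = validate_field(spec, data[spec.name])
    return result


def parse_or_error(payload: str) -> Tuple[Optional[dict], Optional[str]]:
    """Return (record, None) on success or (None, message) on rejection."""
    try:
        return deserialize_form(payload), None
    except ValidationError as exc:
        return None, str(exc)
```

Unknown fields are rejected rather than ignored, so a client cannot smuggle extra properties past the declared form.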

JavaScript and CSS

All JavaScript and CSS files are minified and obfuscated, making it nearly impossible to understand the client-side code even with the assistance of modern client-side development tools.

Database Security

Data History

The generated database tables have associated history tables that record the creation, alteration and deletion of every record in the database, together with the associated user, in accordance with the Sarbanes–Oxley Act and the Health Insurance Portability and Accountability Act. During installation and setup of the database tier, the database is set up to be encrypted at rest. In addition, a new database user is created and given rights to exactly what is needed to run the generated application.

Concurrency Control for Data

Along with the encrypted identifier, each entity has a timestamp that serves two purposes: it prevents one user from overwriting another user's changes and adds an additional level of security. The timestamp is encrypted using MD5.

SQL Injection Prevention

At the repository layer, inputs for dynamic queries are parameterized, preventing unwanted access to the application's database.
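Added example covering both the concurrency control and the SQL injection prevention sections; it is written for this page and is not Graphite GTC's repository code. It assumes a SQLite table with an integer `version` column standing in for the per-entity timestamp described above (the check is the same: the update only succeeds if the client's copy of the value still matches), and uses bound parameters so that query text and data never mix. The table and rows are constructed.

```python
import sqlite3
from typing import List, Tuple


class StaleRecordError(Exception):
    """Raised when the caller's version no longer matches the stored record."""


def open_repository() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " email TEXT NOT NULL,"
        " version INTEGER NOT NULL DEFAULT 1)"   # assumed stand-in for the timestamp
    )
    # constructed sample rows
    conn.executemany(
        "INSERT INTO customer (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_by_name(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # `name` is bound as a parameter: whatever it contains, it is compared as a
    # literal value and cannot alter the structure of the statement
    return conn.execute(
        "SELECT id, name, email, version FROM customer WHERE name = ?", (name,)
    ).fetchall()


def update_email(conn: sqlite3.Connection, customer_id: int,
                 expected_version: int, new_email: str) -> int:
    """Optimistic update: succeeds only if nobody changed the row since it was read."""
    cur = conn.execute(
        "UPDATE customer SET email = ?, version = version + 1 "
        "WHERE id = ? AND version = ?",
        (new_email, customer_id, expected_version),
    )
    conn.commit()
    if cur.rowcount == 0:
        raise StaleRecordError(
            f"customer {customer_id}: version {expected_version} is no longer current"
        )
    return expected_version + 1


def try_update_email(conn, customer_id, expected_version, new_email) -> bool:
    """Wrapper returning True on success and False when the record was stale."""
    try:
        update_email(conn, customer_id, expected_version, new_email)
        return True
    except StaleRecordError:
        return False
```

The `WHERE ... AND version = ?` clause is what turns a plain update into a lost-update check: the second writer with an outdated version affects zero rows and is told to reload.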

User Security

User Authentication

We include the ability to seamlessly integrate with Single Sign-On, such as Active Directory or LDAP, and an authentication library that utilizes our own Membership Service. Membership Service is a multitenant application that securely stores usernames and passwords in a separate database managed by the Membership Service.

Membership Service Features

Membership Service offers a range of common features to protect against common user-account vulnerabilities. These features include: username length, password length, password complexity, failed login attempts, account lockout duration, password reset, password reset frequency, two-factor authentication, close account, and one-way encryption of stored passwords using PBKDF2.
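As an added example (not the Membership Service implementation), the block below shows two of the listed features working together: one-way PBKDF2 storage with a per-user random salt and constant-time verification, and a failed-attempt counter that locks the account for a fixed duration. The iteration count, attempt limit, lockout length and stored-hash layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000   # assumed work factor
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """One-way derive a verifier; the plaintext is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # self-describing record so the work factor can be raised later without a reset
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(actual, expected)


@dataclass
class Account:
    username: str
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0


def authenticate(account: Account, password: str, now: float) -> bool:
    """Check the password unless the account is locked; track failures and lock out."""
    if now < account.locked_until:
        return False                      # locked: even a correct password is refused
    if verify_password(password, account.password_hash):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
    return False
```

Because the iteration count is embedded in the stored record, a deployment can raise the work factor on the next successful login without forcing a password reset.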