Quality of code is very important in security. Simple mistakes can be easily made with handwritten code which opens up the application to a variety of vulnerabilities. No-code platforms reduce the risk of human error by eliminating handwritten efforts.
All generated applications will be configured with the appropriate settings based upon the user's needs, including SSL, timeouts, buffer length, service endpoints and database access. This configuration is encrypted and no longer human readable.
Model-View-Controller Pattern with N-tier Architecture
We've implemented the Model-View-Controller pattern with n-tier architecture to securely separate responsibilities of the generated application. The tier containing the View and Controllers can be deployed outside of the firewall to allow users remote access. While the Model and Business logic tier along with the database tier can be deployed behind the firewall. This protects your key business functions from being exposed.
All exceptions are properly handled and logged for the system administrator to review.
All identifiers that uniquely represent a record in our database are encrypted prior to serialization for the user interface.
User Session Token
User Session Tokens are time aware and halt processing during deserialization if users exceed idle timeout. The user interface keeps track of the idle timeout and logs the user out.
All dynamic data that is acquired from user input or the database is encoded prior to serialization for the user interface, removing the ability to inject any HTML or Scripting into the generated application.
Role-base authorization setup is provided at runtime and can be managed via the web application within the administrator dashboard. Authorization rights are never hard wired or fixed with security annotations. By default, every screen and every element (along with its controller) on the screen is locked down.
The back-end code uses a strongly typed language. All inputs are converted to the defined types during deserialization. Custom validations are also used to ensure the user input is valid based on the business needs. Using this framework, all input data is validated for type, length, format and range.
The generated database tables have associated history tables that record the creation, alteration and deletion of every record in the database with the associated user in accordance with Sarbanes–Oxley Act and the Health Insurance Portability and Accountability Act. During installation and setup of the database tier, the database will be setup to be encrypted at rest. In addition, a new database user will be created and given rights to exactly what is needed to run the generated application.
Concurrency control for data
Along with the encrypted Identifier each entity has a timestamp that serves two purposes: It prevents one user from overwriting another user’s changes and adds an additional level of security. The timestamp is encrypted using MD5.
SQL Injection Prevention
At the repository layer inputs for dynamic queries are parameterized preventing unwanted access to the applications database.
We include the ability to seamlessly integrate with Single Sign-on, such as Active Directory or LDAP and an authentication library that utilizes our own Membership Service. Membership Service is a multitenant application that securely stores usernames and passwords in a separate database managed by the Membership Service.
Membership Service Features
Membership Service offers a range of common features to protect against possible user vulnerability. These features include: username length, password length, password complexity, failed login attempts, account lockout duration, password reset, password reset frequency, two-factor authentications, close account, and one-way encryption of stored passwords using PBKDF2.