
Low Code in 30: Comprehensive Security
Join Jeff Goldberg, member of the Mendix Evangelist Team, and learn about all the ways the Mendix platform keeps your apps secure in this rendition of Low-Code in 30.
Transcript
[00:00:01.199] Hello and welcome to Low-Code in 30. [00:00:03.459] I'm Jeff Goldberg, member of the evangelist [00:00:05.559] team at Mendix, and in today's webinar, [00:00:07.860] we're going to spend the next thirty minutes discussing [00:00:10.269] security in the Mendix platform. [00:00:13.311] Low-Code in 30 is run on a monthly basis, [00:00:15.922] and if this is the first time you've joined us, [00:00:18.292] we have covered a number of topics over the [00:00:20.323] last six months related to the Mendix application [00:00:22.882] development platform. I encourage you [00:00:24.972] to visit our YouTube channel and view [00:00:27.021] our previous webinars and subscribe [00:00:29.051] to our channel so that you could get notified [00:00:32.332] as we add new content regularly. [00:00:35.631] Let's jump in with a quick overview of what [00:00:37.682] Mendix is, and then we'll talk about the [00:00:39.731] comprehensive approach Mendix takes [00:00:41.822] to security. Afterward, we'll take a few [00:00:43.832] minutes for Q&A. [00:00:47.148] Mendix was born to help enterprises win [00:00:49.317] with apps because it's the fastest and easiest [00:00:51.707] low-code platform to create and continuously [00:00:54.368] enhance any kind of app at scale, [00:00:56.728] including web apps, offline-first [00:00:58.777] mobile apps,
[00:01:02.670] REST APIs, microservices and [00:01:04.829] more to fit a variety of use cases. [00:01:07.120] Mendix helps you achieve your goals through a [00:01:09.170] visual model-driven development platform [00:01:11.870] enabling professional developers and stakeholders [00:01:14.530] in the line of business [00:01:16.159] to collaborate throughout the entire application [00:01:18.799] lifecycle. Everything from requirements [00:01:21.069] gathering, development, [00:01:25.417] deployment [00:01:26.376] and finally operating are integrated [00:01:28.956] into the platform to help make developers' [00:01:31.257] lives easier and to bring them closer [00:01:33.406] to their customers. [00:01:35.590] As a result, development is faster [00:01:37.629] and more efficient because the business [00:01:39.719] and combined their domain expertise [00:01:42.180] during application creation. Application [00:01:44.629] quality is significantly higher because [00:01:46.870] requirements and outcomes are in alignment, [00:01:49.159] and total cost of ownership is lower [00:01:51.280] because adopting an agile and iterative [00:01:53.640] process [00:01:55.926] reduces rework after applications [00:01:58.206] go live. [00:02:00.909] App security has been a top-of-mind [00:02:02.938] topic for a long time, and it [00:02:04.978] continues to be a top consideration [00:02:07.539] in choosing any platform or software [00:02:09.838] as a service. At Mendix, [00:02:11.938] security rests on four pillars [00:02:14.109] to ensure apps built on the platform [00:02:16.378] are protected from end to end. [00:02:18.459] It starts with compliance: [00:02:21.633] an information security management system [00:02:24.133] designed in compliance with ISO standards [00:02:26.832] to protect the platform and the customers' [00:02:29.223] apps running on it from [00:02:31.293] would-be attackers and threats.
[00:02:34.534] Cloud security involves encrypting [00:02:36.764] information and communications exchanged [00:02:39.395] inside and outside the platform, [00:02:41.835] along with other services to protect [00:02:44.145] cloud operations. Platform [00:02:46.375] security handles authentication [00:02:48.625] and user roles, making sure users [00:02:50.814] have the right capabilities to contribute [00:02:53.044] to app development. [00:02:56.743] And application security, controlling [00:02:58.933] app authentication, user security [00:03:01.473] and module security, which control [00:03:03.764] aspects of the user experience as well [00:03:05.973] as the data end users interact with [00:03:08.183] during a session. [00:03:09.313] Today, we'll cover the first two in brief and [00:03:11.554] then dive a little deeper into platform security. [00:03:14.044] And then I'll go into the Modeler and show you how to [00:03:16.093] set up authentication using OAuth [00:03:19.681] and authorization with user and module [00:03:22.042] security. [00:03:25.963] To provide the most secure environment possible, [00:03:28.433] Mendix has implemented an information [00:03:30.493] security management system in accordance [00:03:32.794] with the ISO 27001 [00:03:34.843] standard. Instead [00:03:36.913] of relying on our cloud providers' certification, [00:03:39.524] we've built our own framework of controls [00:03:41.663] for information risk management and [00:03:43.713] attained accreditation across [00:03:47.123] all the cloud infrastructure Mendix [00:03:49.183] is available. [00:03:51.745] You can view our [00:03:53.014] 27001 certification [00:03:55.375] within the Mendix platform evaluation guide.
[00:03:57.865] In addition to the standard, [00:04:00.657] Mendix has several other assurance reports [00:04:02.796] confirming security controls management, [00:04:04.986] including 3402 [00:04:06.997] Type 2, [00:04:09.461] a SOC 1 Type 2 certification [00:04:12.192] and STAR certification. [00:04:14.262] Because we take security seriously, [00:04:16.692] we engage in periodic assessments of [00:04:18.771] the security controls we have in place to [00:04:20.791] make sure we evaluate and mitigate [00:04:22.961] information security threats and vulnerabilities [00:04:25.831] systematically. [00:04:30.266] Mendix employs several different configurable [00:04:32.846] measures to secure data and the [00:04:34.886] platform experience at the cloud [00:04:37.055] level, starting with security controls. [00:04:39.206] It begins with using TLS encryption, [00:04:41.466] using certificates to provide end-to-end [00:04:43.675] protection for data transporting [00:04:45.706] between the client and the application. [00:04:48.245] To control inbound access to the app, [00:04:50.586] you may restrict connectivity to an [00:04:52.656] IP address range or use a client [00:04:54.745] certificate or both. [00:04:59.285] While Mendix provides certificates using [00:05:01.535] Mendix-specified domains, it is possible [00:05:03.995] to use a custom domain with full certificate [00:05:06.464] support to own the URL. Access [00:05:08.935] management in Mendix starts at the cloud [00:05:10.995] operations level, [00:05:12.464] where a technical contact for each application [00:05:14.954] establishes control of their cloud [00:05:17.165] node and the roles for additional users. [00:05:19.605] For cloud ops roles, [00:05:23.576] users may have access to deploy apps, [00:05:25.976] access backups, have API [00:05:28.026] access and performance monitoring. [00:05:31.790] For secure backup, Mendix
provides [00:05:34.110] several app backup options [00:05:36.221] with history in geographically dispersed, [00:05:38.411] secure locations. To maintain [00:05:40.571] app integrity during disasters, Mendix [00:05:42.891] offers high availability through deployment [00:05:44.930] to multiple availability zones and [00:05:47.350] auto recovery. [00:05:49.139] In accordance with our certifications, we [00:05:51.160] perform disaster recovery tests [00:05:54.343] on the platform quarterly. [00:05:56.432] The Mendix platform provides extensive [00:05:58.533] logging throughout the whole application [00:06:00.682] life cycle, from design, [00:06:02.750] development to deployment [00:06:04.339] as well as runtime. There is a full audit [00:06:06.449] trail of the activities performed in [00:06:08.490] the platform. [00:06:11.966] The Mendix Cloud operates on the [00:06:14.007] basis of cloud nodes run on Cloud [00:06:16.336] Foundry containers hosting autonomous [00:06:18.646] instances of the Mendix Runtime. [00:06:21.266] Each cloud node has separate test, acceptance [00:06:24.057] and production environments. [00:06:26.016] Each environment and app containers [00:06:28.047] therein [00:06:28.916] effectively shield each app from [00:06:31.197] one another from a resource and [00:06:33.297] a security perspective. To learn more details [00:06:35.906] about Mendix Cloud security, [00:06:37.857] review our extensive security section [00:06:40.206] in the evaluation guide. [00:06:41.786] Mendix platform security is driven through [00:06:43.896] a provisioning service called MxID. [00:06:47.670] MxID handles authentication [00:06:50.189] to the platform for interaction during [00:06:52.220] the application development life cycle. In [00:06:54.310] addition, the platform portal provides [00:06:56.459] role-based user access at the platform [00:06:58.819] and application level.
[00:07:02.401] Company admins for a tenant [00:07:04.432] in the Mendix Cloud have the ability [00:07:06.581] to manage users through their MxID [00:07:08.591] and configure their role-based [00:07:10.651] access to environments to deploy [00:07:12.742] and manage apps. Each app has [00:07:14.872] its own security interface for creating [00:07:17.192] and configuring user roles. You invite [00:07:19.521] team members to the app project, and [00:07:21.622] when you do, [00:07:24.278] you assign them a role, granting them certain [00:07:26.458] permissions to access and control aspects [00:07:28.737] of the app. [00:07:30.456] Mendix enforces segregation of duties. [00:07:32.966] Therefore, general management, think [00:07:34.995] of service accounts, are not allowed. This [00:07:37.125] ensures all actions are traceable to [00:07:39.146] a specific person. [00:07:42.494] It is possible to set up two-factor [00:07:44.764] authentication with the Mendix platform. [00:07:46.853] We'll cover that in a future session. [00:07:52.262] Taking a few moments to look inside the platform [00:07:54.562] portal, there are a number of sections on [00:07:56.661] the side menu for administrating an [00:07:58.732] application. I'm going to walk through the team [00:08:00.862] section only today [00:08:03.278] because it's relevant to our security conversation. [00:08:05.889] The team section lists the users [00:08:07.959] with access to the application and the roles [00:08:10.319] they play as a member of the app development [00:08:12.579] team for this specific app. As [00:08:14.939] the app owner, I have control over who [00:08:16.988] to invite to the application. [00:08:20.642] I want to invite my colleagues Simon and Chris [00:08:23.023] to the project because I'll need their expertise [00:08:25.413] during the app build. [00:08:27.158] When I type in their names, autocomplete [00:08:29.468] finds them for me because they have MxID [00:08:31.487] accounts within my company.
[00:08:33.567] In adding Simon and Chris, I'm prompted [00:08:35.618] to give them a role in the project. Each [00:08:37.918] Mendix app comes with six default [00:08:39.927] roles to choose from, but you can create more [00:08:42.288] to fit your agile team. More on that [00:08:44.518] in a minute. I can personalize a message, [00:08:51.844] confirm, [00:08:52.898] and I'm good. Simon and Chris are added [00:08:54.947] to the app. They'll receive an email with a clickable [00:08:57.197] link that will bring them to the Mendix portal, [00:08:59.327] or the next time, when they go into the portal, [00:09:01.488] a notification will appear, prompting them [00:09:03.648] to accept the invitation. So what [00:09:05.677] do you do if you need to create custom roles? [00:09:07.947] Clicking on the Manage Team button [00:09:13.059] and role settings provides an interface for creating [00:09:15.450] new roles and editing existing ones. The [00:09:17.519] only one that can't change is the Scrum Master [00:09:19.899] role because it's [00:09:21.403] the boss role. Creating a new role [00:09:23.552] enables you to set a number of permissions. And [00:09:25.702] there's a handy security guide to help [00:09:27.702] determine what level of access you may want [00:09:29.702] to give the role. With Mendix, you [00:09:31.763] have complete control of the platform user [00:09:33.962] experience. Put another way, this is [00:09:36.023] the first level of access control to [00:09:38.082] determine the experience members of the development [00:09:40.363] team will [00:09:43.860] have in the Mendix platform. [00:09:49.126] When we arrive at application-level security [00:09:51.527] in Mendix, control becomes expansive [00:09:53.966] and layered. [00:09:55.927] With application security, 
you're covered [00:09:58.187] with authentication to the app, [00:10:00.427] which is a distinction from platform authentication, [00:10:03.297] which is used to control access to the development [00:10:05.567] environment. [00:10:07.159] Application-level user roles you define [00:10:09.769] that are tied to module roles established [00:10:12.409] in each module. [00:10:14.159] This enables plug-in modules, things [00:10:16.370] that you would grab from a public repository [00:10:18.730] or reusable content, [00:10:20.220] actually have their own security that can be [00:10:22.279] inherited by the parent application. [00:10:24.960] And then for each of those modules, you [00:10:27.120] define page, microflow [00:10:29.379] and entity access [00:10:31.470] and assign module roles [00:10:34.220] to those rules. And we're going to get into that [00:10:36.409] in a deeper level, in a more visual [00:10:38.519] level in a few minutes. [00:10:40.659] Depending on how authentication is set up in the [00:10:42.690] Mendix application, [00:10:44.360] it's possible to provision users based [00:10:46.570] on the attributes sent through during [00:10:48.759] the authentication process. [00:10:50.960] So let's jump into a demo where [00:10:53.200] we'll set up an OAuth connection, [00:10:55.419] and then we'll also establish some user [00:10:57.610] and module security in the app. [00:10:59.960] We'll log in and we'll review [00:11:02.009] the access based on that and see [00:11:04.350] what the user sees. [00:11:09.961] has become a popular standard in the past [00:11:12.171] few years [00:11:13.000] as a way to limit storing passwords in applications, [00:11:15.971] thus giving developers a good balance [00:11:18.130] between usability and security. In [00:11:20.270] Mendix, implementing OAuth or [00:11:22.350] SAML in your apps is pretty straightforward [00:11:24.921] through the Mendix App Store.
[00:11:26.794] The App Store is an online repository of shareable [00:11:29.095] and reusable components you can download [00:11:31.455] directly into your projects [00:11:33.595] and begin to use. That said, you [00:11:35.725] may choose to roll your own authentication module, [00:11:38.315] and the openness and extensibility of the platform [00:11:41.085] allows you to create Java actions and [00:11:43.264] write custom Java code to support your [00:11:45.355] needs. Once the module is built, [00:11:47.495] it could be shared on the App Store in public [00:11:49.625] or private modes for the community [00:11:52.900] or your development team to benefit from. [00:12:02.980] So today I've taken the roll-my-own approach [00:12:05.240] because I want to use the domain model to [00:12:07.320] store my OAuth configurations. [00:12:09.523] This will enable me to write less custom code, [00:12:11.802] and it will make configuring new providers easier. [00:12:14.273] Let's start with the configuration. I've got the [00:12:16.413] app running on my local machine and I'm in [00:12:18.452] the configuration overview. You can see [00:12:20.753] I have configuration for Okta and Salesforce. [00:12:23.003] When I open the Salesforce entry, [00:12:25.133] I'm able to set the appropriate attributes [00:12:27.302] I need to complete a handshake. [00:12:32.933] To help connect to providers, I've [00:12:35.092] created a few Java actions that read [00:12:37.123] the information in the configuration and help [00:12:39.363] make the [00:12:40.202] module flexible. In addition, I [00:12:42.222] have created a microflow that returns [00:12:44.312] the configuration for the called-upon configuration. [00:12:47.163] I'll deploy the project to Eclipse, where I [00:12:49.202] can code the remainder of the flow inside [00:12:51.653] of Eclipse. [00:12:55.956] I have full access to the Mendix model [00:12:57.956] through the Model SDK.
This enables [00:13:00.009] me to use Java and Mendix models [00:13:02.190] to create the solution I need in the most [00:13:04.200] efficient way possible. To support [00:13:06.240] my OAuth configuration, I call the [00:13:08.250] microflow from the Java code and gain [00:13:10.350] access to all that information without [00:13:12.519] having to duplicate effort hand [00:13:14.549] coding what I need. Another cool thing [00:13:16.759] is once I'm in Eclipse, [00:13:21.048] I could debug my application from here. [00:13:23.129] Let's check it out. I fire up the debugger [00:13:25.369] and fire up the login page. I've created [00:13:27.759] a simple one here that enables me to log [00:13:30.038] into Salesforce. When I click the button, [00:13:32.339] Eclipse pops up because I set [00:13:34.448] a breakpoint in the Java code. Even [00:13:36.448] though I am running an application through Mendix, [00:13:38.538] I'm able to debug my custom [00:13:40.788] code when I click through. [00:13:46.778] I log into Salesforce. [00:13:48.528] It sends me back to the home page for my app [00:13:50.798] once the authentication is complete. Now, let's [00:13:52.839] go into securing the app once authenticated [00:13:55.158] users have entered. [00:14:07.847] We've taken a bit of a top-down approach to [00:14:09.878] security governance throughout this webinar, [00:14:12.057] but now we're going to switch directions and talk [00:14:14.267] about user roles and module roles. [00:14:16.917] The diagram on display is a [00:14:18.927] representation of how users [00:14:21.106] are bundled into user roles, [00:14:24.316] basically the equivalent of groups in [00:14:26.326] a directory service, and in an application [00:14:29.096] the user roles that have explicit access [00:14:31.166] to modules within that application.
[00:14:33.566] The distinction between user roles and [00:14:35.645] module roles is made because we want [00:14:37.735] modules to be self-contained [00:14:39.875] and independent from the project. [00:14:42.753] This promotes reusability and efficiency [00:14:45.283] because shared modules carry their module [00:14:47.842] roles, [00:14:49.120] which can be added to the user roles [00:14:51.460] of the main project in a couple of clicks. [00:14:54.159] It sounds a bit confusing, [00:14:57.591] but what I'm going to do is review [00:14:59.741] the user and module role section [00:15:02.081] of the training management app that [00:15:04.211] you have the opportunity to build in [00:15:06.322] the Become a Rapid Developer training [00:15:08.682] on the Mendix Academy website. [00:15:13.038] Mendix app security has three levels [00:15:15.258] you can set for the project: [00:15:17.738] prototype and production. I'm setting [00:15:20.008] the project to production because I want to [00:15:22.077] build out and test access control [00:15:24.077] for pages, microflows and [00:15:26.207] entities. [00:15:29.605] Prototype enables the first two, [00:15:31.754] page and microflow security, but [00:15:34.075] not entity-level security. Once [00:15:36.235] I flip the bit to production, the window [00:15:38.455] expands to show page and microflow [00:15:40.764] access are incomplete. This is happening [00:15:43.225] because certain pages and microflows [00:15:45.384] do not have roles assigned, [00:15:50.187] and role assignment is a requirement for [00:15:52.236] apps deployed into production. [00:15:55.047] Before we address that, [00:15:56.647] we need to add a trainee user [00:15:58.697] role to reduce the access of users [00:16:01.047] who will be taking classes [00:16:02.787] to only be able to sign up and view [00:16:04.996] those classes. We don't want them creating.
[00:16:07.876] When I create the trainee role, I choose [00:16:10.246] which module roles it will have access [00:16:12.307] to in the project. [00:16:16.611] Here, I'm keeping it out of some modules [00:16:18.991] completely and adding it as a user [00:16:21.261] to the administration module, [00:16:23.111] so users with that role will be able to log [00:16:25.481] into the app. [00:16:30.000] Now that the trainee role exists, [00:16:32.500] real-time error checking has kicked in because [00:16:34.909] it's seen that there are [00:16:36.940] aspects of the model that [00:16:39.059] don't have assignments [00:16:41.100] to the trainee role. So we need to take care [00:16:43.289] of that to secure the app. And now that I know [00:16:45.460] what I need to fix, I can double-click [00:16:47.659] on one of the errors and will take me right [00:16:49.789] to the issue. For now, [00:16:54.471] I'll open the module security from [00:16:56.871] my module using the project explorer. [00:16:59.613] Each tab has a detailed matrix of [00:17:01.613] their object relative to the user role. [00:17:03.972] When I make the adjustments and exit the screen, [00:17:06.633] all the errors disappear. [00:17:15.153] The last thing I'm gonna do is add a role-based [00:17:17.364] home page for the trainee. I don't want to [00:17:19.824] have access to the main home page with the buttons. [00:17:25.977] And then earlier I created some demo [00:17:28.037] users for the teacher and trainee to [00:17:30.196] test user module security. Before [00:17:32.477] I deploy, I'm going to put the app back [00:17:34.836] into prototype mode because it enables [00:17:36.936] me to easily switch between these users [00:17:39.297] during testing. Alright, I'm set to prototype. [00:17:44.554] We've deployed the app. [00:17:46.134] Let's go ahead and check it out. When I log in as [00:17:48.273] the admin, I have a fully rendered home [00:17:50.413] page of actions I can perform.
When [00:17:52.493] I switched to the teacher, the home page appears, [00:17:55.203] but the button creating a training event [00:17:57.294] is gone. When I switched to the trainee, [00:18:12.429] I'm presented with a different page altogether. [00:18:17.781] User and module security provide [00:18:19.882] me as a developer very fine [00:18:22.061] level of access control on the app side [00:18:24.231] build, segregating module security [00:18:26.592] from the project to ensure ease of reusability [00:18:29.442] of the modules I build, however, [00:18:32.386] giving me the ability to wire them back [00:18:34.636] into a project easily [00:18:36.416] because I can use predefined roles [00:18:38.717] in those plug-in modules [00:18:40.686] to define what users have access to. [00:18:43.126] Recapping what we've covered today, [00:18:44.926] Mendix delivers comprehensive security [00:18:47.237] at multiple levels to deliver a [00:18:49.267] platform for building apps with confidence, [00:18:52.146] from industry-standard compliance for cloud [00:18:54.416] operations to the specific activities [00:18:56.737] users may perform when interacting [00:18:58.906] with an app. [00:19:02.442] Mendix provides a visual and streamlined [00:19:04.832] approach to implementing security with [00:19:06.951] low code.