Security by Design with Mendix’s Low-Code Platform by Frank Baalbergen
It’s about trust.
That’s Mendix’s philosophy when it comes to embedding security and privacy into low-code development. There’s a bond of trust between us, you, and your customers. When you develop an application with low-code, you shouldn’t just expect to develop faster and deploy sooner. You should be able to trust that your apps will be secure for you and your customers in every way possible.
That’s why at Mendix, we back up our philosophy with a concept called security by design—out-of-the-box security tools, development methods, and governance tooling to ensure that your data and your customers’ data are secure, no matter who is building applications.
How does Mendix maintain low-code development security?
When building apps with Mendix, you can rest assured that your applications are secure, as the Mendix Platform handles this as a service.
Across the entire organization, the complexity of IT systems is constantly increasing and virtually never decreases. Companies are adding new pieces of software all the time. For such complex and fragmented systems, it’s very hard to protect yourself from hackers and state-sponsored actors. Threats to information are always a problem. For organizations, this means increasingly high costs and high risks.
Low-code development platforms, specifically Mendix, are a good solution to these challenges because you are able to standardize at a platform level where a lot of the security features are provided out of the box. Security is often very difficult for general users to understand and execute.
Mendix simplifies your huge patchwork of complex systems by providing an all-in-one solution to the current plethora of applications and technologies.
The Mendix Platform is a full-stack, low-code development tool that makes security simpler and safer to manage at a lower cost. Mendix provides you with security out of the box and also the ability to further configure security settings with guardrails to meet your specific needs and requirements.
The Mendix Platform is architected to mitigate risk regardless of who is using it. This is done first at the infrastructure and platform layer, then at the server layer, and then at the application layer that provides the business value.
At the infrastructure and platform layer, Mendix has the highest level of certifications and accreditations.
We have 24/7 threat detection provided by both Mendix and Siemens by leveraging CrowdStrike, the leader in endpoint security software as a service. We also conduct monthly penetration testing, complemented by thousands of clients doing their own penetration testing on their apps. We have partnered with HackerOne for a vulnerability disclosure program, opening up our product to the world’s best and brightest ethical hackers for crowd-sourced security. Mendix manages all of this out of the box for you.
On top of this, you can configure IP whitelisting, implement client certificates and role-based access as needed.
We have a dedicated offering called Mendix Cloud Dedicated, where you get all the security features of the Mendix Cloud, but it’s dedicated to you and hosted on the AWS cloud. With Mendix Cloud Dedicated, it’s possible to connect your network via VPN so that it’s unreachable via the public internet.
At the server level, we have the ability to align with your SSO policy – SAML, OpenID, Azure ID, etc. We also provide monitoring and insights for you and your Mendix apps. This year we are also releasing new ways of adding to your own central monitoring using Micrometer, an instrumentation facade that provides vendor-neutral metrics. This gives you enhanced intrusion monitoring.
Of course, this doesn’t take the responsibility of securing your applications out of your hands completely (nor should it; every business and application has its own specific privacy and security needs). For instance, application-level authorization and access rights need to be configured in an application model by a professional developer. But you’re not alone. The Mendix Platform provides your team with all the standard tools to configure security at the entity, module, and project level.
How do you develop fast and stay secure?
With traditional software development, programmers need to specifically take security into account for each aspect of their application. While the same is true for low-code, the difference is what comes after. With Mendix’s low-code platform, you can build reusable components for an application. Once a component goes through its security checks, it can be used over and over again in other applications without having to be re-assessed. That is, until your security protocols change or an update to the component needs to be made. These components can be placed on your company’s private Marketplace, where you can internally share apps and application components.
Traditional development requires the analysis of lines and lines of code. In Mendix, you’re writing less software, so consequently, there are fewer security checks.
As an example, in traditional development, you have to set up an authorization scheme. There’s no single and clear source of truth. But in the Mendix Platform, you build a domain model, set up who has access, and it’s all in one place. With microflows, you can reuse entity access that you configured for specific access to a microflow. Or, you can define per microflow what kind of security should be added. Because your microflows can have names, you can create documentation that details the privacy and security rules around that microflow, making it easily searchable and discernible.
While our platform is architected to mitigate risk at all levels, we also know that strong security requires great governance. Accelerating development speed generally means bringing more folks into the application development lifecycle to either tighten up feedback loops or turn business stakeholders into citizen developers who can build apps themselves. Of course, this means establishing guardrails that ensure they’re building in a safe manner.
At Mendix we recognize the need for good governance. We have a governance framework that’s tried, tested, and is aligned with our digital execution program. Considering the 4 Ps—People, Process, Portfolio, and Platform—in every aspect of your low-code platform can help you ensure that your developers (both citizen and professional) are creating applications that align with your company and industry’s guidelines and regulations.
But again, you’re not alone in this. To help assure adherence and maintain control, there is also out-of-the-box governance tooling that helps you manage your ever-growing application landscape.
Control Center provides insights, overview, and control for all activities in the Mendix Platform in one central place. You can assign and remove admins, get an overview of members and their projects, and get an insight into the active app projects, their status, and their last commits.
Mendix’s two skill-based IDEs allow developers with a range of programming skills to build and deploy solutions in a collaborative manner.
The Mendix Application Test Suite gives you the tools to embed automated testing into your development lifecycle. Our portfolio quality monitoring tool, Mendix Application Quality Monitor (AQM), is a cloud service that performs a static analysis of Mendix application models based on the ISO 25010 industry standard for maintainability. Mendix AQM also helps you proactively identify what the quality issues are and where they are. The same can be said for Mendix APM, a tool that records all levels of logging, analyzes the performance of your Mendix apps, and measures memory and CPU usage.
Security is Never Over.
Security is a big job. The last thing you want to do is impede business value creation, but you also need to ensure that your organization’s and your customers’ data is safe and sound. Balancing the need to develop more apps faster while also ensuring safety is a necessity. The most incredible application developed in the fastest time possible is useless if its security fails and data is lost.
We recognize this. That is why we designed the Mendix Platform to help you build and deploy faster, while maintaining control.
Trust us on that.