Platform Security

As part of the Mendix Cloud, Mendix provides a user management and provisioning service called MxID. Because it is built on the Mendix Platform, MxID inherits all the security measures from the platform. MxID also provides an administration portal for the management of user access and authentication.

How Does the Mendix Platform Manage My Identities?

Mendix supports the definition of Mendix Admins who can assign permissions to users following a delegated administration concept. One or more administrators can be identified per tenant who, in turn, can perform administrative tasks in the tenant according to the permissions granted.

The Control Center is the administrative hub providing the Mendix Admin with a single overview of their app landscape, members, and cloud environments.

Managing and monitoring the app portfolio and member access are the core governance activities on the Mendix Platform. In the Control Center, Mendix Admins can view the app portfolio and team member activity, and they can perform these administrative tasks:

  • Get an overview of users across the company, including their status (internal or external), Mendix certification level, and the apps to which they have access
  • Deactivate members they identify as a security risk
  • Get an overview of apps built throughout the company, including who created the apps and when they were last modified
  • Deactivate apps they identify as a security risk

How Can I Administer My App Within the Mendix Platform?

The Mendix Developer Portal allows administrators to manage users (defined in MxID) and configure role-based access to environments for deploying and managing apps. The Developer Portal security interface is integrated into the app project dashboard, so you have a 360° view of all the access rights of a specific person within the context of an app. Mendix enforces segregation of duties between (at least) the developer and the application administrator; both roles are held by personal accounts. Mendix does not allow you to configure a shared, general-purpose management account, so that every action is traceable to an individual person.

In the Control Center, Mendix Admins can configure the default app team roles assigned for every new app created in their company.

For more information, see App Roles in the Mendix Developer Portal Guide.

How Does the Mendix Platform Support Multi-Factor Authentication?

Two-factor authentication can be enabled within the Mendix Cloud for sensitive activities. It can also be added anywhere within a Mendix application to further secure access to the app or parts of the app.

What Kind of Logging & Audit Trails Are Provided in Mendix?

The Mendix Platform logs relevant activities during the app delivery cycle, from requirements management and development to deployment and application monitoring. This supports customer requirements for auditability, and logs may be exported for additional analysis.

What Kind of Security Tests Are Performed on the Mendix Platform?

An independent auditing firm periodically performs security audits of Mendix. The results are reported through our ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certificates, NEN 7510 certificate, PCI DSS Level 1 Service Provider Attestation of Compliance, ISAE 3000 Type II attestation report, ISAE 3402 Type II attestation report, SOC 1 Type II attestation report, SOC 2 Type II attestation report, SOC 3 Type II attestation report, and HIPAA assurance letter.

In addition, a leading IT security firm performs penetration tests on the Mendix Platform on a monthly basis. These penetration tests are based on the Open Web Application Security Project (OWASP), Information Systems Security Assessment Framework (ISSAF), and Open Source Security Testing Methodology Manual (OSSTMM).

For vulnerability management, a program is in place that continuously monitors the security posture of the Mendix Platform. Before a release is shipped, it is scanned with Snyk, Veracode, and SonarQube.

What Kind of Encryption Is Provided by Mendix?

The Mendix Platform encrypts data at rest and data in transit out of the box.
