Security concerns and priorities when choosing your low-code platform.
If you are concerned about the security of your custom business application, you should consider using a low-code platform. A well-designed low-code platform will handle many aspects of security for you.
It will let you focus solely on the business aspects of security, while the technical aspects are handled by the platform itself. This post discusses some of the most important of these aspects.
Data access
Some low-code platforms allow access to your data by means other than the platform itself, such as custom code extensions, custom database queries, or third-party components. Other platforms generate program code, which lets developers modify that code afterwards and thereby circumvent the platform altogether.
User identity
You should make sure your low-code platform supports secure authentication services, so that you can trust that your users are who they claim to be. Your application should facilitate the process of keeping accounts up to date and leave the rest to the platform.
Secure actions
Your next priority should be to check whether the low-code platform supports the business-process aspects of security, i.e., which actions are allowed, and by whom. The platform should offer easy-to-understand controls for building a secure actions scheme, so that business people and engineers can understand, discuss, and agree upon the design.
Strict global policy
Genus protects your data by enforcing a strict global policy. All access to your data is governed by the platform; no custom code or third-party components are allowed. Further, there is no code generation: Genus is a metadata execution platform only, so there is no generated code to be tampered with. Lastly, all database queries (SQL) are generated by the platform, with no possibility for the user to modify them, which is what SQL injection would require.
The latter is confirmed by Forrester Research in their report “Don’t Ignore Security In Low-Code Development” (requires an account at Forrester):
Some low-code platforms such as Salesforce, Microsoft PowerApps, and Genus go even further and allow no direct database access through custom SQL at all. In such cases, the burden to avoid SQL injection rests entirely with the low-code platform rather than any individual low-code developer.
Sandy Carielli and John Bratincevic, December 23rd, 2020. Don't Ignore Security In Low-Code Development, Forrester.
Our security measures may sound too strict, but we claim that they will not prevent you from achieving the functionality you want. Instead, they will make you confident that your data is secure.
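To make the point about platform-generated SQL concrete, here is an added example (not Genus code) of the difference between a query builder that only emits SQL from a fixed schema and binds user values as parameters, and a hand-written version that concatenates values into the SQL text. The schema, table data and hostile value are constructed for the example.

```python
# Added example, not Genus code: why platform-generated SQL keeps SQL
# injection out of the developer's hands. The builder emits SQL text only
# from a fixed schema it controls; user values travel as bound parameters
# and never become part of the SQL string. Schema and data are constructed.
import sqlite3

SCHEMA = {"customer": {"id", "name", "city"}}   # allowed tables and fields
OPERATORS = {"eq": "=", "like": "LIKE"}          # allowed comparison operators

def build_query(table, fields, filters):
    """Return (sql, params) for a metadata-described query.
    `filters` is a list of (field, operator, value) triples."""
    if table not in SCHEMA:
        raise ValueError(f"unknown table {table!r}")
    for f in fields:
        if f not in SCHEMA[table]:
            raise ValueError(f"unknown field {f!r}")
    clauses, params = [], []
    for field, op, value in filters:
        if field not in SCHEMA[table] or op not in OPERATORS:
            raise ValueError(f"filter not allowed: {field!r} {op!r}")
        clauses.append(f"{field} {OPERATORS[op]} ?")   # placeholder, not value
        params.append(value)
    sql = f"SELECT {', '.join(fields)} FROM {table}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

def unsafe_query(table, fields, filters):
    """The hand-written alternative: values concatenated into the SQL text."""
    where = " AND ".join(f"{f} {OPERATORS[o]} '{v}'" for f, o, v in filters)
    return f"SELECT {', '.join(fields)} FROM {table} WHERE {where}"

def demo():
    """Run both variants against constructed data with a hostile value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                     [(1, "Ada", "Oslo"), (2, "Bob", "Bergen")])
    hostile = "Oslo' OR '1'='1"        # constructed tautology attempt
    flt = [("city", "eq", hostile)]
    sql, params = build_query("customer", ["name"], flt)
    safe_rows = conn.execute(sql, params).fetchall()       # [] : no such city
    unsafe_rows = conn.execute(unsafe_query("customer", ["name"], flt)).fetchall()
    return safe_rows, unsafe_rows   # ([], [('Ada',), ('Bob',)])
```

The builder also rejects any field or operator outside its schema, so a developer cannot smuggle SQL in through the field list either.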
Please read our post on the paths to low-code for a better understanding of metadata execution platforms versus code-generating platforms.
Securely identified users
Genus supports a range of identity providers through industry standards such as OpenID Connect and OAuth2. These providers enable multi-factor authentication for your application. A Genus user must be properly authenticated through our secure gateway using one of these standards.
Combining secure controls and securely identified users
The Genus platform offers a set of easily understandable controls for building a secure action scheme: Find and List, Read and Execute, Create, Modify, Delete, and more. By combining these controls and connecting them to securely identified users, you can build role-based setups, level-based setups, and many variants in between. Finally, you get a 360-degree secure application if you also use the platform's rich auditing features.
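As an added illustration (not Genus code, and not its actual control model), here is how combining the controls listed above with a securely identified user can yield a decision that is both role-based and level-based, with an audit line attached; the roles, clearance levels and object classes are assumed for the example.

```python
# Added example, not Genus code: a minimal "secure actions" decision that
# combines the controls named above with a securely identified user.
# Role-based grants and a level-based grant (a clearance ordering) are
# checked together. Role, level and object-class names are constructed.
from dataclasses import dataclass

CONTROLS = {"find_list", "read_execute", "create", "modify", "delete"}
LEVELS = ["public", "internal", "confidential"]   # ascending sensitivity

# Role-based: role -> object class -> controls granted on that class
ROLE_GRANTS = {
    "clerk": {"claim": {"find_list", "read_execute", "create"}},
    "manager": {"claim": CONTROLS, "audit_log": {"find_list", "read_execute"}},
}
# Level-based: each object class carries a classification level
OBJECT_LEVEL = {"claim": "internal", "audit_log": "confidential"}

@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool          # outcome of the identity-provider login
    roles: frozenset = frozenset()
    clearance: str = "public"

def is_allowed(user: User, control: str, object_class: str) -> bool:
    """Deny unless every layer agrees: authenticated user, known control,
    a role granting it on the object class, and sufficient clearance."""
    if not user.authenticated or control not in CONTROLS:
        return False
    role_ok = any(control in ROLE_GRANTS.get(r, {}).get(object_class, set())
                  for r in user.roles)
    needed = OBJECT_LEVEL.get(object_class)
    if needed is None or user.clearance not in LEVELS:
        return False                       # unknown object or level: deny
    level_ok = LEVELS.index(user.clearance) >= LEVELS.index(needed)
    return role_ok and level_ok

def decide(user: User, control: str, object_class: str):
    """Decision plus an audit line, since auditing completes the scheme."""
    allowed = is_allowed(user, control, object_class)
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{user.name} {control} {object_class}: {verdict}"
```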
You can also rest assured that most of the risks listed in the OWASP Top Ten are taken care of by our platform. Be aware that some of them (such as sensitive data exposure and broken access control) also require a business effort, so make sure to do your part as well.
Genus, a highly secure low-code platform
The Genus platform has been hardened over decades based on feedback from the customers using it. These customers are in highly security-aware industries such as public safety, insurance, banking, and finance. This hardening should make you confident that your applications, too, will benefit from using Genus as a low-code platform.
If you want a deeper dive into the security aspects of Genus, read our evaluation guide: Developing in Genus and Identity and access management. The guide provides more details on how the security regime is implemented in the platform.
We also recommend reading Forrester Research’s report “Don’t Ignore Security In Low-Code Development”, mentioned above. The report gives valuable insight into how security professionals can work with low-code developers, and how to manage the security benefits and risks of low-code development in an organization.
Reach out to Genus or one of our partners for help in designing your specific data access and secure actions setup. You should be ready to answer security questions about your business processes, but you can safely leave the technical concerns to our platform.