Platform Security
As part of the Mendix Cloud, Mendix provides a user management and provisioning service called MxID. Because it is built on the Mendix Platform, MxID inherits all the security measures from the platform. MxID also provides an administration portal for the management of user access and authentication.
How Can I Administer My App Within the Mendix Platform?
The Mendix Portal allows administrators to manage users (defined in MxID) and configure role-based user access to environments to deploy and manage apps. The Mendix Portal security interface is integrated into the app project dashboard, so you have a 360° view of all the access rights for a specific person within the context of an app. Mendix enforces the segregation of duties between (at least) the developer and application administrator, whose roles are both safeguarded using personal accounts. Mendix will not allow you to configure a general management account, to ensure that all actions are traceable to a person.
In the Control Center, Mendix Admins can configure the default app team roles assigned for every new app created in their company.
For more information, see App Roles in the Mendix Portal Guide.
How Does the Mendix Platform Support Multi-Factor Authentication?
Two-factor authentication can be enabled within the Mendix Cloud for sensitive activities. It can also be added anywhere within a Mendix application to further secure access to the app or parts of the app.
What Kind of Logging & Audit Trails Are Provided in Mendix?
The Mendix Platform logs relevant activities during the app delivery cycle, from requirements management and development to deployment and application monitoring. This is to ensure compliance with customer requirements for auditability and logs may exported for additional analysis.
What Kind of Security Tests Are Performed on the Mendix Platform?
An independent auditing firm periodically performs security audits of Mendix, which are reported through our ISO/IEC 27001, ISO/IEC 27017, 27018, and NEN 7510 certificate, PCI DSS Level 1 Service Provider Attestation of Compliance, ISAE 3000 Type II attestation report, ISAE 3402 Type II attestation report, SOC 1 Type II attestation report, SOC 2 Type II attestation report, SOC 3 Type II attestation report, and HIPAA assurance letter.
In addition, a leading IT security firm performs penetration tests on the Mendix Platform on a monthly basis. These penetration tests are based on the Open Web Application Security Project (OWASP), Information Systems Security Assessment Framework (ISSAF), and Open Source Security Testing Methodology Manual (OSSTMM).
For vulnerability management, a program is in place for continuous monitoring of the security posture of the Mendix Platform. Before a release is shipped, the release is scanned by Snyk, Veracode, and SonarQube.
What Kind of Encryption Is Provided by Mendix?
The Mendix Platform encrypts data at rest and data in transit out of the box.
Identity and Access Management capabilities for platform users are described under Mitigate Platform User Risk