Mitigate Security Risk
Governance is about optimizing value with an acceptable risk depending on your risk tolerance. Security risk is one of the categories in the Mendix Governance Value Framework. Mitigation of security risk is about ensuring your landscape doesn’t contain known vulnerabilities and abides by policies to keep your software up to date.
Who is the default point of contact to get notified about any critical security issues?
You can assign a Security Contact for the Mendix platform in Control Center. Control Center is the key umbrella tool to help manage and govern an app landscape. Mendix admins have access to Control Center. They can provide a specific Security Contact who is informed if there are critical security issues with the Mendix platform and platform-supported Marketplace components. Mendix strongly recommends using a team email address or a functional mailbox instead of a personal individual email address.
How can platform user activity be audited across the app landscape?
Under the Security page in Control Center, the Security History tab provides an audit trail of security-related changes made in projects and member accounts within your company. These can be easily audited with in-platform searches and filters, or exported to Excel.
How can my apps’ incoming and outgoing traffic be monitored to ensure they are secure?
Firstly, Mendix protects Mendix apps from malicious internet traffic out of the box via Web Application Firewall (WAF) rules. WAF is a security service that protects applications from malicious and unwanted internet traffic without modifying your application code. WAF addresses various attack categories, including many high-risk and commonly occurring vulnerabilities described in OWASP publications such as the OWASP Top 10.
In addition to the above, Mendix provides comprehensive application and access logging. The access logs can be used to determine from where the apps are accessed. You can access these detailed logs via the Mendix Portal.
What security is provided on API access to the platform?
Mendix provides you with various APIs to access the public Mendix platform. These APIs are secured by either API-keys or Personal Access Tokens (PAT). Both mechanisms allow clients such as a CI/CD pipeline to consume the platform APIs on behalf of the platform user who created the token, applying the user’s privilege restrictions.
The advantage of PATs over API-keys is that the platform user can restrict the scope of delegated access to specific APIs by selecting so-called ‘scopes’ during creation of the PAT. API-keys and PATs can no longer be used once the user who created them has been deactivated, which contributes to your objective of having a short ‘access removal time’ for your Joiners/Movers/Leavers process.
Further information can be found in the Security section of this Evaluation Guide.
How are security advisories generated and published by Mendix?
Mendix publishes security advisories on Mendix-owned components by leveraging Siemens ProductCERT, which is a dedicated team of security experts that manages the receipt, investigation, internal coordination, and public reporting of security issues related to Siemens products, solutions, and services.
Mendix adds the CVSS score and CVSS vector for security vulnerabilities described in the Studio Pro release notes. Mendix also adds the Mendix-specific CVE IDs when they become available. The security advisories are available in the documentation, via a subscription RSS feed as well as on vulnerability databases such as NVD.
How can the impact of security vulnerabilities be assessed across the app landscape?
Log4j-like critical security vulnerabilities can happen. With Software Composition visibility across the application landscape, you can determine the application environments using a vulnerable component to help you easily assess the impact radius. The affected application’s technical contacts can be notified and asked to remediate the vulnerability. Meanwhile the admins can continue to monitor the component’s usage until all applications make the necessary remediations or upgrades.
Can I use third-party Static Application Security Testing (SAST) tooling to scan Mendix apps?
Mendix provides Quality and Security Management (QSM) out of the box for Static Application Security Testing purposes. QSM provides a comprehensive view into the Open Source Health of an application. Mendix also allows you to use specific third-party tools for SAST scanning purposes; customers today also perform SAST via tools such as Snyk, Veracode, and SonarQube.