Tom Brand, Security best practices beyond Studio Pro Workshop | Mendix Stream | YouTubeToText
Summary
Core Theme
This workshop focuses on implementing Mendix best practices for application security and scalability by configuring settings beyond the standard Studio Pro, emphasizing a holistic approach to secure development across multiple applications.
Yes, we are.
>> You're live. Okay.
inception.
>> Yeah, I'm not turning on my volume.
>> And then if you talk then
>> I can check if it's really
So, just so you know, we'll be starting
a few limits just taking care of the
So, we'll wait until 7:30. It's two more
>> Yeah, but that's good, right? So, they know.
know. >> Yeah.
[Music]
A little louder.
So time to start. Okay,
Okay,
Good evening everyone. We're starting the workshop for Mendix best practices beyond Studio Pro, and so how you can configure that to have a secure Mendix practice. All right. So, I'm Tom. I've been working with Mendix for about nine years now. I've had the privilege of having many roles within teams, and currently I'm mostly in the role of team lead or solution architect, and then my responsibility is this practice scaling and taking care of safety and security of the applications. And this is why you often look beyond the single application, beyond securing the business logic, and rather implement best practices across many applications. And this is what you really want to look at beyond Studio Pro.
So normally I don't use a table of contents, but because we are touching on many different subjects I thought I would include it. So we start out with the things that you can configure in the Mendix portal, like the network, HTTP headers and Control Center. Then we will look at some marketplace modules, well, which you might use marketplace modules for. And then we look into some
So, everything good? Okay. So, starting off, I don't know if many of you have used this yet, but on the Mendix cloud environment you can configure your network. This is path based, and per environment.
What you can then do there, for example, if you've been doing the challenges today, you might have run across one of these, the REST doc: you can constrain access on these paths specifically. So a simple one is, either it's not accessible or it's accessible to everybody. But what you can also do is configure access restriction profiles. This you do at the application level. So you create these once; you say, well, we are interested in restricting it to a certain IP range, or we enforce a certain TLS certificate, and then you can go to a specific environment and set this restriction. So for example, if you have a Mendix application that is used on a work floor, it's only used by employees on that site, you might on the highest level constrain on IP address, but then say, well, our REST operation that we have on the application with which we want to communicate with our partners, this one we will leave open. Or you don't put any constraints on most of your paths, but if companies want to consume your REST service they require a TLS certificate. So that's how you can be flexible with that.
So the HTTP headers are also configurable per environment, but these really affect your application behavior. So the last one simply restricts access: you can either access it if you meet the requirements, or not. But once you start configuring the HTTP headers, you really configure what information you allow the application to respond with. So it changes the behavior of the application. But this is what you have to look at if you want to improve on the defaults, make it more secure. So I would definitely, if you want to look into this, look at the OWASP cheat sheet, and there's a couple of them that you can just take over there, like the ones that you see here in the example, the X-Frame-Options and the X-Content-Type-Options. Those you can quite safely set without your application getting messed up. But for example the Content Security Policy is quite involved. Mendix also has a very long how-to on how to do this. You just have to know that if you simply set this to the strictest setting, then your application will likely not work, and many of the widgets simply don't work anymore. And for each of those widgets, like for example the rich text editor or the chart widget, you have to apply exceptions when you configure this Content Security Policy. You could do a whole deep dive on this, and actually somebody is doing that right now. So if you want more information on this specifically, it can be very powerful to apply; you can have a look at the session that was held also at 7:00 in one of the other satellite locations.
So the Control Center was added to the Mendix web interface in, I think, 2021, about four or five years ago now, and a lot of powerful additions have been added since then. I think one of the, but it's something that most of you will probably not interact with, because it's something that an admin at a company configures. They have access to this, the other developers don't. So if you as an external for a company, you'd like access to this, but it's probably good to know something about this to advise the company on how they can best use this. So one of the things that you configure here is, for example, bring your own IDP, allowing people to use their enterprise SSO solution to sign in to the Mendix web environment, removing another password that people can misplace.
So software composition is another addition that I think is really cool, because it can show you per application what the MX version is and whether the components that you are using are out of date. This is not just the marketplace modules, it's also Java actions and widgets. It is date based. So it is still good to look at these security updates that you get from Mendix if you're subscribed to them, because it will become more critical as time goes by. But some of these updates done to marketplace modules you of course want to do right away as they happen, because there's for example a security fix in the SAML module. So then that is critical right away and not in 3 months, right? So do know that the findings are date based, or when the module gets deprecated.
Then another thing that you can configure are project roles. So a couple of years ago the project roles were something like scrum master and business engineer, and these were fixed, right? So you got this fixed set of features that came with these roles. Now per company you can define these project roles, and they can be quite specific. So what access you have on the project level, like for example, are you allowed to adapt the project code? Are you allowed to add user stories? Are you allowed to add members to the team? That sort of thing. But also on the environment, like are you allowed to deploy, are you allowed to make backups. And I think it's really powerful that me, as for example an external developer, I get a lot of access, but I probably should not be able to download a production backup, right? So creating a profile for that, for somebody who has all the access rights to test in UT and is able to work there very efficiently, but not get all your production data. That's something you
>> So, the question was, is there something, this functionality from the Control Center is currently for Mendix cloud, and the question is whether this is also available for applications run in private cloud, and I can't answer that with 100% certainty, so I will get
Then I will continue with the session in the section on users, and whether you for example want to have local accounts, because, you know, it is easier to set up: if you generate your basic Mendix application it's right there, while configuring an SSO module can take quite a bit of work. Well, I would argue that once you are a bit more mature, you really should focus on getting this OIDC or SAML module installed, because it just comes with a lot of built-in services that your local accounts wouldn't have, and if you want to provide that it would be quite a bit of work to make it as secure as having an SSO, let alone having it standardized and managed centrally within your
So the benefits are quite great, and enabling this is really the best practice.
So because the IDP takes care of both the authentication and authorization, that means within this IAM system, identity and access management system, they can define who has access to your application and they can define what roles they should be having, and this will not be somebody in your application setting rights, giving people access roles. It's managed somewhere in an app that is dedicated for your company to do that. So the messages that come in, they provide these claims, and then you can add the logic in your application to determine the application roles. Another best practice is to keep the minimal number of roles that you can, because it's just better to keep it rather simple than have people demand many roles, and then you get these situations where you get unexpected behavior.
And then the last thing on this is the custom session timeout. This is something that I often find with pentesting: you get remarks that the custom session timeout is too long, right? And that the security experts would like this to be as short as possible. With Mendix, you have to take a couple of things into consideration. The session length is by default actually not that long, it is about 10 minutes, and on mobile devices it might actually be quite appealing to make it longer, right, because people close their apps and get signed out of their application because the session times out. Well, if you have a desktop application and you keep your browser open, there's a secondary mechanism that keeps this session alive, and so you might be working all day and keep your session alive all day because of the secondary mechanism. So when you talk to these security officers, you really want to discuss how they view this and how it would affect the user experience of using your applications.
Now it seems rather cut and dry what I just said about SSO and SAML and having these roles, but I was confronted very early on in my career with an application that I was working on where we decided, or somebody decided, we needed to use local accounts. And I wanted to share this situation so that it might create some perspective on why you want to keep things simple and why you would like to use SSO. So in this application we had set up quite a number of roles, and the roles were part of the process that was handled in the application. So some people were approvers and some people were requesters and some people had more rights than others. So you already had like four access roles, right, and the accounts were managed locally by a functional administrator. So the guy on the department that had the most IT knowledge, like the department PowerBI guy, was thrust on this responsibility, and so he became the functional administrator. And then what happened was that every time a colleague went on leave, somebody would go up to him and say, hey, I can't do my work because my colleague normally sitting next to me would approve my, could you grant me this role please? And so he would grant people additional access, and at the beginning he would also remove it again. But that quickly went away. And after some time we got bug reports in our Jira board, all kinds of unexpected behavior. And then we found out that this situation had escalated because he was getting tired of people asking him for additional roles. So what he did was he made everybody functional administrator, so they could just give themselves the roles that they wanted. And everybody was functional administrator and everybody had all the roles. And so, yeah, don't make things too difficult for people, and perhaps put the responsibility where you want it, in a real system created for that, like an identity access management system.
Another important topic: secrets.
So the first thing where you really, really don't want to put your secrets, and I was only challenged on this once, is your microflows and your nanoflows and your business logic. Only one time I had a person challenge me on this, that had mostly just a hyro background, that said, can't you make it part of the package and just have a unique package per environment, because those packages, they are safe, they are stored in a safe location. And I just couldn't believe it, like I would have to create a new package and configure my passwords every time I would like to deploy. And so we had a good conversation and we decided this wasn't the best road forward.
So the secondary alternative that you have is storing secrets in the database, because this is environment specific. Per environment you can have a set of secrets. But generally you don't want to take on all that responsibility for yourself, right? Like have a table that has all the functionality that it is actually safe, that it's not accessible to anybody. But sometimes there are situations where you have to have that. I will get back to that in a minute. But usually you just want to use your encryption module to encrypt your secrets and then store them in the constants. So that when you retrieve them as a constant, you can decrypt them and then use them in the application. So the constants are a good place to store secrets regardless, especially if they are encrypted, and then secondly you can use the constant mechanism to actually use that for AWS Secrets Manager, for example. So if you are already using private cloud solutions, then you might also use this cloud functionality, that you use the constants, but the constants are actually a mechanism by Mendix where the secrets are stored in AWS Secrets Manager, for example, and you just pull them through constants. Through constants you can use them in your application. But there are situations where you can't use constants, when secrets are not just environment specific but, for example, data structure specific. So what if you have departments or companies within your app having their own secrets? Then you might really want to set up a good secret storage in your database, unless you're looking for a more sophisticated option with some kind of service or something.
Okay, the monitoring. So why are we doing monitoring? It's so that when there are findings, you can provide proof, but it's also to prevent situations, right? So to put alerts out for suspicious behavior, like user login attempts, API access requests that are suspicious, like user login attempts that keep failing. But also you want to add some additional custom logs, for example if you have authenticated the user but they provide messages to your API that are invalid; then those logs are very interesting to just see what people are trying to do. It is the best practice to use APM tools, monitoring tools like for example Datadog, because these tools are very powerful to just add all kinds of tags and alerts that allow you to monitor these with minimal manpower behind it, with minimal looking through logs. Right? So you just get these dashboards that really show you the critical situations. Aside from logging, another way you can do monitoring is monitoring user behavior with an audit module, for example. You can also build this yourself, but Mendix provides one in the marketplace, and this is a good place to start.
So to apply this module, if you want to try it out, there's two ways to do it. So either you use the audit entity as a parent to the entities that you want to monitor, or you can have a one-to-one relation with it, and then the events on the entity will take care of the rest. I would advise to start with an association unless you have a very good reason not to, for performance considerations.
So to summarize, the reason why I think it's really important to look towards these security optimizations outside the modeler is to get fewer incidents, so you get more maintainable applications. These are often one-time investments that take a little bit of effort; figuring out how to work with the HTTP headers can be quite a bit of work. But once you have a good how-to for your company, how to set this up for your applications, the reduction in incidents can really save you a lot of time. Secondly, the accountability. So implementing systems for providing evidence really helps you out during pentesting or during application maintenance. And then lastly, a lot of these things that we have discussed during this workshop really create a secure maker space, right? So by standardization and by restricting access, you make it a safer place for developers to work. So even if you sometimes make a little mistake, the whole system is set up for you to make as few important mistakes as possible.
So the HTTP headers are set at the environment level.
>> Yes. So they define what the application can return. So they, for
>> They will be added if you add them to your configuration. So they have like default settings, and you on your environment set, like, no, I would prefer not to have this header; I would set it to, for example, you cannot have an X-Frame, or you are not allowed to. So one of the options is called nosniff, so no content is being shared, that sort of thing.
So, the question is, is there a set of advised settings for the HTTP headers? Right. Okay. So actually, if you go to this cheat sheet there are some advised values; on this how-to by Mendix it's there for the Content Security Policy specifically. The problem is, so why is it not as strict as possible, right? That's effectively also a question that you could ask about this as well, and the reason is it constrains the possible functionalities that you can have on these web applications; it makes development on the applications more difficult. So, yeah, so can it be more strict? Yeah. Can it by default be more strict? Sure. But quite a number of both the Mendix platform widgets and the widgets provided in the marketplace by default wouldn't work with more strict settings. Should they work with those settings? Maybe. But for now this is
>> So that was it for the workshops for today, and now we have games.
>> Shall I end the stream
>> and workshops tomorrow? >> Okay.
>> Okay.
>> Yeah. Do you want to say a few words about tomorrow's workshops for days