Is the Mendix platform compliant with the OWASP top 10 for 2010?
One of our prospect demands for using our Menidix app is that the mendix platform is compliant with the OWASP top 10 for 2010. Does someone has any information about the Mendix OWASP compliancy? Which factors are handled by the XAS, and which factors should be handled by the application, which factors should be handled by the techn. infrastructure? Documentation at googlecode
At Mendix we value security highly. One of the examples is the improved Security DSL in Mendix 2.5.
As you already mentioned, security affects multiple levels:
Infrastructure level: a system administrators needs to make sure HTTPS is configured, IIS or Apache is configured well, the operation system contains the latest security patches, etc.
Framework level: the Mendix Business Server and Mendix AJAX client will take care of all technical security issues like injection, authentication, session management, etc.
Application model level: as a Mendix Business Engineer you should make sure to use the Security DSL to define user roles and access levels on your domain model and flows.
Again, security is seen as important and constitutes an important part of our test suite. However, we do not have a full report on OWASP compliancy. If you want us to create such a report please contact your Mendix account manager.