Security audit of low-code applications with OWASP
Security is one of the most important aspects of enterprise software development, so low-code based applications need to be tested and audited accordingly. Simplifier now offers such measures to its customers.
Security matters a great deal in the creation of business applications. Before any such application can go live, a necessary step has to be taken: security testing and audits of business applications are a crucial part of enterprise software development, and this applies just as much to applications developed with low-code.
In general, when we look at the final form of most business applications, we are talking about web technologies, and in particular about web applications whose security properties need to be audited.
Penetration Tests of Web Applications based on OWASP
As we are looking at low-code applications built with Simplifier in this blog post, we are talking about HTML5 applications based on OpenUI5/SAPUI5 together with RESTful backend services, all of which need to be audited. This is where OWASP comes into play. So, what is OWASP all about?
The OWASP Top 10 and their implications on low-code
Looking at the OWASP Top 10 list is a good starting point for testing applications built with low-code. Just looking at the first three entries of the Top Ten shows the following:
Since many enterprise apps include data entry and forms, possible injection vulnerabilities need to be checked. Authentication also plays a major role within enterprise applications, so checks for broken authentication and session hijacking need to be considered. Another critical point is the exposure of sensitive data, which likewise plays a central role when developing enterprise applications.
Looking at the rest of the list, it becomes clear that security audits need to be planned, structured and standardized wherever possible in order to minimize the effort per application developed. To solve that problem for Simplifier customers, we have a new enabling offering that helps get your apps security audited.
Existing customers with Simplifier enabling packages can now book our new security audit for Simplifier applications. Our experts will check all existing low-code applications against security-relevant criteria in accordance with the OWASP Top 10, adapted especially to applications built with Simplifier. The audit is carried out as a white-box test and includes a report as well as a certificate.
That means that we will also check the low-code configuration, roles and rights management and of course the top 10 security issues.
The security audit is based on a low-code specific security checklist.
Amongst other things, we will audit:
Whether security-relevant data is stored locally in the browser
Whether data can be manipulated
Whether data is encrypted or not
Whether Simplifier authentications are sufficiently restrictive