360 View

Low-code application security on the Meltemee platform

The security of low-code applications is a key issue, especially in financial institutions. On the Meltemee platform, application security is ensured at the level specified in the OWASP ASVS Level 2 standard.

OWASP ASVS L2

The OWASP ASVS L2 standard sets much higher requirements than the Top 10 commonly encountered on the market. The L2 level includes 19 chapters and 146 subsections describing the principles of designing, building and testing web solutions, technical security controls, secure architecture, secure systems lifecycle, threat modeling, and CI/CD. A low-code designer working in the Meltemee production environment does not have to worry about the security of the application being built, because security is provided by the platform at a level that allows the processing of sensitive and legally protected data. Meltemee's compliance with the OWASP ASVS standard at the L2 level enables applications to meet high security requirements and to implement complex authorization policies according to the organization's requirements.

ABAC — Attribute-Based Access Control

The Meltemee platform grants permissions according to the ABAC (Attribute-Based Access Control) model. In ABAC, the user is granted access depending on the specific attributes of both the user and the process. User attributes can include, but are not limited to, an individual's assignment in the organization, the level of authority within the organization, the level of authority within the process, location, and many other factors. Process attributes, on the other hand, can include the importance level of the process step, the level of decision, tasks, resource entitlements, task completion time, and various other relevant characteristics. The ABAC model shows its strength in complex, distributed and multi-stakeholder organizations, but also works well in smaller companies.
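The decision logic described above can be sketched as a deny-by-default check that compares user attributes with process-step attributes. This is an added example, not Meltemee code or its API; every attribute name, rule and sample value is a hypothetical chosen to mirror the attribute kinds listed in the paragraph.

```python
"""Minimal ABAC decision function (all names hypothetical, not Meltemee's API)."""

# Each rule compares user attributes (u) with process-step attributes (s).
RULES = {
    "same_org_unit": lambda u, s: u["org_unit"] == s["owner_unit"],
    "authority_covers_decision": lambda u, s: u["org_authority"] >= s["decision_level"],
    "process_role_allowed": lambda u, s: u["process_role"] in s["allowed_roles"],
    "location_allowed": lambda u, s: u["location"] in s["allowed_locations"],
    # Steps of importance 3 or more additionally require authority level 3.
    "importance_gate": lambda u, s: s["importance"] < 3 or u["org_authority"] >= 3,
}


def decide(user, step):
    """Return (allowed, failed_rules); access requires every rule to pass."""
    failed = []
    for name, rule in RULES.items():
        try:
            passed = bool(rule(user, step))
        except (KeyError, TypeError):
            passed = False  # missing or malformed attribute: fail closed
        if not passed:
            failed.append(name)
    return (not failed, failed)


# Constructed sample data, for illustration only.
STEP_APPROVE = {
    "owner_unit": "retail-credit", "decision_level": 2, "importance": 3,
    "allowed_roles": {"approver"}, "allowed_locations": {"PL", "DE"},
}
ANALYST = {"org_unit": "retail-credit", "org_authority": 2,
           "process_role": "approver", "location": "PL"}
MANAGER = dict(ANALYST, org_authority=3)
NO_LOCATION = {k: v for k, v in MANAGER.items() if k != "location"}
OTHER_UNIT = dict(MANAGER, org_unit="leasing")

if __name__ == "__main__":
    for label, user in [("analyst", ANALYST), ("manager", MANAGER),
                        ("no location", NO_LOCATION), ("other unit", OTHER_UNIT)]:
        print(label, decide(user, STEP_APPROVE))
```

Returning the names of the failed rules gives an audit log something concrete to record for each denial, and treating a missing attribute as a failed rule keeps incomplete identity data from silently widening access.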

Low-code application — 360° view

In our series about the Meltemee platform and low-code applications, we discuss selected examples of solutions. One of the applications worth mentioning is the 360° view.

Personal data changes: customers change names, places of residence, contact points, telephone numbers and email addresses. How can you handle all this changing data? The answer is the 360° view, which constitutes the only source of truth about customers in your organization. It is a source of truth presented as a unified view of the customer. This solution can be one of the CRM modules, a module of a central customer base, or a standalone application. The purpose of the 360° view is to provide application users with a single source of truth about customers. The system presents all the collected data about the customer, including the customer's personal data, current contact details, a list of products used by the customer with an indication of the source system in which the transaction was registered, the history and plan of contacts, and a list of consents to the processing of personal data in accordance with the requirements of the GDPR.

Retention of personal data and documents

Thanks to complete information about the customer, including information on consents, processing grounds and processing activities, the system can determine whether the authorisation to process certain data is still valid or whether unnecessary data must be deleted. Properly parameterized algorithms identify retention periods for individual objects associated with the client and, when a retention period expires, the application sends requests to the client's domain systems that process personal data. The process of retaining personal data in the customer's domain systems can be fully automated or carried out under the control of the administrator.

Meltemee's high level of security and ABAC mechanisms allow for a unified 360° view for multi-stakeholder organizations and holding companies.