Our solution technology is implemented as a software platform consisting of a group of enabling capabilities. Each enabling capability serves to fulfill a defined core requirement of enterprise-scale web applications for the customers we serve. We use this software platform to develop, deliver, and support all of our software applications.
Application Security is separated into three main concepts: Identity, Authentication, and Access Control (or Authorization). Together, they allow for secure system access that can be configured to control the various roles required by the business. Application Identity is tightly coupled to the authentication method to prevent spoofing attempts, and our access control options allow for authorized menus, tasks, forms, reports, folders, and data filters.
Our systems log application access activity, rules and metadata changes, and all meaningful business activity that updates portfolio data. If data changes in any of our systems, we have a log to record all of the relevant facts of the change (primarily: who, what, and when).
Our software does not allow access to any web page unless the end user is authenticated and authorized. Any attempt to access a page without proper authentication or authorization directs the user back to the login page. Our web applications operate under a session context with a strictly controlled timeout for user interaction.
Our platform leverages various encryption techniques to protect passwords, URLs, communication, and configuration settings. Passwords are always protected in transit and in storage; they are never transmitted or stored as plain text.
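The three concepts above (identity, authentication, access control), the change log and the deny-by-default session gate can be seen working together in the following added example. It is not the vendor's code: it is a small Python model of the behaviour the text describes, with constructed users, hypothetical permission names, an assumed 15-minute idle timeout, and salted PBKDF2 hashing standing in for whatever the platform actually uses to keep passwords out of plain-text storage.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# All names, values and the 15-minute timeout below are assumptions for this illustration.
SESSION_TIMEOUT_SECONDS = 900
LOGIN_PAGE = "/login"

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}

# Constructed user store: an analyst who may only run reports, an admin who may also edit rules.
USERS: Dict[str, dict] = {
    "analyst": make_user("correct horse battery staple", {"report.run"}),
    "admin": make_user("s3cret-admin-pw", {"report.run", "rules.edit"}),
}

AUDIT_LOG: List[dict] = []  # who / what / when (plus any extra facts) for every meaningful event

def audit(who: str, what: str, when: float, **facts) -> None:
    AUDIT_LOG.append({"who": who, "what": what, "when": when, **facts})

@dataclass
class Session:
    user: str
    last_seen: float

SESSIONS: Dict[str, Session] = {}

def authenticate(username: str, password: str, now: float) -> Optional[str]:
    """Verify the password against the stored salted hash; return a new session id or None."""
    rec = USERS.get(username)
    if rec is None:
        audit(username, "login.failed", now, reason="unknown user")
        return None
    candidate = hash_password(password, rec["salt"])
    # Constant-time comparison so response timing leaks nothing about the stored digest.
    if not hmac.compare_digest(candidate, rec["hash"]):
        audit(username, "login.failed", now, reason="bad password")
        return None
    sid = os.urandom(16).hex()
    SESSIONS[sid] = Session(user=username, last_seen=now)
    audit(username, "login.ok", now, session=sid)
    return sid

def request_page(sid: Optional[str], required_permission: str, page: str, now: float) -> str:
    """Deny-by-default gate: return the page only for a live, authorized session,
    otherwise send the caller back to the login page."""
    sess = SESSIONS.get(sid) if sid else None
    if sess is None:
        return LOGIN_PAGE                       # unauthenticated
    if now - sess.last_seen > SESSION_TIMEOUT_SECONDS:
        del SESSIONS[sid]                       # idle too long: session is discarded
        audit(sess.user, "session.expired", now, page=page)
        return LOGIN_PAGE
    sess.last_seen = now
    if required_permission not in USERS[sess.user]["roles"]:
        audit(sess.user, "access.denied", now, page=page, needed=required_permission)
        return LOGIN_PAGE                       # authenticated but not authorized
    audit(sess.user, "access.ok", now, page=page)
    return page

if __name__ == "__main__":
    sid = authenticate("analyst", "correct horse battery staple", now=time.time())
    print(request_page(sid, "report.run", "/reports/run", now=time.time()))   # /reports/run
    print(request_page(sid, "rules.edit", "/admin/rules", now=time.time()))   # /login
```

The `now` argument is passed in rather than read inside the functions so that the idle-timeout path can be exercised deterministically; every outcome that changes or denies access leaves a record in `AUDIT_LOG`, which is the who/what/when log the text refers to.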
We have implemented numerous techniques to prevent SQL Injection and Cross-Site Scripting (XSS) attacks. SQL Injection attacks are avoided by using formally typed parameters (to avoid buffer overruns) and quote-escaping techniques (to avoid TSQL statement truncation). We never dynamically execute any TSQL statements directly from the application tier. We promote the use of HTTP POST to submit user-entered sensitive data. Wherever the HTTP GET method is used, the URL is always encrypted, then decrypted and verified at the server.
Our web applications do not use client-side cookies and do not require any client-side plug-ins or OCX controls.
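To make the SQL Injection point concrete, here is an added example (not the vendor's code) that puts the dynamic-SQL pattern the text rules out next to the two mitigations it names: bound, type-checked parameters and quote escaping. It uses Python's built-in sqlite3 module with a constructed `portfolio` table as a stand-in for the platform's .NET/TSQL stack; the table, column and account names are assumptions.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory table standing in for a portfolio table on the data tier.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portfolio (id INTEGER PRIMARY KEY, account TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO portfolio (account, balance) VALUES (?, ?)",
        [("ACC-1001", 250.0), ("ACC-1002", 13000.5), ("ACC-1003", 99.0)],
    )
    return conn

def lookup_dynamic(conn: sqlite3.Connection, account: str) -> List[Tuple]:
    # The pattern the text forbids: user input is spliced into the statement text,
    # so the input can change the statement's structure, not just its values.
    sql = f"SELECT account, balance FROM portfolio WHERE account = '{account}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, account: str) -> List[Tuple]:
    # Bound parameter: the driver passes the value separately from the statement,
    # so whatever the caller supplies is matched as a literal string and nothing else.
    return conn.execute(
        "SELECT account, balance FROM portfolio WHERE account = ?", (account,)
    ).fetchall()

def lookup_by_id(conn: sqlite3.Connection, account_id: int) -> List[Tuple]:
    # Application-tier counterpart of a formally typed parameter: reject anything that is
    # not the expected type before it ever reaches the database.
    if not isinstance(account_id, int) or isinstance(account_id, bool):
        raise TypeError("account_id must be an int")
    return conn.execute(
        "SELECT account, balance FROM portfolio WHERE id = ?", (account_id,)
    ).fetchall()

def lookup_escaped(conn: sqlite3.Connection, account: str) -> List[Tuple]:
    # Quote escaping (doubling single quotes) keeps a quote in the input from closing the
    # literal. It is shown for comparison only; binding parameters is the stronger default.
    safe = account.replace("'", "''")
    sql = f"SELECT account, balance FROM portfolio WHERE account = '{safe}'"
    return conn.execute(sql).fetchall()

# Classic tautology input used to show the difference between the variants.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic:      ", lookup_dynamic(db, TAUTOLOGY))        # every row leaks
    print("parameterized:", lookup_parameterized(db, TAUTOLOGY))  # []
    print("escaped:      ", lookup_escaped(db, TAUTOLOGY))        # []
```

Run it and the dynamic variant returns all three rows for the tautology input while both mitigations return none; the typed lookup additionally refuses non-integer input before any SQL is built.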
We digitally sign our assemblies with a Strong Name Key to ensure that if any assemblies are tampered with, the .NET framework will then refuse to run them.
Our applications have gone through numerous independent security reviews, code reviews, and penetration tests. We take an aggressive stance on all security findings and strive to meet the standards of our most demanding customers. This approach forces us to proactively address changing security standards, but doing so positions our platform to avoid the adverse findings in security assessments, which can easily disqualify otherwise acceptable solutions.
Configurable and Extensible
Software applications developed on our platform rely extensively on a metadata approach to control user interface and business rule elements, enabling each implementation of an application to meet highly specific business user needs and preferences. All forms, tasks, edit checks, searches, menus, and workbenches use our Data Driven Interface (DDI) model, substantially reducing the need for any code to be written for elements that are subject to frequent change driven by business requirements. Our primary goal for this attribute of our platform design is to reduce, and where possible eliminate, any artificial dependencies that our customers have on us to use the system on a day-to-day basis.
Our n-tiered architecture allows for the separation of Presentation, Application, and Data tiers. Each tier can then be scaled up and/or out to meet needs. The Presentation and Application tiers can be configured using load-balancing techniques to provide both reliability and capacity. As a result, our solutions have been implemented and used in environments with hundreds of concurrent users and multi-million-row portfolio tables.
Our platform is designed to produce applications that operate on the web and to provide end users with the flexibility to work wherever they can access your published website. This type of connectivity is great for remote workers, working from home, and simplifying disaster recovery planning. The only client-side requirements are a computer, browser, and data access. Besides your internal end-users, the web client approach allows you to expose the application to your customers and to promote highly productive customer self-help processes where applicable to the business. Processes (and related labor costs) that make a lot of sense to shift to this model include:
- Run Report
- File Upload
- Task Initiation
- Service Request
Data integration and interoperability with other enterprise systems are managed through automated workflows that are set up and configured from the Admin Toolkit. Workflows are scheduled (or triggered) automated processes executed and managed by our Automation Package. These workflows can be configured to handle operations such as jobs, tasks, reports, importing records, moving files, and sending email notifications based on event outcomes. Web Service interoperability is available for both upstream and downstream enterprise applications.