2 research outputs found

    Application Security Verification Standard Compliance Analysis of a Low Code Development Platform

    Low-code development platforms (LCDPs) are software development platforms that use artificial intelligence to help automate simple and routine tasks and make the software development process faster. By 2024, 60% of application development is expected to be done using these platforms. Even though these platforms are gaining popularity, they have not been popular research topics, and their security features have not been assessed. One way to conduct such an assessment is by using the Application Security Verification Standard (ASVS). ASVS is a community-driven security standard for web applications and services. ASVS consists of three requirement levels, and the security controls become stricter at each higher level. ASVS is designed to give organizations a tool to develop and maintain more secure applications. One example of an LCDP is OutSystems, which is said to be “designed for the developers, by the developers”. OutSystems belongs to the Leader category in the 2021 release of the Gartner® Magic Quadrant™ for Enterprise Low-Code Application Platforms. In this thesis, we will conduct a first-of-its-kind compliance analysis between OutSystems and ASVS levels 1 and 2 to find out if and how compliant OutSystems is with the standard. This kind of compliance analysis has not been done before. Based on our analysis, we will compile the lessons learned and write a guideline on how to evaluate LCDPs’ security features in the future. The results themselves show that OutSystems, for the most part, is compliant with ASVS. The biggest deficiencies in OutSystems are with authentication and input validation. We show that the deficiencies with authentication are trivial to fix, but meeting the requirements for input validation requires some work. From the assessment, we learned that assessing LCDPs is not completely similar to a traditional security assessment. We learned that some functionalities are pre-made, and the developer cannot customise them. We found that it is easier to first evaluate whether the platform meets the requirement and, if it does not, then to see whether the developer can do something about it.

    The expert physiotherapist in the care pathway for patients with neck pain, headache and dizziness

    Direct-access physiotherapist appointments have become established in the South Karelia Social and Health Care District. New operating models have now been developed, aimed at timely and high-quality care pathways that also take specialised medical care into account.