Enabling Bizzomate DevTools on PROD as a debug help tool

Hello everyone ;)

I would like to know your opinion on this simple topic / idea.

I would like, from a developer perspective, to enable this Bizzomate tool (Mendix Marketplace - Bizzomate Mendix Dev Tools) on the production environment of my application.

I really see the utility in fixing issues & bugs because I can see all the underlying data and, furthermore, I have multiple search options / possibilities. I can search for data by multiple types of associations, I can filter objects if they have an empty attribute, I can look at the browser state and so on.

However, because this extension communicates with the XAS endpoint and creates an easy-to-use interface on top of it, it is considered to be a security vulnerability regarding my company's security policies and I am not allowed to use it.

I wanted to bring this up as a discussion, with the argument for it that with this extension, and in general by using the XAS endpoint as a user, you can only see the data for which the access rules allow it. In my opinion, whether you use Bizzomate or not, if the access rules are misconfigured, anyone can make malicious use of the PROD environment of the app.

What do you think?

Thanks ;)
asked
1 answers
The Bizzomate tool is not a security vulnerability. It only shows you the mistakes you made in setting up the security. And it does not matter if your company allows it or not, because there are versions of this tool that work on any Mendix application.

But if you install it on a production environment, anybody can use alt-b to use the tool. And that is not the wisest decision imho. So I would install the module only in pre-deployment, do the checks and remove it before you create a deployment package.

Regards,

Ronald

answered