Building secure applications with OutSystems
Most people in IT agree that application security is very important. Achieving it is easier said than done, which is one reason data breaches have increased in recent years. It is easy for developers to overlook something or to build an application that is secure by yesterday's standards but not by today's. It is also easy for developers and infrastructure managers to forget that there is no checkbox or one-click button that makes a system secure.
The OutSystems commitment to security
OutSystems is committed to continuously improving the security of the applications generated by our platform. Therefore, the OutSystems platform features mechanisms that empower developers to build secure applications with minimal effort.
OWASP Top 10 vulnerabilities
The Open Web Application Security Project (OWASP) is a free and open software security community. The OWASP Top 10 describes the major categories of vulnerability found in web applications. Here is how OutSystems helps developers build applications that avoid them.
We don’t stop there, either. The OutSystems development environment also issues design-time warnings about application patterns that can lead to code injection attacks. This ensures that developers are aware of them before the application is deployed.
Broken authentication (A2)
By default, OutSystems ensures that:
- Session identifiers are not sent in URLs.
- Sessions time out at their expiration time.
- All password handling uses strong cryptographic algorithms.
Likewise, OutSystems ensures that the session identifier is transparently replaced on each login and validates the identifier on every request, thus preventing session fixation attacks.
Sensitive data exposure and security misconfiguration (A3, A6)
These two issues usually occur when the application is poorly designed or implemented. OutSystems, therefore, provides system administrators with clear and concise instructions on how to make the platform installation secure.
OutSystems includes complete error and exception handling in the generated code and never exposes sensitive information to users and browsers. Careful exception handling also applies to encryption, authentication, authorization, auditing, and logging.
At the same time, developers have what they need to ensure that any content is transmitted over a secure connection. Similarly, the OutSystems platform enables integration with existing cryptographic APIs to secure data stored in a database.
XML External Entities and insecure deserialization (A4, A8)
When building an application, you should always be careful when processing any kind of data input from external untrusted sources. These can be other services you don't control, or even the user's browser and user inputs. In either case, the OutSystems platform supports the latest versions of its deserialization and XML processing libraries, as well as SOAP 1.2.
Broken access control (A5)
While this issue is typically a problem in the design and implementation of the applications themselves, OutSystems lets developers easily define which users are allowed to access which application resources, for example by:
- Defining which user roles are required to access a given screen or which users have access to a given application
- Disabling or hiding UI elements based on user permissions
- Validating user permissions when actions are executed
- Executing specific logic and accessing subsets of data, depending on user permissions
All OutSystems management consoles and APIs enforce strong validation of user permissions, thereby ensuring that only users with the appropriate level of privileges can perform each operation.
Cross-site scripting (A7)
Cross-site scripting (XSS) problems are handled similarly to injection problems: OutSystems provides functions that encode and sanitize inputs. Unlike traditional development, our model-driven approach allows real-time analysis, with warnings in the OutSystems visual editor at design time, so that developers can fix a security issue before deploying the application.
Additionally, architects, operators or administrators can use OutSystems mechanisms to define content security policies, that is, the domains from which application pages may retrieve resources (images, CSS, scripts, media). This setting can be configured per environment, applying to all applications in it, or defined for specific applications. Limiting the sources from which applications can load resources effectively mitigates XSS attacks that rely on loading a script from an attacker-controlled site.
A content security policy can also prevent application pages from being embedded in frames, and thus prevent clickjacking attacks.
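The two protections described above (restricting the origins that may supply scripts, and forbidding framing) are both expressed in the Content-Security-Policy header. The following check is an added example, not OutSystems code: it parses a header and reports the weaknesses that would undermine either protection. Both sample policies and the domain cdn.example.com are constructed for illustration.

```python
"""Check a Content-Security-Policy header for script-origin and framing
weaknesses. Added example; the policies below are constructed, not taken
from any real OutSystems environment."""
from typing import Dict, List

# Constructed sample policies: one permissive, one restricted to known origins.
WEAK_CSP = "default-src * 'unsafe-inline'; script-src * 'unsafe-inline'"
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "img-src 'self' data:; style-src 'self'; media-src 'self'; "
    "frame-ancestors 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def find_csp_weaknesses(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    # Effective script sources: script-src, falling back to default-src.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        if "*" in scripts:
            findings.append("script-src allows '*': any origin can supply scripts")
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
        for src in scripts:
            if src.startswith("http:"):
                findings.append(f"script-src allows plaintext origin {src}")
    # Framing: frame-ancestors does NOT fall back to default-src, so it must be explicit.
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors: pages can be framed (clickjacking)")
    elif "*" in ancestors:
        findings.append("frame-ancestors allows '*': pages can be framed by any site")
    return findings


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, find_csp_weaknesses(csp) or ["no weaknesses found"])
```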
Using components with known vulnerabilities (A9)
OutSystems performs regular scans and updates to all components of the stack (operating system, application server, database management system, runtime environments, libraries, frameworks and sample OutSystems applications), so customers can benefit from the security support from the stack vendor. An established patch management process, including customer communication, ensures vulnerabilities are addressed and communicated.
Insufficient Logging and Monitoring (A10)
OutSystems tracks the details of every access to application screens. These logs include the component and screen accessed, which user accessed it, when the access occurred, and exactly which node served the screen.
OutSystems also logs all access to external systems through web services or custom integration logic, as well as all web service requests to applications running inside the platform. The logs keep a record of who made the request, the request’s target, the method called, how long the request took, and the exact time of the request. This enables any security issues to be tracked down efficiently.
Customers who choose to manage their own OutSystems installation benefit from the standard OutSystems runtime architecture, which lets them apply their existing know-how and tools to the logging and monitoring of all system components.
OutSystems cloud customers benefit from the logging and monitoring capabilities bundled in the service with a choice between the secure baseline of the standard configuration and the more advanced OutSystems Sentry offer: https://www.outsystems.com/sentry/