OutSystems Security Overview
Table of contents
OutSystems dramatically accelerates the development of secure applications, and their deployment in a secure runtime environment. OutSystems’ built-in application lifecycle management capabilities promote a clear assignment of responsibilities in the DevOps processes, laying the foundation for a secure Software Development Lifecycle (SDLC).
Applications built with OutSystems benefit from an extra level of security in the application code itself. As visual application models are translated into standard .NET code, OutSystems uses secure code patterns that protect applications from common web and mobile application vulnerabilities.
OutSystems allows developers to override the default secure code patterns for advanced customization scenarios. In this case, OutSystems security checks proactively warn developers of potential security issues as they publish their applications.
Unlike other low-code vendors, OutSystems generates standard code from the visual application models, enabling standard security assessment tools, such as static code analysis, to vet the runtime code.
To systematically ensure high-security standards for generated applications, OutSystems leverages security assessment tools as part of the automated quality assurance process for every product release. Integration with HP Fortify Static Code Analyzer has been set up for automatic code vulnerability scans during regression testing. These tests support an aggressive criteria for release acceptance, which requires fixes to all critical, high, and medium reported code vulnerabilities. This ensures that the generated code is inherently secure.
When new code vulnerabilities are found in generated code, fixes are included in subsequent releases of OutSystems. After upgrading their current OutSystems release, customer applications automatically incorporate the new security fixes, reducing the cost of maintaining OutSystems applications.
Additionally, OutSystems complies with and accelerates the implementation of common security requirements:
Application security checks
OutSystems visual editor warns the developer at design-time about potentially unsafe application patterns. Detected risks include code injection attacks, cross-site scripting, unvalidated redirects, and violation of data isolation when querying different databases.
OutSystems features built-in identity management and authentication allowing you to immediately integrate with your Active Directory or LDAP systems. With a simple configuration, all end-user authentication can be centralized with your identity management systems.
OutSystems end-user authentication mechanisms are also fully extensible, enabling integration with third-party identity management system, such as SAML or OAuth or customization of the password and account policies in the built-in end-user authentication mechanism.
Before implementing your connectors, check the Forge. Here are some connectors to identity providers built by the community:
- Okta iDP connector: use Okta as identity provider;
- iDP Connector: a generic implementation of a SAML 2.0 authentication flow.
Role-based access control restricts access to your application’s pages depending on specific application level roles. Developers define application-level permissions for roles using visual building blocks. As an example, a role might restrict access to every application page that involves changing a specific database table.
OutSystems makes it easy for developers to create application logic visually based on a user’s role. Where users are not authorized to access a specific resource, developers can set an error message or redirect the user to a different part of the application.
The example below shows how OutSystems enables teams to visually set user profile access rights and enable authentication, encryption, or both:
Once users are registered to use an application, role-based access control ensures that only authorized users are allowed to perform specific business functions.
Users can be provisioned and granted access to one or more roles. Users can be managed with OutSystems directly, or through applications using APIs that are available to developers. The definition of a user role is completely dynamic and independent of the application development phase.
The OutSystems single sign-on capability allows developers to easily unify logins across applications. A user is then able to move seamlessly between applications without requiring an additional login.
This example shows how end-user login can be unified across any number of eSpaces:
OutSystems enforces HTTPS/SSL encryption for native mobile applications, and recommends it for web and responsive applications. A system-wide setting allows to you either enforce HTTPS/SSL encryption for all web applications, or adjust it on each page or web service.
OutSystems Cloud allows full database encryption at rest. On customer-managed infrastructures, system administrators can use the database vendor’s technology to activate encryption of data at rest and while in transit to the database. Alternatively, developers may build encryption in sensitive fields and tables, typically leveraging Forge components, such as the Crypto API .
Auditing for integrations
OutSystems logs all access to external systems performed through web services or custom integration logic. OutSystems also logs all web service requests to applications running inside the OutSystems platform. The logs keep a record of who made the request, the request’s target, the method called, how long the request took, and the exact time of the request. This enables any security issues to be tracked down efficiently.
This example shows detailed logs of calls to external systems:
End-user access auditing
OutSystems also tracks the details of every access to application screens. These logs include the component and screen accessed, which user accessed it when the access occurred, and exactly which node served the screen.
Secure application deployment
The OutSystems deployment engine configures Microsoft’s Internet Information Services (IIS) security settings according to the most demanding application design and security best practices.
Secure software development lifecycle
The security model that supports application lifecycle and promotion is tailored to support patterns of both simple and complex software factories. Administrators can set restrictions on who is allowed to stage specific applications to the appropriate environment.
OutSystems includes access control management for all application resources, providing flexible permissions to define the access rights for any given resource. This helps organizations manage large teams with different profiles, as well as clearly separate the access to the platform's integration, assembly, and deployment and change services in multiple development, QA, and production environments. Moreover, it provides organizations with full access to the system audits required for IT-level SOX/ITIL controls.
Role-based access control
IT team responsibilities are defined based on roles and users can specify what each role can do in each environment. For example, the developer role might not be allowed to push applications to production, while the operations role can.
A role can have custom permissions for each application. Alternatively, teams can be defined as being responsible for multiple applications, and assigned role permissions valid for all the applications managed by the team. This flexible model means organizations can map to the way they manage the security of their software factory, simplifying the management of several applications and their teams of users.
The system log tracks every activity performed by developers, application managers, and system administrators, for future audit. Events tracked include:
- Store a new version of an application or component
- Delete an application or component
- Deploy a new version
- Modify user configurations
- Login to the system
Furthermore, the system audits and version control subsystems of the OutSystems platform allow auditors to identify when a modification to an application was applied, and by which user. The version control system even allows the inspection of the exact content of that change, using the OutSystems Service Studio visual difference and merge tool.
These resources in the reference documentation provide more information about security: