3. Application security

OutSystems has implemented a range of measures to ensure that applications developed with the platform are protected against the security vulnerabilities detailed by OWASP.

With OutSystems, customers can leverage the power of low-code development to accelerate the creation of secure applications. Robust app security is achieved with significantly reduced effort compared to traditional coding methodologies. For example, each platform update incorporates the latest security features that become available as applications are transformed from low-code to the standard languages used at runtime without having to change the applications. Additionally, prebuilt components simplify security-related tasks, such as encrypting sensitive data or integrating with identity management systems, so customers don't have to do this themselves.

Role-based access ensures that only the right team members can change and deploy applications. Through our AI Mentor System, we offer an integrated AI-powered static analysis tool for the low-code language, which thoroughly analyzes the model for adherence to best practices in various categories, such as security. Applications built with OutSystems benefit from an extra level of security in the application code itself. For instance, OutSystems generates standard code in a way that protects against common vulnerabilities such as SQL injection and JavaScript injection.

OutSystems provides further protection by warning developers at design time about potentially unsafe application patterns. This includes detecting risks such as code injection attacks, cross-site scripting, unvalidated redirects, and violation of data isolation when querying different databases.

Table of contents

Vulnerability management

When using OutSystems to build and run your applications, you can rely not only on state-of-the-art security but also advanced vulnerability management mechanisms such as:

  • Proactive updating of operating systems and application servers with updates and patches, including notifying customers about security-related issues.
  • Frequent security assessments, such as penetration testing, a bug bounty program, in-house testing, and secure code reviews - all to help us identify and address potential vulnerabilities in the software.
  • Automated security testing tools that augment the manual efforts and enhance efficiency.

Software updates and patching

OutSystems frequently installs updates of the operating system and application server and reassesses, in the context of the OutSystems Cloud, the risk of vulnerabilities reported by third-parties. AWS automatically schedule security and durability related patches for the database, and we duly propagate such notifications to customers. We also proactively update our software, when required, to defend the security and/or availability of the OutSystems Cloud.

Secure software development lifecycle

OutSystems is designed to cater to the needs of high-performance apps that access sensitive data, operate in strict regulatory environments, implement core business processes, or play a critical role in the end-customer’s journey. The following capabilities underscore our commitment to a secure software development lifecycle (SDLC).

OutSystems automatically embeds security patterns as code is generated, eliminating the need for developers to explicitly protect applications against common vulnerabilities. Most vulnerabilities, including code injection, Cross-Site Request Forgery (CSRF), session fixation, and authentication and authorization of automatically generated back-end APIs, are automatically handled by the platform. These built-in security protections continuously evolve to adapt to emerging threats and undergo rigorous validation as part of the OutSystems SDLC.

Learn more about security best practices

OutSystems Cloud optionally includes an embedded Security Operations Center equipped with best-in-class tools, monitoring, and governance. This reduces the risk of security breaches and ensures immediate detection and full investigation capabilities for every security attempt.

OutSystems TrueChange embedded in the IDE, proactively warns developers about suspicious patterns, particularly when using the platform's extensibility capabilities to insert 4GL code snippets (e.g., SQL) into visual models. This alert mechanism prevents inadvertent security vulnerabilities during application development.

The OutSystems AI Mentor System analyzes every application developed with the platform, identifying problematic architecture and security patterns. App development managers can track the evolution of their app portfolio's security, enabling a proactive approach to address security concerns.

OutSystems operates on a standard architecture and generates intermediate 3GL code (for example, JavaScript, .NET). This generated code can be pushed to third-party Static Application Security Testing (SAST) tools, allowing organizations to conduct additional security analysis and validations.

The OutSystems platform allows customers to automatically flag unused applications or those without owners. This means they can take appropriate action for handling these apps, such as archiving or retiring them, to reduce potential security risks.

Learn more about managing the application lifecycle of your portfolio

Every platform operation, including changes to permissions and application promotions, is audited, providing a complete trail for accountability and transparency.

OutSystems allows administrators to specify default permission settings during platform setup and adapt them according to their desired level of control, ensuring access is granted appropriately. Administrators can set restrictions on application staging for specific environments. IT team responsibilities are defined by roles, allowing users to specify the actions each role can perform in each environment. For instance, developers may not have the privilege to push applications to production, while the operations teams can. Roles can have custom permissions per application, or teams can be responsible for multiple applications with role permissions valid across all managed applications. This flexible model simplifies security management for multiple applications and user teams, aligning with how organizations manage their software factory.

Secure DevOps and continuous integration/deployment (CI/CD)

OutSystems adopts a secure DevOps approach, seamlessly integrating development, security, and operations teams to prioritize security throughout the CI/CD pipeline. The platform empowers organizations to build, deploy, and maintain secure applications efficiently and effectively.

OutSystems provides fine-grained security governance for DevOps users, offering access levels for specific apps, services, or APIs, and defining privileges across environments. This allows for controlled and secure collaboration between teams during the deployment process. OutSystems offers APIs to enable organizations to automate and maintain proper governance externally. For instance, they can grant deployment privileges to specific developers based on a change management ticket, or manage application creation integrating with a business approval workflow.

OutSystems supports different deployment lines based on app criticality, allowing organizations to configure varying permissions for each stage from development to deployment based on teams and roles.

OutSystems includes the AI-powered TrueChange and impact analysis mechanism, which ensures error-free and consistent app builds and deployments. As a result, it minimizes the risk of security vulnerabilities due to misconfigurations or errors during deployment.

Via APIs, organizations can automate the full deployment pipeline using their CI/CD tool (for example, Jenkins or Azure Devops) without losing capabilities, such as impact analysis, while setting different security and quality thresholds on each stage.

Every deployment activity, including changes in permissions, is audited, providing a detailed record of who performed the action, when it occurred, and which application was promoted.

AI Mentor Studio API integration ensures teams can keep their governance guardrails in place even when the delivery process is managed by external tools. Organizations can also add, as part of their external CI/CD orchestration, extra secure validations using any third-party static application security testing (SAST) tools.

OutSystems allows an organization to run penetration tests and vulnerability scans, complying with regulations, while continuously improving the application's security posture.

The integration of Secure DevOps and CI/CD practices, combined with robust security features and comprehensive auditing capabilities, ensures that organizations can confidently use OutSystems to deliver secure applications to meet all demands while maintaining high development productivity.