1. The OutSystems enterprise security posture

As an organization, we make sure the entirety of our security posture is transferred to the platform used by our customers to build their web and mobile applications. Our low-code platform not only provides built-in protection against the top security threats identified by OWASP but also offers additional measures to enhance the security of your applications. These complementary mechanisms include:

  • Platform upgrades that make the security features and fixes available to all applications.
  • Pre-built components that simplify security-related tasks such as encrypting data at rest or integrating with Identity Management systems.
  • Role-based access to ensure the right team members have access to change and deploy applications.
  • An AI-based security tool (AI Security Mentor) that reviews code to identify vulnerabilities introduced during the development process.

Table of contents

Organizational-level security

At the organizational level, OutSystems prioritizes security, which is demonstrated by a comprehensive and holistic approach that establishes a secure foundation throughout the company.

OutSystems support services are ISO 27001 certified and our information security office is responsible for all internal cybersecurity and incident response activities, ensuring that:

  • OutSystems staff, policies, processes,practices, and technology proactively protect, shield, and defend the company from cyber threats, and prevent the occurrence of cyber security incidents.
  • OutSystems staff, policies, processes, practices, and technologies monitor ongoing operations and actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible;
  • Incident response is coordinated to minimize impact, and OutSystems staff, policies, processes, practices, and technologies are rapidly deployed to return assets to normal operations as soon as possible.
  • OutSystems staff, policies, processes, practices, and technologies provide ongoing oversight, management, performance measurement, and course correction for all cybersecurity activities.
  • Adequate response to security threats is continuous by managing compliance and risk management..

In addition, OutSystems maintains a robust set of operating procedures including:

  • Hiring procedures: Upon hire and prior to employment, OutSystems checks references and social networks for information about the candidates during every employee’s recruitment phase.
  • Background checks: Before the extension of the job offer, OutSystems completes background checks that include investigating finances and searching for criminal histories. These are repeated annually, are commensurate with the employee’s role and level of access.
  • Onboarding and training programs: OutSystems maintains country-specific forms, documents, and acknowledgements used in the new hire process that explain the security responsibilities assigned to individuals. These programs pursue the full adaptation of a new employee to the work environment. Among other security training programs, the OutSystems support team receives specific security awareness training.
  • OutSystems maintains formal job descriptions to ensure that employees are aware of their roles and responsibilities.
  • Termination and change procedures: OutSystems follows formal termination procedures to ensure that employees who leave the company no longer have access to our systems.

We pride ourselves on being the only vendor in the low-code space to have made a dedicated Trust Center available, where current and prospective customers can consult all of our platform’s security certifications. Because we know compliance is top of mind for leading businesses, we provide not only free access to an extensive list of security certifications but also to underlying technical documentation.

OutSystems software development best practices

To deliver the most secure software development platform, OutSystems has long embraced rigorous development practices. Here are some examples.

In our internal software development processes, we have implemented a robust Secure Software Development Framework (SSDF). This framework comprises a set of fundamental and secure software development practices, drawing on established guidelines from renowned organizations including BSA, OWASP, and SAFECode.

At OutSystems, we adhere rigorously to the SSDF practices. They serve as a reliable foundation for significantly reducing the potential impact of or even eliminating undetected or unaddressed vulnerabilities in the software we release.

OutSystems performs vulnerability scanning across multiple layers of its ecosystem. This includes API, system and patches, images, product software, compiled DLLs, third-party party integrations and more. OutSystems executes these scans throughout the software development lifecycle (SDLC). Combined with other mechanisms such as SSO implementation or data encryption, to name a few, it provides a security-minded platform to customers.

Platform security overview

In today's cloud-native landscape, securing applications has become increasingly complex. With applications exposed to a multitude of external endpoints, safeguarding sensitive information in the cloud presents many challenges.

OutSystems is more than just a powerful low-code application development platform. It is designed to empower enterprises with state-of-the-art, end-to-end security, and compliance capabilities. Using the platform's security features, organizations can confidently build robust and secure applications that meet the highest industry standards.

OutSystems takes a forward-thinking approach to technology adoption, ensuring that customers always have access to the latest features. We ensure that our platform keeps pace with evolving technologies, providing immediate access to new features while also ensuring the development lifecycle remains secure.

By incorporating application and data encryption, identity and access management, and other security features directly into the platform, OutSystems prioritizes the security of your applications. These robust security measures ensure the confidentiality, integrity, and availability of your data, safeguarding it from unauthorized access and ensuring compliance with industry regulations.

While many low-code platforms offer basic security features suitable for internal, tactical applications, OutSystems goes further. High-performance low-code is the driving force behind OutSystems. This means it is a low-code platform that provides comprehensive, enterprise-grade security capabilities necessary for building mission-critical applications. Additionally, OutSystems empowers organizations with enterprise-grade governance and compliance features, ensuring that the same policies and practices used in traditional development are seamlessly applied to the low-code development process.

With OutSystems, organizations can confidently embrace cloud-native application development, knowing that their applications are built on a foundation of security, compliance, and innovation. Here are some of the reasons why applications built with OutSystems meet the most stringent enterprise security requirements:

  • Architected to be secure by design - with hundreds of different security checks from design-time to run-time.
  • AI-based code analysis to identify code vulnerabilities introduced during the development process.
  • Additional specialized security add-ons specifically for mobile apps

In addition, because OutSystems is the only low-code platform that generates real code, you can use standard enterprise security scanning tools for static code analysis.

Platform compliance overview

The OutSystems platform has extensive security built-in to protect the entire app lifecycle. With the addition of the OutSystems Sentry, it sets a higher standard for low-code, thanks to security features specifically designed for the enterprise and those organizations working with sensitive, core, and customer data. This puts the burden of security administration and monitoring on OutSystems and allows your team to concentrate on other key activities.

OutSystems Sentry is an essential add-on that provides additional security, risk management, and monitoring to meet requirements of businesses that:

  • Deal with sensitive data, personally identifiable information (PII), or electronically protected health information (ePHI).
  • Have a cloud-first mandate.
  • Own apps that are available outside of their network.
  • Are replacing core systems.
  • Operate in highly regulated industries.
  • Lack the security resources, skills, and availability necessary for taking on a rapidly increasing number of apps.

OutSystems Sentry provides broad coverage of security regulations and is certified in the following categories:

  • SOC 2 Type II
  • ISO 27001
  • ISO 22301