Developed Code - Security request

Hello,

I would like to know if OutSystems guarantees these two points in terms of the developed code:

- Mitigate the OWASP top 10 (2013 version)
- Make sure the application is Level 1 - Opportunistic Application Security Verification Standard Project of OWASP. Or also the Level 2 Standard.

Thanks for the help.

Best regards,
Nuno Mendes



Hi,

Outsystems "guarantees" most of the stuff out of the box.
However, there are many items which are the sole responsibility of the developers themselves.

Still, in 2011 (4 years ago) Outsystems gave me these answers about the 2010 top 10 of OWASP:


   *   A1: Injection<https://www.owasp.org/index.php/Top_10_2010-A1>
Yes, we solve both code and SQL injection (parameters in queries must be escaped in the applications).
 
  *   A2: Cross-Site Scripting (XSS)<https://www.owasp.org/index.php/Top_10_2010-A2>
The platform makes no check. Browsers do not support this anyway.
 
  *   A3: Broken Authentication and Session Management<https://www.owasp.org/index.php/Top_10_2010-A3>
Yes. Credentials are always protected, session ID is not exposed in the URL, sessions timeout, users can logout at any time, etc. All is built-in in the platform and nothing needs to be done.
 
  *   A4: Insecure Direct Object References<https://www.owasp.org/index.php/Top_10_2010-A4>
Access control must be managed at the application level. Capabilities to do this are built-in the Agile Platform through Roles, Permissions, and Groups. You can apply any of these security elements to any element.
 
  *   A5: Cross-Site Request Forgery (CSRF)<https://www.owasp.org/index.php/Top_10_2010-A5>
Tokens to external sites must be managed at the application level.
 
  *   A6: Security Misconfiguration<https://www.owasp.org/index.php/Top_10_2010-A6>
There are notifications of software upgrades and checklists to update them to ensure no missconfiguration.
 
  *   A7: Insecure Cryptographic Storage<https://www.owasp.org/index.php/Top_10_2010-A7>
Cryptography must be managed at the application level.
 
  *   A8: Failure to Restrict URL Access<https://www.owasp.org/index.php/Top_10_2010-A8>
Access control must be managed at the application level. Capabilities to do this are built-in the Agile Platform through Roles, Permissions, and Groups. You can apply any of these security elements to any element, namely Web Screens / URLs.
 
  *   A9: Insufficient Transport Layer Protection<https://www.owasp.org/index.php/Top_10_2010-A9>
Support for SSL is built-in the Agile Platform.
 
  *   A10: Unvalidated Redirects and Forwards<https://www.owasp.org/index.php/Top_10_2010-A10>
Must be managed at the application level.
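Two of the items above (A5 CSRF tokens and A10 unvalidated redirects) are left to the application developer. The following is an added illustration of what those application-level checks look like; it is plain Python written for this thread, not OutSystems platform code, and the allowed-host set, the default landing page and the dict used as a session store are assumptions made for the example.

```python
"""
Application-level checks for two OWASP 2010 items the platform leaves to
the developer: A5 (CSRF synchronizer token) and A10 (redirect target
validation). Added example for this thread, not OutSystems code.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed for the example).
ALLOWED_HOSTS = {"app.example.com"}
# Where to send the user when the requested target is rejected (assumed).
DEFAULT_TARGET = "/home"


def safe_redirect_target(target):
    """Return `target` if it stays inside this application, else DEFAULT_TARGET.

    Rejects absolute URLs to other hosts, protocol-relative "//host/" forms,
    backslash variants that browsers normalise to "//", userinfo tricks such
    as "https://app.example.com@other/", and non-http(s) schemes.
    """
    if not target:
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" in URLs, so normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.netloc:
        # Absolute or protocol-relative URL: only known hosts are accepted.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    # No host part: accept only a path starting with a single "/".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return candidate


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it.

    The token is embedded in the form; the browser sends it back with the
    POST, and csrf_token_valid() compares it with the session copy.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed sample inputs: a login "return to" parameter as an attacker
    # might supply it, and a form submission carrying the CSRF token.
    for requested in ["/account/settings", "//other.example/", "/\\other.example",
                      "https://app.example.com/orders", "javascript:alert(1)"]:
        print(f"{requested!r:40} -> {safe_redirect_target(requested)}")
    session = {}
    token = issue_csrf_token(session)
    print("valid token accepted:", csrf_token_valid(session, token))
    print("missing token rejected:", csrf_token_valid(session, None))
```

The redirect check validates the host against an allowlist rather than trying to blocklist bad patterns, and the token comparison uses `hmac.compare_digest` so that a mismatch takes the same time regardless of where the strings differ.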
 
Hi there,

Thanks for your answer. I now have some points to convince the security concerns in the use of the OutSystems Platform from a customer.

Best Regards,
Nuno Mendes

Check my post regarding the OWASP Top 10 (2013):
http://www.outsystems.com/forums/discussion/16176/owasp-top-10-2013-for-outsystems-9/

@J. Thanks for the 2010 list. I've used this as a resource for the new 2013 list.