OWASP Top 10 (2013): https://www.owasp.org/index.php/Top_10_2013-Top_10
Parameters in SQL Elements which have Expand Inline set to 'Yes' must be escaped in the application.
From the manual: When using this technique you should take special measures to prevent malicious SQL statements to run on your database (SQL injection). To avoid such scenarios you should use the 'EncodeSql' built-in function on the arguments that will be expanded inline on the query.
Credentials are always protected, session ID is not exposed in the URL, sessions timeout, users can logout at any time, etc. All is built-in in the platform and nothing needs to be done.
Access control must be managed at the application level. Capabilities to do this are built-in the Outsystems Platform through Roles. You can apply roles to web screen.
There are notifications of Outsystems software upgrades and checklists to update them to ensure no misconfiguration on application level.
The webserver configuration needs to be checked separately for any misconfiguration on server level.
Support for SSL is built-in the Outsystems Platform and should be turned on for every environment.
Cryptography must be managed at the application level for all sensitive data.
The headers mentioned in this url, can be used to protect sensitive data provided by/sent to the browser in place.
Access control must be managed at the application level. Capabilities to do this are built-in the Outsystems Platform through Roles. You can apply Role to Web Screens.
Disable the Registered access on all Web Screens and explicitly grant access for specific roles
This is managed by the OS Platform by enabling the ViewState by default.
This is partly managed by the OS Platform. When a different version of jQuery is used in a component than the default of the platform, the platform will show a warning related to the out-of-date version in the component. For other 3rd party components the developer should create a list with the version used and regularly check the 3rd party for updates / security vulnerabilities.
When adding the components to the platform, try adding with a wrapper that only exposes the necessary functionality and not all functionality by default.
When redirects are needed, they must be managed at the application level by the developer.
Prevent using user parameters in the url redirect and if necessary try to use mapped values (using static lookups) to validate the user input. The authorization is handled by the platform.