Security layer in 4 Layer Canvas
Question

Generally the 4 Layer Canvas consists of the Foundation layer, Core layer, End User layer and Orchestration layer (until OS10). But there is no information related to a security layer.

I just want to understand from the experts how we can depict the security layer in the 4 Layer Canvas.

Thanks in advance.

Hello Pankaj

Greetings for the day!

I am not an expert in this matter but would like to share my opinion :) 

What I believe is that the OutSystems 4 Layer Canvas is an architecture with layers of services used to design, develop, and deploy applications. There is no dedicated security layer because security is a built-in ingredient of all four layers. That makes it more secure at every instance.


If we take any application as an example, the 4 layers will have the following OutSystems services:

Foundation layer: Services, External DB

Core layer: Related Entities, Wrappers, Server Actions, Service Actions, Web Blocks

End User layer: Web Screens and Web Blocks

Orchestration: Dashboard, Backoffice Panel, Web Pages


Now, as and when we implement all these items, we can see the security at each instance. For example:

  1. We can create Custom and Basic Authentication for REST APIs, which is part of the Foundation layer: https://www.outsystems.com/evaluation-guide/how-can-i-create-secure-rest-apis-with-outsystems/
  2. We can allow users to visit screens or not, which is part of End User layer security.
  3. In the same way, we can check Roles and put security on accessing an Entity and doing operations on it.


And more in the same way... That's why OutSystems has various best practice documents for developing a secure application. So, by following the best practices, we can use all those ingredients at each layer.


One more example is Cipher's encryption to encrypt the local database. In my opinion it should go this way.


But I would still also like to hear the experts' opinion on the same.


Regards ;) 

Thanks Manish for the detailed description.

I have the same understanding as you. But I still want to hear from the experts.

Hi Pankaj,

What do you plan to include in that security layer?

I think security is transversal to every layer.


Hi @José Gonçalves,

I am planning to add data security and information security level information with Role-based access.

For Role access, you can create Roles in a lower layer, depending on which upper modules they will be used in. From there you can control access to screens and data based on Roles.

Yes, we are following the same. But many times when I share the 4LC architecture with my clients, they are more concerned about security. I thought that if we could add this into the 4LC, that could be better.


Security should not be a separate layer. Security best practices apply to all the layers as well as the OutSystems infrastructure. There are tons of OutSystems documents on how to implement all these best practices.

In https://success.outsystems.com/Documentation/Best_Practices/Security the shared layered responsibility model is described.

Here is an example of security best practices for Reactive web applications, which obviously apply to the End User layer of the architecture canvas:

https://success.outsystems.com/Documentation/Best_Practices/Security/Reactive_web_security_best_practices


Here is an example of extra security that can be applied at the environment level:

https://success.outsystems.com/Documentation/Best_Practices/Security/Injection_and_Cross_Site_Script_(XSS)


Here is an example of implementing an extra security layer at the core layer of the architecture canvas:

https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/LifeTime_API_v2/REST_API_Authentication


There are many more, but I hope you get the point: security is not a layer on its own; it's relevant for any layer as well as your infrastructure and the governance of users and applications.

Kind regards,

Daniel

