Security Issues

  
Hi,

I am reading up on the top 10 most critical web application security risks. What are your best practices on these kinds of security issues?
For OutSystems I ask: what are you lot doing about it within the platform (especially the generated code, of course)?

I'm puzzling over whether TrueChange(tm) should flag those issues as a warning/error to point the developer to possible security issues.
It would give a false security, because you cannot guarantee a 100% secure environment; on the other hand, one does get helped by fixing those possible issues in a quick way.
For example, the most obvious thing is of course the EncodeSQL() method, which should be used with the queries.

So, what are your thoughts on this?

Hi Joost,

The Agile Platform (AP) already has built-in features and default code generation settings to avoid many of the security pitfalls of web applications. As you say, we can't guarantee a 100% secure application, but by following the default behaviors when developing apps with the AP, we're already covering many security features.

For instance, the user, permissions and session management that come out of the box with the AP take on the effort of managing the security context of the apps' web screens and key operations. Together with the HTTPS and Integrated Authentication options, this brings your applications another step forward to best security. All this is automatically reflected in the generated source code.

Even the code injection risk is minimized by the AP default behaviors, either when dumping screen expressions or querying the database, mainly because the screen expressions are escaped by default, and the query parameters are converted to bind variables (generating parameterized queries), to improve performance and avoid SQL injection. Only when the developer opts to change the default values to unescaped screen expressions or expand inline query parameters is there in fact a risk of code injection (as referred to in the forum post "Tip: How to avoid code injection in OutSystems applications"). And even in these scenarios we can use the referred Encode() built-in functions.

Of course, none of this is new to you, but I'm just reinforcing the fact that the AP is designed and built with security in mind as well. :)

Obviously, we are always on alert regarding security risks and how to avoid them, either in the AP core, or in the System Components patterns and technologies (like RichWidgets, ECT or EPA). When security issues are found we acknowledge them and work to fix them adequately. It has happened in the past and we can't guarantee that it won't in the future, but we try to have them fixed asap.

As you've referred, the TrueChange(tm) engine identifies several key patterns that aren't compliant with development best practices, but still, there's room to improve it to identify the lack of Encode() function usage on expand inlines and unescaped expressions. But as you might understand, we might be able to identify some basic patterns (like a direct assignment of an input widget variable to an unescaped screen expression or expand inline query parameter), but more complex patterns might not be easily identified without causing significant overhead or risking the generation of many false positives.

Nonetheless, we should take this concern into consideration, and I'll follow up with R&D on that.

Some of the other TOP 10 security risks on web applications could be addressed with secure networks and protocols, and lie a little bit outside of the application development, but even then, the AP provides some key features to help address some of these problems, like the Internal Network setting or Selective Deployment.

Then we can't forget that the AP is built to run over known Application Servers (IIS+.NET and JBoss), which bring their own security features to help secure the applications that are running on top of them.

Security of the AP and the developed apps is very important to us, and we keep that in mind when developing new features and changing any existing ones.

Your views on your reading and on your experience with the AP regarding these security issues should also be a good source of feedback to keep us improving our product towards optimum security, so keep these discussions coming! :)

Best regards

Cheers

Miguel Simões João
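
The difference between bind variables and expand-inline parameters discussed in the reply above, as an added example that is not part of the thread and not OutSystems code. It uses Python's sqlite3 as a stand-in database; the table, the sample inputs and `encode_sql` (a hypothetical stand-in for an Encode function that doubles single quotes) are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
ROWS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]
HOSTILE = "x' OR '1'='1"   # constructed input containing SQL syntax


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def find_bound(db, name):
    """Default behaviour described in the reply: the value travels as a bind variable."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def encode_sql(value):
    """Hypothetical stand-in for an Encode function: doubles single quotes."""
    return value.replace("'", "''")


def find_inline(db, name, encode=False):
    """Expand-inline style: the value becomes part of the SQL text itself."""
    literal = encode_sql(name) if encode else name
    return db.execute("SELECT name FROM users WHERE name = '" + literal + "'").fetchall()


def compare(name):
    """Run one input through all three variants; report row counts or the error."""
    db = make_db()
    out = {"bound": len(find_bound(db, name))}
    for label, enc in (("inline", False), ("inline_encoded", True)):
        try:
            out[label] = len(find_inline(db, name, encode=enc))
        except sqlite3.OperationalError:
            out[label] = "syntax error"
    return out


if __name__ == "__main__":
    for sample in ("bob", "o'brien", HOSTILE):
        print(repr(sample), compare(sample))
```

The bound query treats every input as data. The unencoded inline query breaks on an ordinary apostrophe and returns every row for the constructed hostile input, while the encoded inline query matches the bound one.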