HP Fortify - SAST scan results


I have read somewhere that Outsystems uses HP fortify for SAST scans to capture any vulnerabilities. This scan is triggered whenever a build is created. Also I understand that they release security patches as and when new vulnerabilities are captured. 

Can we publish the SAST results somewhere so that temporary fixes can be made to the application till security patches are released for the captured vulnerabilities. Just don't like not knowing and living with the vulnerabilities for the time between the build creation and security patches release if required.  

Created on 26 Oct 2018
Comments (5)

Hi Tushar, 

Thank you for your participation in the OutSystems Community.

However, I believe you are missing a couple of details in your request.

When we create a build of the product inside OutSystems, there are still several steps missing before we release the build to our customers. So, a vulnerable build doesn't affect you in any way.

Furthermore, your suggestion violates the principles of responsible disclosure, which we follow at OutSystems.  Whenever we find or learn about a vulnerability, we fix it or mitigate it with the urgency it deserves first. Then we communicate the nature/risk of the vulnerability, and the instructions to fix it or mitigate it first. We disclose the vulnerability publicly only after we give a reasonable time for our customers to adapt.

Finally, our policy is not to disclose security reports, because they may contain information that could potentially be exploited.

As a customer, you may run your own static code analysis to validate the security of the applications you create in OutSystems. This allows you not only to test that the platform generates secure applications by default, as well as testing that your developers didn't introduce any vulnerabilities.




Thanks for the details Joao. 

You mentioned that "As a customer, you may run your own static code analysis to validate the security of the applications you create in OutSystems.".  Can you please help me with details on how this can be achieved. Here in our client organization we use HP Fortify to run static scans on custom .Net applications. Is there a way to run the same on outsystems applications ? 


Would like to actually put forth a scenario I am dealing with here. There's a client that we have been working with. And we are trying to push for the use of low-code platforms over traditional developments. But they are really particular about the security considering the data sensitivity. So as of now every application that goes into production has to be mandatory go through SAST and DAST scans. DAST is something that we cans still handle even with outsystems as it is platform independent . But for SAST,  either we'll have to publish artifacts from Outsystems scans  as evidences OR find a way to actually run SAST on the outsystems solution at our end. We are in a bottlenect hear,. Any help is appreciated. 

During the application publish process, the OutSystems platform writes the source code to the file system of the OutSystems platform server. You just have to pick up and feed it to your favorite static code analysis tool.

Changed the category to Other