Hi Tushar, 

Thank you for your participation in the OutSystems Community.

However, I believe you are missing a couple of details in your request.

When we create a build of the product inside OutSystems, there are still several steps missing before we release the build to our customers. So, a vulnerable build doesn't affect you in any way.

Furthermore, your suggestion violates the principles of responsible disclosure, which we follow at OutSystems.  Whenever we find or learn about a vulnerability, we fix it or mitigate it with the urgency it deserves first. Then we communicate the nature/risk of the vulnerability, and the instructions to fix it or mitigate it first. We disclose the vulnerability publicly only after we give a reasonable time for our customers to adapt.

Finally, our policy is not to disclose security reports, because they may contain information that could potentially be exploited.

As a customer, you may run your own static code analysis to validate the security of the applications you create in OutSystems. This allows you not only to test that the platform generates secure applications by default, as well as testing that your developers didn't introduce any vulnerabilities.

Best,

Joao

Thanks for the details Joao. 

You mentioned that "As a customer, you may run your own static code analysis to validate the security of the applications you create in OutSystems.".  Can you please help me with details on how this can be achieved. Here in our client organization we use HP Fortify to run static scans on custom .Net applications. Is there a way to run the same on outsystems applications ? 

Joao,

Would like to actually put forth a scenario I am dealing with here. There's a client that we have been working with. And we are trying to push for the use of low-code platforms over traditional developments. But they are really particular about the security considering the data sensitivity. So as of now every application that goes into production has to be mandatory go through SAST and DAST scans. DAST is something that we cans still handle even with outsystems as it is platform independent . But for SAST,  either we'll have to publish artifacts from Outsystems scans  as evidences OR find a way to actually run SAST on the outsystems solution at our end. We are in a bottlenect hear,. Any help is appreciated. 

During the application publish process, the OutSystems platform writes the source code to the file system of the OutSystems platform server. You just have to pick up and feed it to your favorite static code analysis tool.

Since outsystems has been moving ahead with the Architecture dashboard now. Is this something that can be integrated in Arch Dashboard itself ?

What kind of integration were you thinking about?

E.g. I don't find any obvious value in consolidating findings of Architecture Dashboard and HP Fortify on the same GUI.

In any case, it would be best to create a new idea, as we are kind of starting a different discussion here.

Please check previous comments.

Hi,

Can you please suggest which has good integration with outsystems

Fortify or Sonaqube.