OutSystems CSIRT

The OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems cyber investigation and forensics team. A part of the Information Security Office, the team provides security monitoring services to protect OutSystems from cyber attacks and the loss of its intellectual assets.

The primary mission of OutSystems CSIRT is to help ensure company, system, and data preservation by thoroughly investigating computer security incidents and contributing to their prevention with proactive threat assessment, mitigation planning, incident trend analysis, security architecture review, and vulnerability management.

OutSystems CSIRT also shares information with other CSIRTs involved in security incident responses.

1 - Document Information

1.1 - Date of Last Update

This is version 1.1 and was last updated on 14 Jun 2018.

1.2 - Distribution List for Notifications

Email notifications of updates are sent to OutSystems CSIRT. Please send any questions about updates to the OutSystems CSIRT email address: csirt@outsystems.com

1.3 - Document Location

The current version of this document is on the OutSystems Trust page. Make sure that you are using the latest version of this document.

1.4 - Authentication of This Document

A digitally signed version is available at the end of this document. The signature was produced with the OutSystems CSIRT PGP key. 
The public key can be downloaded from the link in section 2.7; verify its fingerprint against the one listed there before trusting the signature.

2 - Contact information

2.1 - Name of the Team

Full name: OutSystems Computer Security Incident Response Team 
Short name: OutSystems CSIRT.

2.2 - Address

Rua Central Park 2, 2A 
2795-242 Linda-a-Velha 
Portugal

2.3 - Time Zone

Western European Time (WET, UTC+00:00; UTC+01:00 while daylight saving time is in effect)

2.4 - Telephone Number

Regular and emergency contact: +351 800 780 555

2.5 - Other Telecommunication

Not applicable

2.6 - Email Address

Send incident reports that relate to OutSystems CSIRT to csirt@outsystems.com 
Non-incident-related mail should be addressed to support@outsystems.com

2.7 - Public Keys and Other Encryption Information

Encrypt any sensitive email with the OutSystems CSIRT PGP key and send it to csirt@outsystems.com. Before using the key, check that the fingerprint of the downloaded key matches the one below. 
Key size: 4096 bits 
Key validity: 01 Nov 2019 
Key fingerprint: 1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74 
Link to Public Key

2.8 - Team Members

No public information is provided about OutSystems CSIRT members.

2.9 - Other Information

More information about OutSystems CSIRT is available on the OutSystems Trust page.

2.10 - Points of Customer Contact

The preferred method for contacting OutSystems CSIRT is email.

For abuse or security issues, use csirt@outsystems.com.

For general customer inquiries, use the OutSystems Support Portal (registration is required, but it’s free).

3 - Charter

3.1 - Mission Statement

The OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems cyber investigation and forensics team. It provides security monitoring services to protect OutSystems from cyber attacks and the loss of its intellectual assets.

The primary mission of OutSystems CSIRT is to help ensure company, system, and data preservation by performing comprehensive investigations into computer security incidents, and to contribute to the prevention of such incidents by engaging in proactive threat assessment, mitigation planning, incident trend analysis, security architecture review, and vulnerability management.

3.2 - Constituency

OutSystems CSIRT is responsible for handling security incidents that relate to company employees, company assets, and all OutSystems domains, namely: outsystems.com, outsystemsenterprise.com, outsyste.ms, outsystemscloud.com and outsystems.net.

3.3 - Sponsorship and Affiliation

OutSystems CSIRT consists of a group of engineers and analysts that serves all of OutSystems and acts under the authority of the Information Security Office and its Chief Information Security Officer to protect OutSystems information assets.

OutSystems CSIRT is affiliated with the Cloud Security Alliance.

3.4 - Authority

OutSystems CSIRT coordinates, investigates, and remediates security incidents at the direction of the OutSystems Information Security Office and its Chief Information Security Officer.

4 - Policies

4.1 - Types of Incident and Levels of Support

The level of support provided by OutSystems CSIRT will vary depending on the type and severity of the incident or issue, the type of constituent, the affected scope, and OutSystems CSIRT resources. Resources will be assigned according to the following priorities, listed from highest to lowest:

  • Threats to the physical safety of human beings
  • Denial of service attacks on OutSystems client infrastructures, support systems, or public systems
  • Root or system-level attacks on OutSystems client infrastructures, support systems, or public systems
  • Compromise of restricted confidential service accounts or software installations on any OutSystems client infrastructure or OutSystems support system
  • Any threats, attacks or compromises at other sites that originate from the OutSystems network
  • Large-scale attacks of any kind
  • Compromise of individual user accounts
  • Threats, harassment, and other criminal offenses involving individual user accounts
  • Compromise of end-user devices
  • Forgery, misrepresentation, and other security-related violations of local rules and regulations
  • Denial of service on individual user accounts

OutSystems CSIRT will also provide support, in the form of analysis, documentation and, if required, intervention, for any vulnerability found or reported that affects OutSystems. Incident types not listed here will be prioritized according to their apparent severity, impact, and extent.

4.2 - Cooperation, Interaction and Disclosure of Information

All received information is handled as confidential, regardless of its priority.

When reporting incidents that have sensitive information, be explicit (for example, by using the label SENSITIVE) and, if possible, encrypt it using the OutSystems CSIRT PGP Key, available from the link in section 2.7 of this document.

There are legal and ethical restrictions on the flow of information from OutSystems CSIRT, some of which are specified in OutSystems policies, but all reports will be respected. OutSystems CSIRT acknowledges its debt to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and of involved third parties where necessary, OutSystems CSIRT will otherwise share information freely when doing so will help others resolve or prevent security incidents.

Information will be released based on the following considerations:

  • Private user information is considered confidential information and, as such, will not be released unless disguised or otherwise hidden.
  • Intruder information is similar to private user information, and the same rules apply.
  • Information that concerns third-party systems, sites, or other technological assets will not be released without the permission of the affected third party.
  • Technical information about vulnerabilities and attacks that affect third-party vendors, including fixes and workarounds, will be released freely after contacting the affected third parties and after allowing sufficient time for the implementation of patches or fixes.
  • Vulnerability information about OutSystems is considered technical information about vulnerabilities or attacks. This information will be divulged freely after proper mitigation, patches, and/or hotfixes are available for deployment.
  • Information considered embarrassing (e.g. statements that an incident has occurred) to OutSystems, OutSystems partners or any third party, will not be released without the permission of the affected parties.

OutSystems CSIRT will only share the necessary information with involved parties or publicly as required to resolve or prevent security incidents.

4.3 - Communication and Authentication

In view of the types of information that OutSystems CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used, even when unencrypted. Unencrypted email will not be considered secure, but will be sufficient for the transmission of low-sensitivity data. Sensitive data sent by email must be encrypted with the OutSystems CSIRT PGP key.

Online ticketing tools will be considered sufficient for transmitting sensitive information if proper user access segregation is implemented.

Network file transfers will be considered to be similar to email: sensitive data must be encrypted for transmission.

When establishing trust is necessary, the identity of the other party will be ascertained to a reasonable degree of confidence. Appropriate methods will be used, such as a search of FIRST members, WHOIS and other Internet registration information, and telephone call-back or email mail-back, to ensure that the party is not an impostor. Incoming email carrying data that must be trusted will be checked with the originator or verified by means of digital signatures.
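Sections 2.7 and 4.3 both rest on the reporter holding the genuine OutSystems CSIRT key: a report encrypted to a substituted key is readable by whoever planted it, and a signature from a substituted key proves nothing. The following is an added example, not part of the original document or of any OutSystems tooling, showing the check a reporter should run on a downloaded key before encrypting anything to it. It assumes GnuPG 2.2 or later (for `--show-keys`), compares the primary-key fingerprint from `gpg --with-colons` output against the fingerprint printed in section 2.7, and also refuses a key whose expiry date has already passed. The sample colon output in the usage note is constructed; only the fingerprint and the 01 Nov 2019 validity date come from section 2.7, the remaining fields are illustrative.

```shell
#!/bin/sh
# Added example: verify a downloaded OutSystems CSIRT public key against the
# fingerprint published in section 2.7 before using it to encrypt a report.
# Not part of the OutSystems document; assumes GnuPG 2.2+ for check_key_file.

EXPECTED_FPR="1C25 DBBB 1BF8 ECC3 CD75 D8CA 1BAE A457 224A 6C74"   # section 2.7

# Normalize a fingerprint for comparison: drop whitespace, force upper case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Print the primary-key fingerprint from "gpg --with-colons" output on stdin.
# Field 10 of an "fpr" record is the fingerprint; the fpr record that follows
# a "pub" record belongs to the primary key, later ones (after "sub") to subkeys.
primary_fpr_from_colons() {
    awk -F: '$1=="pub"{want=1; next}
             $1=="sub"{want=0}
             $1=="fpr" && want{print $10; want=0}'
}

# Print the primary key's expiry as a Unix timestamp (pub record, field 7);
# prints nothing if the key does not expire.
primary_expiry_from_colons() {
    awk -F: '$1=="pub"{print $7; exit}'
}

# Return 0 if the colon output in $1 describes a key with the expected fingerprint.
check_key_output() {
    got=$(printf '%s\n' "$1" | primary_fpr_from_colons)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Return 0 if the key in $1 has no expiry or expires after the current time.
key_not_expired() {
    exp=$(printf '%s\n' "$1" | primary_expiry_from_colons)
    [ -z "$exp" ] || [ "$exp" -gt "$(date +%s)" ]
}

# Real use: inspect a downloaded key file without importing it into the keyring.
# Only a key that passes both checks should be imported and used for encryption.
check_key_file() {
    out=$(gpg --with-colons --show-keys "$1") || return 1
    check_key_output "$out" && key_not_expired "$out"
}
```

After `check_key_file csirt.asc` succeeds, import the key and encrypt the report with `gpg --encrypt --armor -r csirt@outsystems.com report.txt`. Note that the fingerprint check alone is not enough: a key whose validity period has lapsed (the document lists 01 Nov 2019 for the key current at its date of publication) should prompt a request for the current key through one of the contact channels in section 2 rather than be used as-is.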

5 - Services

5.1 - Incident Response

OutSystems CSIRT will assist with the technical and organizational aspects of security incidents. In particular, it will provide assistance or advice for the following aspects of incident management.

5.1.1 - Incident Triage

  • Investigating if an incident is in fact a security incident
  • Determining the extent and criticality of a security incident

5.1.2 - Incident Coordination

  • Determining initial cause of the incident
  • Facilitating contact with related third parties
  • Facilitating contact with OutSystems Security, law enforcement officials or both if necessary
  • Reporting to other CSIRTs
  • Creating announcements to users and customers when applicable

5.1.3 - Incident Resolution

  • Overseeing the removal or mitigation of a vulnerability and verifying that the fix is effective
  • Collecting and storing evidence when criminal prosecution (with supervision from law enforcement agencies) or disciplinary action is being contemplated

5.2 - Proactive Activities

OutSystems CSIRT maintains the following services to the extent made possible by its resources:

  • List of departmental security contacts (administrative and technical). These will be available for OutSystems employees and partners.
  • Repository of security tools and corresponding documentation.
  • Clipping service relating to security vulnerabilities and cyber attacks. This information will be made available to OutSystems employees and partners via approved communication channels.
  • Security assessment work, including building new security tools, performing internal audits (penetration tests, vulnerability scans, etc.), and reviewing security architectures and network designs.
  • Central logging service and analysis for OutSystems clients.
  • Documenting security incidents, analysis and resolutions.

7 - Disclaimer

Although every precaution will be taken in the preparation of information, modifications, and alerts, OutSystems CSIRT assumes no responsibility for errors, omissions, or damages resulting from the use of the information contained within.