Low Code. High Security.

Jakob Rahr Bork Jensen
5 min read · Oct 21, 2020

Best practice security — baked-in by default.

Security concerns are not to be taken lightly. Security trends paint a grim picture of how both the number and complexity of malicious attacks are on the rise. The good old days of just trusting the firewall to keep you safe are gone. In today's world, IT security needs to be set up in depth, making every step of a potential attack a tough process for the attacker.

Security in depth means handling security of your system on every level — meaning application, infrastructure, data, network, monitoring and so forth. Handling this in traditional programming is of course possible, but to be honest, it is also quite a bit of work. And this amount of work tends to slow the development and innovation process down.

When looking into implementing security measures in low code applications, a lot of questions might arise. It becomes evident that several layers of security are now handled by the low code platform. Do you trust that?

Source: https://info.signalsciences.com/devsecops-community-survey-2018

OutSystems has done a lot of work to make sure their platform is secure by default. In this blog post I will deep dive into a subset of the features embedded into the OutSystems platform. As you will see, these cover aspects such as vulnerability scanning, OWASP Top 10 defensive measures, role based access controls on both application and operations level, identity management, auditing, and many more.

In case you are interested in getting your own quick overview of the embedded features, a one-page overview can be obtained on the OutSystems Security Poster.

How OutSystems plays defense

Focus on defending against OWASP top 10 security risks
The Open Web Application Security Project (OWASP) is typically used as a reference guide for identifying the most common security risks for applications open to the web. The OWASP Top 10 list includes risks on all levels of the system. Each risk can be mitigated in a number of ways and more likely than not, several measures will be required to gain a strong enough security posture.

In their security efforts, OutSystems has focused their defense on protection against the top 10 list provided by OWASP.

By default, OutSystems takes care of each of these risks through a number of built-in features (see further descriptions here). As a developer this means that when using OutSystems-provided UI components and widgets, issues such as SQL injection and cross-site scripting are already taken care of.

However, as you and others are able to extend the features of OutSystems, for instance by providing your own JavaScript for customized components, it is still possible to create insecure applications. Therefore, take care when using Forge components or your own extensions.
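The caveat above, as an added example that is not from OutSystems or this post: a hand-written greeting component that interpolates a user-supplied display name straight into markup, next to a hardened version that escapes it first. The function names and the sample input are constructed for illustration.

```javascript
// Added example (not OutSystems code): the kind of bug a custom
// JavaScript component can reintroduce even though the platform's own
// widgets escape output for you.

// Vulnerable: interpolates user-controlled text straight into markup.
// A value such as '<img src=x onerror="...">' becomes live HTML.
function renderGreetingUnsafe(displayName) {
  return `<div class="greeting">Hello, ${displayName}!</div>`;
}

// Escape the five characters that matter in HTML text and attribute
// context, so user input is rendered as text and never parsed as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: same output shape, but the untrusted value is escaped first.
function renderGreetingSafe(displayName) {
  return `<div class="greeting">Hello, ${escapeHtml(displayName)}!</div>`;
}

// Check that a rendered fragment contains no tags beyond the template's
// own <div>...</div>, i.e. the input did not smuggle in extra markup.
function containsOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length === 2 && tags[0].startsWith("<div") && tags[1] === "</div>";
}

// Constructed sample input: the kind of string a design-time warning
// about cross-site scripting exists to catch.
const hostileName = '<img src=x onerror="alert(1)">';

console.log(containsOnlyTemplateTags(renderGreetingUnsafe(hostileName))); // false
console.log(containsOnlyTemplateTags(renderGreetingSafe(hostileName)));   // true
```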

Eliminating vulnerable code
When programming in the traditional way, typical measures to eradicate vulnerabilities and security hotspots in the code are static code analysis and vulnerability scans. As OutSystems abstracts this away, the question is how you can now cover this. Good news! OutSystems already does this for you by default upon every change to their platform, using the HP Fortify Static Code Analyzer, running against a set of aggressive criteria.

At the same time, OutSystems also allows you to extract the generated code, on which you can then run your own scans with your preferred tools and against your own criteria. For details on this, look here.

Finally, vulnerable and potentially unsafe application patterns are identified by the OutSystems IDE (Service Studio) at design-time. Each detected risk, such as code injections, cross-site scripting, unvalidated redirects and violation of data isolation, will be shown as a warning for you to handle as a developer before publishing the application.

Use your existing Identity Management
OutSystems allows you to create users both on application level and separately for operations tasks. You can do so in OutSystems directly through out-of-the-box features, or you can integrate with and utilize your existing Identity Management tool. OutSystems supports integrations with Active Directory and LDAP systems out-of-the-box.

Sample of supported identity providers

Furthermore, additional authentication mechanisms are also fully supported, such as SAML or OAuth.
Extensions are available through the OutSystems Forge to let you connect to even more identity providers, such as Okta, Azure or OneLogin.

Encryption
OutSystems makes it easy to use and enforce HTTPS/SSL encryption. For native mobile applications, this is enforced by default, while it is optional for web applications. To enforce it on web, just click the checkbox, either system wide or for each web page or service.

Also, databases in the OutSystems cloud allow for full encryption at rest.

Auditing
All access in and out of the OutSystems cloud and applications is logged and monitored by the OutSystems platform.

This allows for auditing and efficient tracking of security issues related to everything from requests and integrations to end-user access and details of their actions in the application.

Role based access controls
Access to pages and services can be effectively controlled through easily configurable roles on application level in a granular fashion.

Similarly, roles can be set up for IT operations tasks. Duties can be separated per environment, for instance to allow different users to deploy applications to individual environments.

Additional protection for mobile apps using App Shield
Recently, OutSystems announced the App Shield — an additional opt-in security layer for mobile applications. The App Shield works as a fully integrated, code-free deployment feature that can be automatically deployed with individual applications after an initial setup.

OutSystems App Shield

The App Shield is relevant for mobile applications that have any of the following characteristics:

  1. B2C or B2E mobile applications with sensitive data.
  2. Subject to security and/or privacy regulations.
  3. Industries like banking, financial services, healthcare or insurance.

OutSystems continually modifies the App Shield to effectively defend against the latest security attack methodologies. This lets you spend less time on developing and maintaining security features on your own, allowing you to improve your time-to-market.

Further details on the App Shield features can be found here.

Jakob Rahr Bork Jensen

Jakob is working as a Management Consultant within IT at Deloitte Consulting. He primarily works with IT development and architecture, Cloud, DevOps and Low Code.