School of Information Systems

How OutSystems Protects Your Applications and Data

“Web security” is relative and has two components, one internal and one public. Your relative security is high if you have few network resources of financial value, your company and site aren’t controversial in any way, your network is set up with tight permissions, your web server is patched up to date with all settings configured correctly, the applications on your web server are all patched and updated, and your web site code is written to a high standard.

Your web security is relatively lower if your company holds financial assets such as credit card or identity information, if your web site content is controversial, or if your servers, applications and site code are complex or old and are maintained by an underfunded or outsourced IT department. All IT departments are budget challenged, and tight staffing often creates deferred maintenance issues that play into the hands of anyone who wants to challenge your web security.

As web applications become more widespread and increasingly transactional, more corporate data and business logic are at risk. It has become necessary, in a way it never was before, to ensure that every single line of code does not introduce a vulnerability, that every single software application (whether built for desktop, cloud or mobile) is safe from cyber-attacks, and that your intellectual property, customer data (credit card numbers, SSNs, addresses, etc.), business processes, and trade secrets are protected.

With so much at risk (money, reputation, legal issues), organizations today agree that web security is a top concern. For some businesses, specific regulation exists, such as PCI DSS for the handling of payment card holder information. Such regulation requires compliance with well-defined security standards as a precondition for conducting business.

Security must be accounted for at all layers, from the network to the application software. A single insecure pathway to private information is enough to make an entire system vulnerable. The goal, of course, is to eliminate exploitable security risks in software at the application code level, to ensure that all pathways to data are secure, and to ensure that no vulnerability allows a website to be abused for spreading malware.

Organizations drive their security efforts using security testing tools to identify all potentially exploitable vulnerabilities in software at the application code level. Developers and security experts then team up to review these (usually very extensive) vulnerability lists and fix those that the team agrees should be addressed, prioritized by occurrence frequency, exploit complexity, and potential impact. These reviews require a huge amount of effort in time, resources, and expertise, and they need to be repeated every time an organization needs to deploy a new, secure release of an application.

With OutSystems, web security is a bit different. For the past decade, results from every security test (code vulnerability scans, runtime analysis scans, penetration tests) that customers have performed on code generated by the OutSystems Platform have been incorporated back into the platform. That is ten years of accumulated intelligence and improved security: all the knowledge gathered from ten years of security testing is instantly available to developers from the moment they begin developing a new application. It is all in the platform and is an inherent part of every application every customer deploys.

Taking its approach to application security one step further, OutSystems recently integrated a security testing tool, HP Fortify Static Code Analyzer, directly into its quality assurance process. By making this security review a part of the OutSystems product delivery process, and by enforcing aggressive acceptance criteria (no critical, no high, and no medium reported occurrence left behind), OutSystems is able to systematically ensure that the applications generated with the OutSystems Platform, both Java and .NET applications, are inherently secure. When it comes to code vulnerabilities: fix once, fixed forever. Continuous monitoring and improvement of the platform, along with regular client feedback and regular vulnerability updates from HP, means that application security grows stronger with every iteration.
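The two mechanisms described above, the triage of a scanner's findings by frequency, exploit complexity and impact, and a release gate that refuses any critical, high or medium finding, can be expressed as a small script. The following is an added example and is not OutSystems' or HP Fortify's own tooling; the finding format, the scoring weights and the sample findings are all constructed for illustration.

```python
"""Triage static-analysis findings and apply a release gate.

Added example (not OutSystems or HP Fortify code). The Finding record, the
weights and SAMPLE_FINDINGS are assumptions made for this illustration;
a real pipeline would load findings from the scanner's report instead.
"""
import sys
from collections import Counter
from dataclasses import dataclass

# Impact of a finding, as reported by the scanner.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Exploit complexity: the less effort an attacker needs, the higher the weight.
COMPLEXITY_WEIGHT = {"low": 3, "medium": 2, "high": 1}
# Acceptance criterion: anything at or above this severity blocks the release.
GATE_MIN_SEVERITY = "medium"


@dataclass(frozen=True)
class Finding:
    category: str    # vulnerability class, e.g. "SQL Injection"
    severity: str    # critical / high / medium / low
    complexity: str  # exploit complexity: low / medium / high
    location: str    # file:line in the generated code


# Constructed sample output of a scan; not real scanner results.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "critical", "low", "OrderService.java:42"),
    Finding("Cross-Site Scripting", "high", "low", "Catalog.aspx.cs:118"),
    Finding("Cross-Site Scripting", "high", "low", "Catalog.aspx.cs:131"),
    Finding("Path Manipulation", "medium", "medium", "Export.java:77"),
    Finding("Log Forging", "low", "high", "Audit.java:19"),
    Finding("Log Forging", "low", "high", "Audit.java:23"),
]


def priority(finding, category_counts):
    """Weighted sum of the three triage factors named in the text.

    Impact dominates; exploit complexity and occurrence frequency (how many
    times the same category appears across the code base) break ties, with
    frequency capped so a flood of low findings never outranks one critical.
    """
    return (SEVERITY_RANK[finding.severity] * 10
            + COMPLEXITY_WEIGHT[finding.complexity] * 3
            + min(category_counts[finding.category], 5))


def score_report(findings):
    """Map each finding's location to its priority score."""
    counts = Counter(f.category for f in findings)
    return {f.location: priority(f, counts) for f in findings}


def triage(findings):
    """Return the findings ordered from most to least urgent."""
    scores = score_report(findings)
    return sorted(findings, key=lambda f: scores[f.location], reverse=True)


def gate_blockers(findings, min_severity=GATE_MIN_SEVERITY):
    """Findings that violate the acceptance criterion (medium and above)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]


def release_allowed(findings):
    """True only when no finding at or above the gate severity remains."""
    return not gate_blockers(findings)


if __name__ == "__main__":
    scores = score_report(SAMPLE_FINDINGS)
    for f in triage(SAMPLE_FINDINGS):
        print(f"{scores[f.location]:3d}  {f.severity:8s} {f.category:22s} {f.location}")
    blockers = gate_blockers(SAMPLE_FINDINGS)
    print(f"{len(blockers)} finding(s) block the release")
    # In a delivery pipeline a non-zero exit status fails the build.
    sys.exit(0 if release_allowed(SAMPLE_FINDINGS) else 1)
```

Run as a pipeline step, the script exits non-zero while any medium-or-higher finding remains, which is the "no critical, no high, no medium left behind" rule; the triage order tells the team which finding to fix first when the list is long.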

Wiza Teguh