OutSystems applies security best practices and manages security to allow customers to focus primarily on their business. OutSystems Platform inherently protects customers from threats by making sure security controls are applied at every layer, while ensuring that customer applications and data are isolated.
OutSystems allows any customer to conduct security audits and penetration tests, as long as they are limited to the customer’s cloud infrastructure.
AWS security and compliance
OutSystems Platform physical infrastructure is hosted within Amazon Web Services secure and certified data centers. Amazon Web Services (AWS) data centers have multiple layers of operational and physical security to ensure the integrity and safety of data. The data center is manned and supported 24 hours a day, 7 days a week and 365 days a year. AWS system security includes:
Hardened and patched OS
Secure, replicated databases, firewalls and VPN services
Intrusion detection devices
Distributed denial-of-service (DDoS) mitigation services
Recurring risk assessments to ensure compliance with industry standards.
Amazon’s data center operations have been accredited under several security compliance standards, such as ISO 27001, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FedRAMP and FIPS 140-2.
Application security in OutSystems public cloud
Applications built with OutSystems Platform benefit from an extra level of security in the application code itself. For example, there are many common threats (such as SQL injection) that exploit vulnerabilities in the way programs are written. OutSystems Platform generates standard .NET and Java code in a way that explicitly prevents these types of threat.
Additionally, OutSystems systematically validates the security of the code that is generated for web and mobile web applications. Using HP Fortify Static Code Analyzer, the OutSystems research and development team uses advanced vulnerability scanning on OutSystems generated code during regression testing, and has defined key acceptance criteria regarding web security for all generated code to eliminate all critical, high and medium vulnerabilities.
This gives you an extended security level regarding the code generated by OutSystems Platform. It also ultimately reduces the cost of maintenance as new security issues are automatically fixed in customer applications.
Application lifecycle security
The security model that supports application lifecycle and promotion is tailored to support patterns of both simple and complex software factories, where there are several restrictions on who is allowed to stage specific applications to the appropriate environment.
IT team responsibilities are defined by roles and users can specify what each role can do in each environment. For example, the developer role might not be allowed to push applications to production, while the operations role can.
A role can have custom permissions for each application. Alternatively, teams can be defined as being responsible for multiple applications, and assigned role permissions valid for all the applications managed by the team. This maps the way organizations manage security on their software factory, simplifying the management of several applications and their teams of users.
OutSystems Platform makes it as easy as possible for applications to be secure and trusted for users. Organizations can easily configure SSL/TLS certificates to provide end-to-end encryption between browsers and applications, which is crucial for applications that transmit sensitive data.
SSL/TLS is enabled in an OutSystems Platform environment through the management console. Users associate either the single frontend IP address or the load balancer address with the preferred domain name and purchase an SSL certificate securing that domain. OutSystems Platform then enables HTTPS for all applications in that environment, configuring the underlying application server to use your certificate. There is no need for specific HTTPS programming and testing.
Virtual private cloud (VPC) and VPNs
The VPC service provides a secure and seamless bridge between an existing IT infrastructure and OutSystems Platform environments. With this technology, a team can have their cloud environments communicate with their on-premises systems through VPN tunnels and vice-versa, enabling them to integrate and expose the core system information in a secure way.
Additionally, an organization is able to access the cloud through VPN by defining the routing and updating security policies. Security services and policies such as DNS, firewalls, and intrusion detection systems are applied seamlessly. OutSystems Platform becomes an extension of their corporate data center, without having to sacrifice security or change management practices.
VPN connections use industry-standard IPsec tunnel mode (with IKE PSK, AES-128, HMAC-SHA-1, PFS) to authenticate the two sides of the VPN connection and to protect the data in transit from eavesdropping and tampering. IPsec adds minimal overhead to the traffic stream. Encryption and encapsulation use about 7% additional bandwidth. Most network interface cards now offload encryption functions to a specialized processor, so the performance of the VPN shouldn’t be affected.
A team may subscribe to additional VPNs, for example, in order to connect to multiple geographic locations or to create a redundant VPN connection to provide failover.
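The bandwidth overhead of the IPsec tunnel described above depends on packet size. This added example (not OutSystems or AWS code) computes ESP tunnel-mode overhead for the listed algorithms, assuming an IPv4 outer header, AES-128 in CBC mode and HMAC-SHA-1 truncated to 96 bits; the function names and the traffic mix are constructed for illustration.

```python
import math

# Assumptions (not stated on the page): IPv4 outer header, AES-128 in CBC mode,
# HMAC-SHA-1 truncated to 96 bits (RFC 2404), optional NAT-T UDP encapsulation.
OUTER_IPV4 = 20      # new outer IP header added by tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_BLOCK = 16       # AES block size; also the CBC IV length
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_SHA1_96 = 12     # truncated HMAC-SHA-1 integrity check value
NAT_T_UDP = 8        # UDP header when NAT traversal is in use


def esp_tunnel_size(inner_len, nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    if inner_len < 20:
        raise ValueError("inner packet must include at least an IPv4 header")
    # Inner packet plus trailer is padded up to a whole number of AES blocks.
    ciphertext = math.ceil((inner_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    size = OUTER_IPV4 + ESP_HEADER + AES_BLOCK + ciphertext + ICV_SHA1_96
    return size + (NAT_T_UDP if nat_t else 0)


def overhead_pct(inner_len, nat_t=False):
    """Extra bytes as a percentage of the original packet size."""
    return 100.0 * (esp_tunnel_size(inner_len, nat_t) - inner_len) / inner_len


def mix_overhead_pct(mix, nat_t=False):
    """Overhead for a traffic mix given as {inner packet size: packet count}."""
    plain = sum(size * n for size, n in mix.items())
    wire = sum(esp_tunnel_size(size, nat_t) * n for size, n in mix.items())
    return 100.0 * (wire - plain) / plain


if __name__ == "__main__":
    for size in (64, 576, 1000, 1400):
        print(f"{size:>5} B inner -> {esp_tunnel_size(size):>5} B on wire "
              f"(+{overhead_pct(size):.1f}%)")
    # Constructed traffic mix: many small packets, some full-size ones.
    sample_mix = {64: 30, 576: 20, 1400: 50}
    print(f"sample mix: +{mix_overhead_pct(sample_mix):.1f}%")
```

Under these assumptions the per-packet cost is a fixed 64 to 79 bytes, so bulk transfers sit below the quoted figure while chatty, small-packet traffic sits well above it.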
Privacy and data protection
OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems public cloud. For example, access by OutSystems employees is controlled and restricted to the minimum required to provide the public cloud services.
In the OutSystems public cloud, the environment of each customer/tenant is isolated from other tenants. Each tenant has a dedicated set of virtual machines and a dedicated database instance, both running on a dedicated Virtual Private Cloud. This architecture prevents cross-tenant access.
With the OutSystems security model, a team is able to control which users have access to each of the environments of each application, even when all applications share the same set of environments.