Within this page you can find an initial guide for secure configuration of the OutSystems platform, and contact details for the OutSystems security team.
For an OutSystems cloud deployment, make sure you read the shared responsibility model before continuing.
Set Up Support Portal Security Contacts
The security contact will be the first recipient of all security-related email communications. Please refer to the following document for instructions on defining your security contact in the support portal.
Initial User Management
When you first use any infrastructure, you must initialize the administrator users of all tenants. Here this means two kinds of users: IT users and application users.
The Lifetime and Service Center consoles are used to manage the OutSystems platform. IT users are managed within Lifetime, while application (end) users are managed within the Users application. Change both administrator passwords when you first use the platform, following the instructions below.
Each environment has a dedicated User tenant which, for some versions of the platform, might contain an Administrator account with a default password. This tenant is used by default for newly created applications. Make sure to change the passwords of all these users.
To do this, navigate to each of your environments: <environment address>/Users
Select the Administrator user:
Choose the Set Password option:
The management of operational users is performed using the Lifetime console. For Cloud infrastructures, it is a good practice to perform an initial password change, and then apply a rotation policy for any administrator users.
To rotate the password, navigate to the User Management tab in <lifetime address>/Lifetime and select the user with administrator privileges:
Edit the password:
External Authentication Provider
Within Lifetime, OutSystems allows you to manage IT users (developers, testers, operators). By default, when these users access OutSystems, they are authenticated using the built-in authentication mechanism. OutSystems also supports user authentication with external identity management providers by using the External Authentication feature.
When configured to use an external authentication provider, the platform delegates authentication to the assigned plugin. In this situation, the plugin is responsible for validating the credentials and returning a unique user identifier. That unique identifier maps the authenticated user to an OutSystems IT user. Refer to the documentation here for details on setting up external authentication.
As an additional note, the SAML Platform Authentication forge component allows your OutSystems Platform applications such as Service Studio, Integration Studio, Service Center, and Lifetime to integrate with most of the commercial IdP companies that support SAML 2.0 protocol for authentication purposes.
Certificates & Data Encryption in Transit
It is important to make sure that data in transit is encrypted using secure communication channels. An SSL certificate binds a cryptographic key to an organization’s details. When such a certificate is installed in an application server, the HTTPS protocol can be enabled. This creates an encrypted channel between your web server and your visitor’s web browser, allowing private information to be transmitted without being eavesdropped on or tampered with.
Here is how to request and install a certificate in your application server so that your OutSystems applications can use secure connections in an on-premises setup.
Your OutSystems cloud environment is automatically deployed with default valid SSL certificates with the outsystemsenterprise.com domain. It is possible, and highly advisable, to customize your environment hostname and SSL certificate.
OutSystems provides developers with the ability to decide at design time which pages and integrations are available over HTTP or HTTPS. However, IT Managers or Administrators can override and enforce the HTTPS security of applications that are installed and running. This can be done for a whole environment, which affects all applications running there, or application by application.
Find instructions for enforcing HTTPS security here.
The following sections contain features that are application and environment-dependent.
OutSystems allows specific elements of applications (Web UI Flows, exposed SOAP services, and exposed REST APIs) to be available only within an internal network, while other parts of the application are available to the general public. Depending on the type of applications being developed, make sure to check the configuration of the internal network. It is a good practice to apply restricted internal network rules when developing back office or any other type of internal management application that should only be accessed by a limited range of IP addresses.
VPN (to OutSystems cloud)
A Virtual Private Network (VPN) allows the extension of a private network across the internet. This enables you to create a private network between your OutSystems cloud infrastructure and your on-premises systems by establishing a secure communication channel between the two. After making sure all requirements are fulfilled, you can enable the VPN connection.
The following sections delve into design patterns and component usage during development that assure the secure implementation of applications. We recommend creating separate and reusable applications/modules for each of the capabilities described below, for example a Crypto module that contains wrappers for all data encryption.
When you start developing a new module, it includes built-in logic for end-user authentication. Besides this Internal mechanism, the platform offers four other mechanisms for end-user authentication:
- Active Directory: The Active Directory authentication method for authenticating end-users requires the front-end server to be part of the Active Directory domain. Refer to the following page for configuration instructions.
- LDAP: Instructions for LDAP (Lightweight Directory Access Protocol) configuration of OutSystems applications can be found here.
- SAML 2.0: Uses SAML-based authentication to authenticate the end-users with single sign-on (SSO) provided by commercial Identity Provider companies. Check how to Configure SAML 2.0 Authentication.
- Azure AD: Uses SAML-based authentication to authenticate the end-users with single sign-on (SSO) provided by the Azure AD Identity Provider. Check how to Configure Azure AD Authentication.
To achieve greater security with authentication, the following approaches can be included as part of application development.
OutSystems provides single sign-on capabilities by default: after authenticating in one of the applications, the end-users can access all other applications without having to provide the credentials. Single Sign-On is supported only for modules where cookies are enabled.
Used to distinguish human from machine input, CAPTCHA protects your websites from spam and abuse. To include this in OutSystems applications, simply install and use the reCAPTCHA Forge component. Please note that this forge component is not supported by OutSystems.
To implement multi-factor authentication, multiple methods of authentication from different categories of credentials are required to verify a user’s identity, giving a much greater level of confidence that the legitimate user is logging in. The categories of credentials include:
- Knowledge (passwords, PINs)
- Possession (OTP, ID card, SIM card)
- Inherence (retina scan, fingerprint scan)
- Location (GPS device)
- Time factors (user versus time verification)
Data Encryption at Rest
OutSystems protects your data with a number of data security controls. However, you are still responsible for developing applications that follow best practices for data security. Components like CryptoAPI help you encrypt sensitive data at the application level. Using this component you can easily achieve, for example, an Envelope Encryption Technique. Note that this Forge component is not supported by OutSystems.
OutSystems has a Computer Security Incident Response Team that you can reach out to at any time. The OutSystems Computer Security Incident Response Team (OutSystems CSIRT) is the OutSystems cyber investigation and forensics team. A part of the Information Security Office, the team provides security monitoring services to protect OutSystems from cyber attacks and the loss of its intellectual assets.