security.outsystems.com
2606:4700::6812:582  Public Scan

URL: https://security.outsystems.com/
Submission Tags: 0xscam
Submission: On October 30 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

TRUST CENTER


OVERVIEW

Our mission at OutSystems is to give every organization the power to innovate
through software. We do this by helping organizations build software fast, right
and for the future.

A visual, model-driven development environment with industry-leading AI-based
assistance ensures apps are built in days or weeks instead of months or years.
Platform services, also with AI, provide automation that enhances the entire
application lifecycle, so apps can be deployed with a single click and managed
with unparalleled ease.

This page is an overview of OutSystems' Security and Compliance programs. Use
this site to learn more about our programs and to request access to supporting
documents.

COMPLIANCE


CSA STAR

ENS

GDPR

HIPAA

ISO 22301

ISO 27001

ISO 27001 SoA

ISO 27017

ISO 27018

ISO 9001

PCI DSS

SOC 2

TISAX

DOCUMENTS

Pentest Report

CSA STAR

ENS

HIPAA

ISO 22301

ISO 27001

ISO 27001 SoA

ISO 27017

ISO 27018

ISO 9001

PCI DSS

SOC 2

CAIQ

Cyber Insurance

Master Subscription Agreement

BC/DR

Acceptable Use Policy

Access Control Policy

Anti-Malicious Software Policy

Asset Management Policy

Backup Policy

Bring Your Own Device (BYOD) Policy

Business Continuity/Disaster Recovery (BC/DR) Policy

Data Classification Policy

Encryption Policy

Incident Response Policy

Information Management System (IMS) Policy

Information Security Policy

Other Policies

Password Policy

Physical Security Policy

Risk Assessment/Management Policy

Software Development Lifecycle Policy

Third Party Management Policy

Vulnerability Management Policy

Commitments

RISK PROFILE

Data Access Level: Internal
Impact Level: Substantial
Third Party Dependence: Yes

PRODUCT SECURITY

Audit Logging
Data Security
Integrations

REPORTS

Pentest Report

SELF-ASSESSMENTS

CAIQ

DATA SECURITY

Access Monitoring
Data Backups
Data Erasure

APP SECURITY

Responsible Disclosure
Code Analysis
Software Development Lifecycle

LEGAL

Cyber Insurance
Data Processing Agreement
Master Subscription Agreement

ACCESS CONTROL

Data Access
Logging
Password Security

INFRASTRUCTURE

Status Monitoring: All Systems Operational
Amazon Web Services
Anti-DDoS

ENDPOINT SECURITY

Disk Encryption
Endpoint Detection & Response
Mobile Device Management

NETWORK SECURITY

Firewall
IDS/IPS
Security Information and Event Management

CORPORATE SECURITY

Email Protection
Employee Training
Incident Response

POLICIES

Acceptable Use Policy
Access Control Policy
Anti-Malicious Software Policy

Trust Center Updates


RECENT SNOWFLAKE EVENTS

General

In response to Snowflake's recent security event, OutSystems conducted an
internal review and investigation in coordination with Snowflake. We did not
find any signs or evidence of a data breach impacting OutSystems or its
customers. OutSystems is continuing to monitor the situation and will continue
to investigate as new data and information become available.

Published at 06/12/2024, 1:48 PM


WEBP LIBRARY

Vulnerabilities

Last week, our engineering team released a fix to address CVE-2023-4863, an
out-of-bounds write vulnerability in the library that handles WebP files. This
affects only users of any version of the OutSystems IDE: Service Studio for O11
and ODC Studio. We encourage all users to download the updated versions of the
IDE (Service Studio 11.54.28 and ODC Studio 1.2.5), which are now available on
the OutSystems downloads page or via the ODC portal.

Published at 10/16/2023, 5:05 PM


OFFICIAL ANNOUNCEMENT REGARDING OPENSSL 3.0 VULNERABILITY ON OUTSYSTEMS

Incidents

OutSystems is aware of the recently disclosed security issues relating to
OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786).

OutSystems Cloud deployments - outsystemsenterprise.com

OutSystems is not using OpenSSL 3.0 within the OutSystems cloud environments and
therefore customers are not affected by this vulnerability. An internal scan of
code and infrastructure was performed to verify that OpenSSL 3.0 is not present.

On-Premises Deployments

.NET deployment stacks

The OutSystems platform on .NET Stack does not install or require OpenSSL 3.0.
However, customer organizations may have installed OpenSSL 3.0 in the OutSystems
platform servers for other reasons. Therefore, it is a best practice to scan the
servers where the OutSystems platform is installed for deployments of OpenSSL
3.0.

Java O10 deployment stacks

Even though the OutSystems platform does not install or require a version of
OpenSSL affected by this vulnerability, organizations may have installed OpenSSL
3.0 in the OutSystems platform servers for other reasons. Therefore, it is a
best practice to scan the servers where the OutSystems platform is installed for
versions of OpenSSL affected by the vulnerability.

Usage inside OutSystems corporate

Finally, the OutSystems corporate systems do not utilize OpenSSL 3.0. As a
security best practice, customers who manage environments containing OpenSSL 3.0
should update to the latest version, available at https://www.openssl.org/source/
or via their operating system’s software update mechanism. Our security team will
continue to monitor any developments in this situation.

Point of contact for future follow-ups:

https://success.outsystems.com/Support
https://www.outsystems.com/compliance/csirt/

Published at 11/03/2022, 8:39 AM


A MESSAGE ABOUT THE SPRING4SHELL: ZERO-DAY VULNERABILITY IN SPRING FRAMEWORK

Incidents

On March 31, 2022, Spring confirmed the zero-day vulnerability and released
Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability
affects SpringMVC and Spring WebFlux applications running on Java Development
Kit (JDK) 9+.

What does this mean for OutSystems customers?

Based on our investigation, the OutSystems platform does not appear to be
vulnerable to Spring4Shell based on how our software uses JDK 9+:

 * OutSystems 11 does not run on Java and is not affected by this vulnerability.
 * OutSystems 10 customers running on on-premise Java stacks do not appear to be
   vulnerable based on the configuration of the OutSystems Platform and how it
   uses the JDK 9+ software.

Regardless, all customers should do a thorough investigation of their on-premise
deployments to check for any vulnerable software within their stack.

What is OutSystems doing?

At OutSystems, the security of our platform and of our customers’ data is of the
utmost importance and we are doing everything we can to stay ahead of the
situation.

Our security team is monitoring the situation closely and following the
recommended guidance from Spring. We will deploy any relevant patches as soon as
they become available. At this time, we do not anticipate service disruptions as
a result of these efforts.

We will provide any relevant updates on new developments for our customers here
on the Security Portal.

More about the Spring4Shell: Zero-Day Vulnerability

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

At OutSystems, the security of our platform and the safety of our customers’
data is our top priority. For more security updates from OutSystems, please
visit: security.outsystems.com

Published at 04/05/2022, 6:17 AM

If you think you may have discovered a vulnerability, please send us a note.
