Trust Center


Overview

Our mission at OutSystems is to give every organization the power to innovate through software. We do this by helping organizations build that software fast, right and for the future. A visual, model-driven development environment with industry-leading AI-based assistance ensures apps are built in days or weeks instead of months or years. Platform services, also with AI, provide automation that enhances the entire application lifecycle, so apps can be deployed with a single click and managed with unparalleled ease.

This page is an overview of OutSystems security compliance programs. You can use it to learn more about our security compliance programs and to request access to our compliance documents.

Compliance

CSA STAR
ENS
GDPR
HIPAA
ISO 22301
ISO 27001
ISO 27001 SoA
ISO 27017
ISO 27018
ISO 9001
PCI DSS
SOC 2
TISAX
Start your security review
View & download sensitive information
HIPAA Report
Pentest Report
SOC 2 Report
CSA STAR
ENS
HIPAA
ISO 22301
ISO 27001
ISO 27001 SoA
ISO 27017
ISO 27018
ISO 9001
PCI DSS
SOC 2
CAIQ
Cyber Insurance
Master Subscription Agreement
BC/DR
Acceptable Use Policy
Access Control Policy
Anti-Malicious Software Policy
Asset Management Policy
Backup Policy
Business Continuity Policy
BYOD Policy
Data Classification Policy
Encryption Policy
General Incident Response Policy
IMS Policy
Information Security Policy
Other Policies
Password Policy
Physical Security
Risk Management Policy
Software Development Lifecycle

Risk Profile

Data Access Level: Internal
Impact Level: Substantial
Third Party Dependence: Yes

Product Security

Audit Logging
Data Security
Integrations

Reports

HIPAA Report
Pentest Report
SOC 2 Report

Self-Assessments

CAIQ

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Responsible Disclosure
Code Analysis
Software Development Lifecycle

Access Control

Data Access
Logging
Password Security

Infrastructure

Amazon Web Services
Anti-DDoS

Endpoint Security

Disk Encryption
Endpoint Detection & Response
Mobile Device Management

Network Security

Firewall
IDS/IPS
Security Information and Event Management

Corporate Security

Email Protection
Employee Training
Incident Response

Policies

Acceptable Use Policy
Access Control Policy
Anti-Malicious Software Policy

Trust Center Updates

WebP Library

Vulnerabilities

Last week, our engineering team released a fix to address CVE-2023-4863, an out-of-bounds write vulnerability in the library that handles WebP files. This affects only users of the OutSystems IDEs, in any version: Service Studio for O11 and ODC Studio. We encourage all users to download the updated versions of the IDE (Service Studio 11.54.28 and ODC Studio 1.2.5), which are now available on the OutSystems downloads page or via the ODC portal.


Official Announcement Regarding OpenSSL 3.0 Vulnerability on OutSystems

Incidents

OutSystems is aware of the recently disclosed security issue relating to OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786).

OutSystems Cloud deployments - outsystemsenterprise.com

OutSystems is not using OpenSSL 3.0 within the OutSystems cloud environments and therefore customers are not affected by this vulnerability. An internal scan of code and infrastructure was performed to verify that OpenSSL 3.0 is not present.

On-Premises Deployments

.NET deployment stacks

The OutSystems platform on .NET Stack does not install or require OpenSSL 3.0. However, customer organizations may have installed OpenSSL 3.0 in the OutSystems platform servers for other reasons. Therefore, it is a best practice to scan the servers where the OutSystems platform is installed for deployments of OpenSSL 3.0.

Java O10 deployment stacks

Even though the OutSystems platform does not install or require a version of OpenSSL affected by this vulnerability, organizations may have installed OpenSSL 3.0 in the OutSystems platform servers for other reasons. Therefore, it is a best practice to scan the servers where the OutSystems platform is installed for versions of OpenSSL affected by the vulnerability.

Usage inside OutSystems corporate

Finally, the OutSystems corporate systems do not utilize OpenSSL 3.0. As a security best practice, customers who manage environments containing OpenSSL 3.0 should update to the latest version, available at https://www.openssl.org/source/ or via their operating system’s software update mechanism. Our security team will continue to monitor any developments in this situation.

Point of contact for future follow-ups:

https://success.outsystems.com/Support
https://www.outsystems.com/compliance/csirt/

A message about the Spring4Shell: Zero-Day Vulnerability in Spring Framework

Incidents

On March 31, 2022, Spring confirmed the zero-day vulnerability and released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects Spring MVC and Spring WebFlux applications running on Java Development Kit (JDK) 9+.

What does this mean for OutSystems customers?

Based on our investigation, the OutSystems platform does not appear to be vulnerable to Spring4Shell, given how our software uses JDK 9+.

  • OutSystems 11 does not run on Java and is not affected by this vulnerability.
  • OutSystems 10 customers running on on-premise Java stacks do not appear to be vulnerable based on the configuration of the OutSystems Platform and how it uses the JDK 9+ software.

Regardless, all customers should do a thorough investigation of their on-premise deployments to check for any vulnerable software within their stack.

What is OutSystems doing?

At OutSystems, the security of our platform and of our customers’ data is of the utmost importance and we are doing everything we can to stay ahead of the situation.

Our security team is monitoring the situation closely and following the recommended guidance from Spring. We will deploy any relevant patches as soon as they become available. At this time, we do not anticipate service disruptions as a result of these efforts.

We will provide any relevant updates on new developments for our customers here on the Security Portal.

More about the Spring4Shell: Zero-Day Vulnerability

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

At OutSystems, the security of our platform and the safety of our customers’ data is our top priority. For more security updates from OutSystems, please visit: security.outsystems.com


If you think you may have discovered a vulnerability, please send us a note.
