Nobody Told Me Securing APIs Was My Problem in OutSystems

https://hackernoon.imgix.net/images/j0n8ividZ0RZ3rXBoG2pZPkHLLr2-rs83bw8.gif

I have been developing enterprise applications with OutSystems for several years already. Long enough to be critical. Long enough to be sure that some mistakes will not be repeated again. And long enough to know that the most dangerous belief you can take into a project is that OutSystems takes care of your application's security. It doesn't. At least not always. And when it comes to APIs, this issue can become especially acute.

Let me share with you the experience I had to deal with while reviewing an application. This was a large enterprise-level organization with its own IT security department, compliance checks, and everything else that follows the name. The application was already running in production for a while, and it seemed fine at first glance. Then I decided to look into the exposed REST APIs and found a particular API open for everybody to use. Without any authentication...

Copyright of this story solely belongs to hackernoon.com. To see the full text click HERE

Read more