Cost and Time Savings Achieved, Security Posture Strengthened Using AWS Shield Advanced with OutSystems

OutSystems provides a high-performance, low-code application development platform that helps its customers develop applications quickly with minimal coding knowledge. Founded in 2001 in Portugal, OutSystems has become a global software vendor that supports 13 AWS Regions with offices around the world.

Recognized by Gartner in 2021 as a leader in enterprise low-code application development platforms, OutSystems supports customers in a variety of industries, including customers managing business-to-business applications, business-to-employee applications, and business-to-consumer applications. Its customers’ applications have different usages and traffic patterns depending on the use case, making it challenging for OutSystems to manage the wide range of behaviors and security postures. Prior to using AWS services for a security solution, OutSystems supported two customers with their own custom security protection solution. However, this solution required a significant amount of manual effort from the company and didn’t offer protection at scale. Starting in 2020, OutSystems implemented a security solution using Firewall Manager, Shield Advanced, and AWS WAF—which helps protect web applications from common web exploits—to meet the varying needs of its customers because it had already built its application development platform using AWS services. “It was a natural choice for us because our product runs natively on AWS, and we have experience with it internally, so we could implement the security solution with less overhead,” says Igor Antunes, head of security architecture at OutSystems.

The security solution for OutSystems needed to support the complexity and large scale required by its customers. The company manages a large and growing number of application load balancers—over 4,000 as of 2022—and serves thousands of applications across all load balancers. To protect its customers across multiple geographic regions, OutSystems uses AWS WAF. “Using AWS services, we can manage the security posture of all customers from a central place by deploying rules that are specific to our technology and blocking malicious events,” says Antunes. “We also have the granularity to address very specific challenges.” Using Firewall Manager, OutSystems can define rules while leaving room for local configuration options based on a country’s regulations or a company’s policies. For example, OutSystems can support configurations related to geo-blocking for individual customers in a specific environment while relying on a basic rule set for configurations that don’t vary across customers.

Using AWS services, OutSystems achieved significant time savings so that the company could reallocate resources to other projects. “Previously, an analyst and an operator would have to create the local WAF and deploy the rules with the solution when reacting to an event,” says Antunes. “Using AWS, we reduced 2 hours of work to less than 5 minutes.” This saved time is particularly impactful with the company’s ever-growing number of WAFs because it would be unsustainable to change rules manually for all the WAFs or to adapt the rules to a set of customers. If a cyber issue occurs, OutSystems can resolve it quickly because AWS Shield Advanced also provides early detection of possible distributed denial of service attacks and tight collaboration with the AWS response team.

OutSystems reduced its costs by 88 percent per month by upgrading to Shield Advanced. The company gains these significant cost savings on an ongoing basis despite its scale because it no longer needs to pay for each WAF or rule. “Using AWS Shield Advanced and AWS Firewall Manager, we pay a fixed rate and get as much protection as we need,” says Antunes.

When deploying the security solution, OutSystems also saved on implementation costs compared with the cost of a solution from another vendor because the company didn’t need to obtain additional resources or capacity above what it was already using internally. Additionally, by using the infrastructure of Firewall Manager for the deployment of its solution, OutSystems could focus on its own product instead of designing its security solution from scratch. Throughout the process, OutSystems received support from the teams at AWS to manage the complexity of the solution. For example, when OutSystems exceeded AWS limits of internal APIs because of the scale of its security solution, the AWS WAF and Firewall Manager teams worked alongside the company to troubleshoot. “The teams at AWS were always available to work with us and provide guidance on the best practices for deploying this solution,” says Antunes.

When deploying its security solution, OutSystems worked closely alongside AWS teams to address challenges and meet customer needs. OutSystems plans to continue implementing additional capabilities of AWS Firewall Manager to fine-tune its security solution and better protect its customers. “Throughout the full lifecycle, from the inception of an idea until the end, we always used AWS to get the right support at the right time,” says Antunes.