Security is relevant for GeneXus, and it is carefully considered in the development of both the generators and the components that are included (standard classes, external objects, etc.).
It should be noted that the security of a GeneXus application is not only related to the above components but also to the code that developers produce, and to the security that has been established throughout the development cycle of that solution (revisions, deployment, etc.).
Any security incidents found in the sources generated by GeneXus or the distributed components are treated with high priority.
In the event you detect a vulnerability, you can report a security incident to Support (via http://genexus.com/issuetracking) as a "vulnerability," including the version used and the steps to reproduce it.
The team in charge will look into the matter to validate the report and take the corresponding corrective action (release a fix, provide a workaround, etc.), which will depend on the case (severity, version in which the issue is reported or happens, etc.).
The corresponding fixes will be released in the next upgrade of the latest released version. If possible and necessary, they will also be released in the version/upgrade reported by the client, provided the client has a current contract and that version/upgrade is still supported.
Vulnerabilities will be made public at the time of correction but will not include exploits or risk assessments associated with their exploitation. No data on vulnerabilities of third-party products that can be integrated with GeneXus and its components will be published.
GeneXus S.A. reserves the right to disclose details to clients with up-to-date contracts when a vulnerability is detected and confirmed.
The information will be published as part of the official release notes of each product release. It will not be provided to public databases of other companies or organizations.
Go to http://genexus.com/releasenotes and filter by 'GXSEC' to get a list of security fixes and improvements.
There are many static application security testing (SAST) tools on the market that analyze code and report "findings," that is, areas of possible attack. Examples of these tools are Veracode, Fortify, etc.
These findings do not prove the existence of a certain vulnerability (although those tools may mislabel them as detected vulnerabilities); rather, they indicate that certain code is "suspected of being vulnerable." What's more, some tools can detect suspicious code that others cannot, and different executions of the same tool on the same solution can yield different results.
Information on how to process the vulnerabilities detected by these tools can be found at the following link: https://www.genexus.com/developers/websac?data=44740
GeneXus S.A. regularly runs analyzers that report this type of finding and analyzes the results. In any case, it is not possible to cover all the tools on the market, all developed solutions, and all possible cases, so what GeneXus S.A. accepts as a "report" is the report of a specific vulnerability, not a finding produced by a code analysis tool. Detected vulnerabilities are those that someone, typically a security specialist, has exploited to carry out an attack of greater or lesser severity that was nonetheless successful. As mentioned before, GeneXus S.A. acts as quickly as possible to fix them.
GeneXus S.A. recommends taking security into account throughout the development cycle and also having a specialized team to cover its different aspects.
It is also advisable to hire security specialists as advisors or to carry out ethical hacking tasks, which provide more certainty regarding the level of security of a solution.