Secure software development life cycle (S-SDLC)

Automation Anywhere has implemented a development security plan and protocol that defines a specific depth of testing/evaluation to be done by the Engineering team on each release, conforming with best practices as defined by NIST SA-11 Developer Security Testing and Evaluation and NIST SA-15, Development Process, Standards, and Tools. This plan has been documented and shared with the Automation Anywhere Engineering teams.

Veracode vulnerability scanning for static and dynamic code analysis

In each weekly build, during the development process and before every release, all Automation Anywhere software is scanned for flaws using the Veracode tool. Automation Anywhere Enterprise meets the requirements for the strictest security policy available in the tool, Veracode Level 5, which is defined as no Very High, High, or Medium severity vulnerabilities. Analysis reports are available with each release.

Dependency analysis

In each weekly build, during the development process and before every release, all of the third-party libraries and dependencies in Automation Anywhere software are scanned for known vulnerabilities using the Black Duck tool. Automation Anywhere upgrades vulnerable libraries when new versions become available. Analysis reports are available with each release.

All Critical/High vulnerabilities are fixed for each release. Medium vulnerabilities will be considered for fixes in future releases depending on the scope of the Automation Anywhere releases. The list of OSS used by the application is published for each release.

Penetration testing

Automation Anywhere does a penetration test through a third-party vendor before each major release. Additionally, Automation Anywhere incorporates the feedback from penetration tests conducted by customers, which includes some of the largest financial institutions in the world. Analysis reports are available with each release.