Review details about Automation Anywhere compliance and vulnerability scanning.
Secure software development life cycle (S-SDLC)
Automation Anywhere has implemented a development security plan and protocol that defines a specific depth of testing and evaluation to be performed by the Engineering team on each release, conforming to best practices as defined by NIST SA-11, Developer Security Testing and Evaluation, and NIST SA-15, Development Process, Standards, and Tools. This plan has been documented and shared with the Automation Anywhere Engineering teams.
Veracode vulnerability scanning for static and dynamic code analysis
In each weekly build, during the development process and before every release, all Automation Anywhere software is scanned for flaws using the Veracode tool. Automation Anywhere Enterprise meets the requirements for the strictest security policy available in the tool, Veracode Level 5, which is defined as no Very High, High, or Medium severity vulnerabilities. Analysis reports are available with each release.
Dependency analysis
In each weekly build, during the development process and before every release, all of the third-party libraries and dependencies in Automation Anywhere software are scanned for known vulnerabilities using the Black Duck tool. Automation Anywhere upgrades vulnerable libraries when new versions become available. Analysis reports are available with each release.

All Critical and High vulnerabilities are fixed for each release. Medium vulnerabilities are considered for fixes in future releases, depending on the scope of each Automation Anywhere release. The list of open-source software (OSS) used by the application is published for each release.
Penetration testing
Automation Anywhere commissions a penetration test from a third-party vendor before each major release. Additionally, Automation Anywhere incorporates the feedback from penetration tests conducted by customers, which include some of the largest financial institutions in the world. Analysis reports are available with each release.