Compliance and vulnerability scanning
- Updated: 2024/09/05
Compliance and vulnerability scanning
Review details about Automation Anywhere compliance and vulnerability scanning.
Secure software development life cycle (S-SDLC)
Automation Anywhere has implemented a development security plan and protocol that defines a specific depth of testing and evaluation to be done by the Engineering team on each release, conforming with best practices as defined by NIST SA-11 Developer Security Testing and Evaluation and NIST SA-15, Development Process, Standards, and Tools. This plan has been documented and shared with the Automation Anywhere Engineering teams.
Static vulnerability scanning
During the development process and before every release, all Automation Anywhere software is scanned for flaws using the Veracode tool. Automation Anywhere Enterprise meets the requirements for the strictest security policy available in the tool, Veracode Level 5, which is defined as no Very High, High, or Medium severity vulnerabilities. Analysis reports are available with each release.
Dependency analysis
Automation Anywhere uses Black Duck for scanning and reporting vulnerable Open-Source Software (OSS) components (libraries and dependencies) in our products as part of a secure SDLC process. As part of our release process, Black Duck will scan code for known vulnerabilities. All identified and outdated components will be updated with the most recent versions as and when they are made available.
Any vulnerabilities qualified as Critical or High are mitigated before the release enters production. The vulnerabilities qualified as Medium are triaged and analyzed for applicability. If determined to be applicable, such vulnerabilities are fixed in the subsequent releases. Lastly, vulnerabilities qualified as Low are fixed on a case-by-case basis.
Our IT best practices, in adherence to our security guidelines, function as an added layer of compensating controls (as part of defense in-depth strategy) and would generally mitigate security vulnerabilities qualified as Low.
Penetration testing
- Automation Anywhere gets a penetration (PEN) test performed by a third-party
external vendor for detecting security vulnerabilities in the product at
least once a year. The frequency of the penetration test can be performed
more than one time in a year and depends on the scope and product design
changes.
Automation Anywhere publishes the test report and summary of the observation status on the Automation Anywhere compliance portal. See Compliance Portal.
- Automation Anywhere does internal penetration test of the product for every release by in-house security penetration experts to keep a track of the security risk in the product.