Compliance and vulnerability scanning

Review details about Automation Anywhere compliance and vulnerability scanning.

Secure software development life cycle (S-SDLC)

Automation Anywhere has implemented a development security plan and protocol that defines a specific depth of testing and evaluation to be performed by the Engineering team on each release, conforming to best practices as defined by NIST SA-11, Developer Security Testing and Evaluation, and NIST SA-15, Development Process, Standards, and Tools. This plan has been documented and shared with the Automation Anywhere Engineering teams.

Static vulnerability scanning

During the development process and before every release, all Automation Anywhere software is scanned for flaws using the Veracode tool. Automation Anywhere Enterprise meets the requirements for the strictest security policy available in the tool, Veracode Level 5, which is defined as no Very High, High, or Medium severity vulnerabilities. Analysis reports are available with each release.

Dependency analysis

Automation Anywhere uses Black Duck to scan for and report vulnerable Open-Source Software (OSS) components (libraries and dependencies) in its products as part of a secure SDLC process. As part of the release process, Black Duck scans the code for known vulnerabilities. All identified vulnerable and outdated components are updated to the most recent versions as and when those versions become available.

Any vulnerabilities qualified as Critical or High are mitigated before the release enters production. The vulnerabilities qualified as Medium are triaged and analyzed for applicability. If determined to be applicable, such vulnerabilities are fixed in the subsequent releases. Lastly, vulnerabilities qualified as Low are fixed on a case-by-case basis.

Our IT best practices, in adherence to our security guidelines, function as an added layer of compensating controls (as part of a defense-in-depth strategy) and would generally mitigate security vulnerabilities qualified as Low.

Penetration testing

  • Automation Anywhere has a penetration (PEN) test performed by a third-party external vendor at least once a year to detect security vulnerabilities in the product. Penetration tests may be performed more than once a year, depending on the scope and on product design changes.

    Automation Anywhere publishes the test report and summary of the observation status on the Automation Anywhere compliance portal. See Compliance Portal.

  • Automation Anywhere performs an internal penetration test of the product for every release, using in-house security penetration experts, to keep track of the security risk in the product.

Note: The Compliance Portal includes Static Application Security Testing (SAST) reports from Veracode and Open-Source Software (OSS) reports from Black Duck, while vendor penetration test reports are classified as Dynamic Application Security Testing (DAST) reports.