Automation Anywhere has implemented a Secure Software Development Life Cycle (SSDLC) framework for developing and delivering Automation 360 and its entire suite of AI-combined-with-automation software products and solutions for its customers.

Scope

This document defines and lists the design checks, tools and processes that have been integrated into the software development life cycle methodology. These support the timely identification and resolution of various types of security threats and vulnerabilities on a continuous basis.

The Automation 360 suite of applications, product modules, third-party open source software components, libraries and packages that are either developed, released, delivered, managed, supported or owned by Automation Anywhere are within the scope of the policy.

Policy

The following three phases are a part of the Secure SDLC (Software Development Life Cycle) policy:

1. Requirements and security design phase

During the initial requirement gathering and prototype design phase, a security threat model and architectural review is performed based on the use cases and data flows, so that various security, privacy and compliance risks are identified early in the process for timely mitigation prior to the release.

2. Secure development phase

During the development phase, two types of vulnerability checks are performed on a continuous basis.

  • Static Application Security Testing (SAST) for analysis of Automation Anywhere developed code

    Automation Anywhere utilizes the Veracode® Static Analysis (SAST) code scanner to continuously assess software vulnerabilities in our product as part of the SSDLC process. All critical, high, and medium severity vulnerabilities must be resolved or mitigated, and a Veracode verified status of Veracode Level 5 must be achieved, before every product release. Low severity vulnerabilities are assessed and analyzed for applicability and, if determined to be applicable, are fixed in subsequent releases on a case-by-case basis. This report will be available under a similar heading, such as Veracode Reports, on the Apeople page and in the compliance portal for every On-Premises and Cloud product release.

  • Open Source Software scanning and dependency analysis

    For vulnerability assessment of the open source software components used in the product, we use the Black Duck® vulnerability scanner. This report will be available under a similar heading, such as OSS Reports, in the compliance portal. We fix vulnerabilities marked high and critical before the release of the product, and medium severity vulnerabilities are fixed in subsequent releases. Low severity vulnerabilities are assessed and analyzed for applicability and, if determined to be applicable, are fixed in a subsequent release on a case-by-case basis. This vulnerability report is available in the compliance portal for every On-Premises and Cloud product release.

Additionally, for Cloud-based releases hosted on Automation Anywhere Software as a Service (SaaS) instances, all product containers are scanned on a continuous basis to identify, track and resolve all critical and high severity vulnerabilities.

3. Security testing phase

During every release, a Dynamic Application Security Testing (DAST) scan, followed by various other penetration tests based on the Open Worldwide Application Security Project (OWASP) framework checklists, is conducted to regularly identify, assess, and resolve vulnerabilities on the latest release builds. As per the release policy, all critical and high severity findings must be mitigated or resolved before the release, while medium and low severity findings are resolved in a subsequent release within the SLA (service-level agreement). Automation Anywhere conducts the DAST scan internally as part of the product verification and validation process.

The following steps help Automation Anywhere conduct a thorough and systematic security assessment of the application to identify vulnerabilities, evaluate their potential impact, and provide a structured response for remediation.
  1. Automation Anywhere engages a third-party application security consultant to conduct an independent penetration testing exercise on the latest released and deployed version of the applications. This testing is performed once a year.
  2. After the penetration test is completed, the identified findings are assessed and validated by Automation Anywhere.
  3. The actual severity of the risks is determined by Automation Anywhere using a series of triage conditions. These conditions are based on industry-standard rankings and frameworks, such as the Common Vulnerability Scoring System (CVSS), and take into account the probability of exploitation.
  4. After the severity ratings are established, the original penetration testing report is posted in the compliance portal. Along with the report, Automation Anywhere provides an explanation of the findings and timelines for addressing the identified issues, on a case-by-case basis in the form of a report.