All bots and Digital Workers on the Bot Store have been scanned for malware using a third-party anti-virus engine.
In addition, the source code of select bots and Digital Workers has been reviewed internally against a set of security checks for certain classes of software vulnerability. Bots and Digital Workers that have gone through this additional review include a note and a link to this page in their listing.
The list of additional security checks is below. Each check corresponds to a vulnerability category identified by the Open Web Application Security Project (OWASP), a not-for-profit organization focused on improving the security of software. Each OWASP category listed below maps to one or more entries in the Common Weakness Enumeration (CWE), a catalog of software weakness types that can be introduced during development, maintained by MITRE, a non-profit research and development organization.
Customers should conduct their own security reviews for paid bots to ensure compliance with their internal policies.
List of Security Checks Reviewed
| OWASP Issue | Description | Corresponding CWEs |
|---|---|---|
| A1: Injection | Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter. | |
| A2: Broken Authentication | Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute-force tools, and dictionary-attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens. | |
| A3: Sensitive Data Exposure | Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear-text data off the server, while in transit, or from the user's client (e.g. the browser). A manual attack is generally required. Previously retrieved password databases can be brute-forced using Graphics Processing Units (GPUs). | |
| A5: Broken Access Control | Exploitation of access control is a core skill of attackers. SAST and DAST (static and dynamic application security testing) tools can detect the absence of access control but cannot verify that it is functional when it is present. Access control flaws are detectable by manual means, or possibly through automation for the absence of access controls in certain frameworks. | |
| A6: Security Misconfiguration | Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc., to gain unauthorized access to or knowledge of the system. | |
| A9: Using Components with Known Vulnerabilities | While it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require concentrated effort to develop a custom exploit. | |
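The A1 row above describes the mechanism in one sentence: hostile data reaches an interpreter as code. The following is an added illustration, written for this page and not code from the Bot Store or from any listed bot or Digital Worker; it shows a query built by string concatenation (the flaw a source review looks for) next to the parameterized form that a reviewed bot would be expected to use. The table name, column names, sample rows and the hostile input are all constructed for the example.

```python
"""Added example (not Bot Store or bot code): the A1 Injection flaw shown as a
vulnerable SQL query builder beside its parameterized fix, run against a
constructed in-memory SQLite table so it executes offline."""
import sqlite3

# Constructed sample data for the example; not taken from any real bot.
SAMPLE_ROWS = [
    ("alice", "finance"),
    ("bob", "hr"),
    ("carol", "finance"),
]

# A hostile value of the kind the table describes: data that the interpreter
# will read as SQL if it is concatenated into the statement text.
HOSTILE_NAME = "x' OR '1'='1"


def make_db():
    """Create the hypothetical employees table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation. The caller's input becomes
    part of the SQL text, so a quote in the input changes the query's logic."""
    sql = "SELECT name, dept FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter. The driver passes the value separately
    from the statement text, so it is compared as data and never parsed as SQL."""
    sql = "SELECT name, dept FROM employees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with the hostile input and a normal input.

    Returns (rows leaked by the vulnerable lookup, rows returned by the
    parameterized lookup for the same hostile input, rows for a normal name).
    """
    conn = make_db()
    leaked = lookup_vulnerable(conn, HOSTILE_NAME)    # WHERE ... OR '1'='1' matches every row
    safe = lookup_parameterized(conn, HOSTILE_NAME)   # no employee is literally named x' OR '1'='1
    normal = lookup_parameterized(conn, "alice")      # the fix still answers ordinary queries
    return len(leaked), len(safe), normal


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns every row for the hostile input because the concatenated text becomes `WHERE name = 'x' OR '1'='1'`; the parameterized function returns none, because the whole string is compared as a single value. When reviewing bot source, the pattern to flag is any statement, command line or script text assembled from external input by concatenation or formatting, regardless of which interpreter ultimately runs it.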