Additional Security Measures for Select Bots and Digital Workers

 

All bots and Digital Workers on the Bot Store have been scanned for malware using a third-party anti-virus engine.

In addition, the source code for select bots and Digital Workers has been reviewed internally against a set of security checks for certain software vulnerabilities. Bots and Digital Workers that have gone through this additional set of security checks include a note and a link to this page.

The list of additional security checks reviewed is below. These checks correspond to certain software vulnerabilities identified by the Open Web Application Security Project (OWASP), a not-for-profit organization focused on improving the security of software. Each of the OWASP issues below corresponds to certain items in the Common Weakness Enumeration (CWE), a list of software security vulnerabilities that can occur in software development, provided by MITRE, a non-profit research and development group.

Customers should conduct their own security reviews for paid bots to ensure compliance with their internal policies.

List of Security Checks Reviewed

A1: Injection
Description: Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.
Corresponding CWEs:
  • CWE-78: Improper Neutralization of Special Elements Used in an OS Command (‘OS Command Injection’)
  • CWE-89: SQL Injection
  • CWE-94: Code Injection
  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-494: Download of Code Without Integrity Check
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

A2: Broken Authentication
Description: Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.
Corresponding CWEs:
  • CWE-306: Missing Authentication for Critical Function
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-798: Use of Hard-coded Credentials
  • CWE-807: Reliance on Untrusted Inputs in a Security Decision
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization

A3: Sensitive Data Exposure
Description: Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).
Corresponding CWEs:
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-319: Cleartext Transmission of Sensitive Information

A5: Broken Access Control
Description: Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks.
Corresponding CWEs:
  • CWE-73: External Control of File Name or Path
  • CWE-285: Improper Authorization

A6: Security Misconfiguration
Description: Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc., to gain unauthorized access or knowledge of the system.
Corresponding CWEs:
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-676: Use of Potentially Dangerous Function
  • CWE-732: Incorrect Permission Assignment for Critical Resource

A9: Using Components with Known Vulnerabilities
Description: While it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require concentrated effort to develop a custom exploit.
Corresponding CWEs:
  • CWE-190: Integer Overflow or Wraparound
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-759: Use of a One-way Hash Without a Salt