About Bot Security
What is Bot Security?
Bot Security from Automation Anywhere is setting the standard for bot security with the RPA industry’s first and only security framework for bots. All bots, including those built in-house or procured from Bot Store, can now be deployed reliably with secure bot development practices in alignment with prevailing Confidentiality, Integrity, and Availability (CIA) cybersecurity principles and best practices. Bot Security encompasses four (4) progressive levels of security verification, which include developer certification.
- Level 1 – Malware Scan (all bots published on Bot Store have this designation)
- Level 2 – Developer Training & Self-Attestation
- Level 3 – Threat Model and Static Analysis
- Level 4 – Penetration Testing
How does Bot Security benefit RPA customers?
Bot Security enables customers to clear internal deployment and adoption hurdles by demonstrating a comprehensive bot security framework which meets the strictest of security requirements. Bots deployed from Bot Store are verified as secure through this framework. Bot Security training and participation in the Secure Bot Developers Guild is available to customers’ in-house development teams with the intention of enabling successful deployment and reuse of bots built on the Automation Anywhere platform, advancing industrywide secure bot development practices, and expanding the secure bot ecosystem.
How does Bot Security benefit Bot Store vendors?
Bot Security further empowers Bot Store vendors to build a recurring revenue stream via:
- Differentiation – Through Secure Bot Developer certification and security level designations of your bots, establish your enhanced security posture over competing bots, applications or developers.
- Value to Customer – Demonstrate your secure bot development expertise to customers with strict security requirements and who require this validation when making purchase decisions.
- Increased Sales – Developing security certified bots gives your bots exposure to more potential customers, in particular those with the most stringent security requirements.
How does Bot Security benefit Automation Anywhere partners?
All partners who provide value-added services using the Automation Anywhere platform are subject to cybersecurity review by customers’ InfoSec teams. Bot Security enables our partners to exceed customer expectations, speed time to value and fulfill SLAs via:
- Free Secure Coding Training – Train your development teams to deliver services that incorporate secure bot development practices with a cost-effective learning path.
- Reduce Time to Client InfoSec Approval – The structure of our Bot Security program and our partnerships with cybersecurity vendors enable partners to cut the time and cost of security review in half.
- DevSecOps – Get expert guidance throughout the Secure Bot Developer certification process in order to ensure implementation of secure coding practices in an integrated and automated way.
- Secure Bot Developers Guild – Gain access to thought leadership from our internal cybersecurity experts, customer security experts, and other secure bot developers, as well as a knowledge base of issues and solutions, plus exclusive webinars and events designed to keep guild members up to date on secure development best practices.
Training and Certification
What is Secure Bot Developer certification?
In order to achieve Level 2 Bot Security verification, completion of the Secure Bot Developer learning path is required. The learning path also trains developers on concepts and components of Level 3 and Level 4. If a developer implements what is taught and tested in the learning path, the Level 3 and Level 4 verification of their bot should be relatively easy.
Secure Bot Developer certification is achieved through an Automation Anywhere University learning path that includes three training courses and a corresponding test for each course.
- Course #1: Secure Bot Design
- Course #2: Secure Bot Development
- Course #3: Secure Bot Deployment
Graduates of the learning path will obtain the Automation Anywhere Secure Bot Developer certification and be invited to join the Secure Bot Developers Guild.
Who is eligible for Secure Bot Developer certification?
Certification is open to the public via the Automation Anywhere University learning path.
Does Secure Bot Developer certification expire?
The Secure Bot Developer certification is valid for three (3) years after which re-certification will be required.
Bot Security Guild
What is the Bot Security Guild?
Gain access to thought leadership from our internal cybersecurity experts, customer security experts, and other secure bot developers, as well as a knowledge base of issues and solutions, plus exclusive webinars and events designed to keep guild members up to date on secure development best practices.
Who is eligible for the Bot Security Guild?
Those who receive the Automation Anywhere Secure Bot Developer certification by successfully completing the learning path on Automation Anywhere University are eligible, as are industry experts on Application Security.
What is the Code of Conduct for the A-people private ‘Secure Bot Developers Guild’ group?
- Stay on topic – related to RPA and bot security.
- Keep it clean – no spam, inappropriate or offensive comments, or harassment.
- Avoid using the Guild for marketing and self-promotion.
- Be honest and accurate.
- Use only original content.
- Respect your privacy and the privacy of others.
- If you have a suggestion on how to improve the Guild, please mail us at botsecurity@automationanywhere.com
- Help us look after the Guild – report any issues to our Guild moderators.
More About the Details
Is Bot Security verification per bot?
Yes, verification is done at the bot level.
- Level 1 is a malware scan of the bot, so verification is at the bot level.
- Level 2 includes vendor (developer) certification and bot level verification via self-attestation by the developer.
- Level 3 and Level 4 are at the bot level and include validation and reports provided by our cybersecurity vendor partner.
Digital Workers are essentially ATMX files and MBOTs packaged together with a master ATMX file. Once the files are packaged together in this way, they will be considered a single unit for the purposes of Bot Security, and they will have to be re-verified.
What is the difference between certification and verification?
Verification is applicable to bots and Digital Workers.
Certification is specific to vendors (developers) and the training that must be undertaken in order to become Secure Bot Developer certified.
What is the process for submitting a bot or Digital Worker for Bot Security verification? Is code submitted to Automation Anywhere?
To submit a bot or Digital Worker for Bot Security verification or for more details about Bot Security, please contact botsecurity@automationanywhere.com.
We will guide you through the process. For Level 3 and Level 4 security verification, the bot submission package will be shared by bot vendors directly with our cybersecurity vendor partners for review. For purposes of verification, the package is not submitted to Bot Store or Automation Anywhere. Once the verification process is complete, the bot or Digital Worker will be uploaded as part of the usual submission process for Bot Store.
How does Self-Attestation work?
Self-attestation is another component of Bot Security Level 2. Self-attestation requires a bot developer to affirmatively attest during the Level 2 review process that the following is true:
- The bot was developed by Secure Bot Developer certified developers.
- The bot was developed using application security best practices as defined by the Bot Security framework.
No third-party tools are used for self-attestation.
I have a bot that I want to publish on Bot Store. Can my bot obtain a Level 4 Bot Security verification without obtaining Levels 1 or 2 or 3?
No, the Bot Security framework is cumulative by design. Each level supports the proceeding level in terms of verification and is designed to maximize the return on investment for secure bot development teams.
Under what circumstances does a bot or Digital Worker require re-verification?
A bot or Digital Worker that has previously received Bot Security verification must be submitted for re-verification whenever a material change has been made, for example when new functionality has been introduced, when existing functionality has been substantially modified, and/or when a brand new dependency has been introduced. The need for re-verification will be determined upon review of the bot or Digital Worker when a Bot Store vendor submits the new or updated files for publishing to Bot Store.
What is the process for re-verification?
For more details on Bot Security re-verification, please contact botsecurity@automationanywhere.com.
What is the cost of Bot Security verification for bot vendors?
Level 1 and Level 2 are available at no cost.
There is a cost to Bot Store vendors for Level 3 and Level 4. The cost is set by our security vendor partners, and is subject to change based on the complexity of the bot or Digital Worker, and the amount of time required to complete the security review.