Bot Security Program – Level 2 Self-Attestation Checklist

Use this checklist to confirm your bots meet the criteria for a Level 2 badge on Bot Store. It is the responsibility of the bot developer to ensure each of their bots complies with all of the items listed below.

  • Authentication mechanisms must be secure in proportion to the risk, obey applicable standards, and be well documented. Stronger authentication must be implemented where the risk is greater.
  • Authorization requirements for bots must obey the Principle of Least Privilege and be fully documented in a table listing each asset, each role, and the associated privileges for each of them.
  • Network access must use industry standard security (i.e., TLS 1.2 or above), and domains/endpoints must be validated against a whitelist of permitted domains/endpoints.
  • Document and implement whitelisted directories for file access.
  • The bot does not have any hidden functionalities that are not documented.
  • All untrusted input must be validated before being used. Implement a centralized input validation routine to ensure consistent processing and ease of maintenance.
  • Implement output encoding based on the context of where the data will be used.
  • Authentication and authorization failures must fail securely (no access) and produce well-defined and documented exceptions.
  • All exceptions must be handled with a clear definition of the errors encountered.
  • If the bot uses any resource, such as desktop software or a remote website, it must be clearly defined and documented.
  • Errors and exceptions must not leak details of the system. Provide general error messages to the user while securely logging the details for use by tech support or other authorized personnel.
  • Authentication and session management practices used in the bot must not violate industry standard expiration best practices for authentication credentials and session identifiers.
  • Cryptographic capabilities used by the bot must only use publicly-vetted, established algorithms and standards consistent with industry best practices.
  • Bot network and resource access must not use “hidden URLs” and/or undocumented redirectors.
  • Software developers undergo software security development and testing training on a regular basis to ensure they have up-to-date knowledge and skills to build secure bots.
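
One way to implement the network access item above (TLS 1.2 or above, endpoints validated against a whitelist), as an added Python example that is not part of the original checklist or of Bot Store. The allowlist entries, function names and exception class are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

# Constructed allowlist: the (hostname, port) pairs the bot is documented to reach.
ALLOWED_ENDPOINTS = {
    ("api.example.com", 443),
    ("files.example.com", 8443),
}


class EndpointNotAllowed(Exception):
    """Raised for any URL outside the documented allowlist (hypothetical name)."""


def check_endpoint(url: str) -> tuple[str, int]:
    """Return the normalized (host, port) if url is https and allowlisted, else raise."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise EndpointNotAllowed("malformed URL") from exc
    if parts.scheme != "https":
        raise EndpointNotAllowed("scheme is not https")
    # "https://allowed-host@other-host/" parses with other-host as the real host.
    if parts.username is not None or parts.password is not None:
        raise EndpointNotAllowed("credentials in URL")
    host = (parts.hostname or "").rstrip(".").lower()
    if port is None:
        port = 443
    # Exact match only: suffix or substring matching would let
    # "api.example.com.other.test" through.
    if (host, port) not in ALLOWED_ENDPOINTS:
        raise EndpointNotAllowed("endpoint not on allowlist")
    return host, port


def is_allowed(url: str) -> bool:
    """Fail closed: any rejection reason means no access."""
    try:
        check_endpoint(url)
        return True
    except EndpointNotAllowed:
        return False


def tls_context() -> ssl.SSLContext:
    """Client context with certificate and hostname checks on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Connect to the host and port that `check_endpoint` returns rather than re-parsing the original string, and pass `tls_context()` to the HTTP client so the protocol floor applies to every request.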