
Marketplace User Guide

Last updated Sep 5, 2024

Gold Certified

This level includes all the content, security, and functionality requirements of the Silver Certified level. In addition, the listing must pass each of the requirements listed below. If issues are found at any step, the Marketplace Partner is required to fix them and explain any discrepancies.

Once all of the requirements are met, the listing will receive the Gold Certified badge which will be visible on the listing’s page.

Obtaining this level of certification takes up to two additional weeks.

Malware Analysis

We check the submission against multiple antivirus engines and ensure that the listing artifacts are unpacked and evaluated through deep file analysis. This analysis is integrated with file reputation services that provide in-depth context and threat classification for over 8 billion files of all file types.

This step offers protection against potential malware and viruses.

Vulnerabilities in 3rd Party Dependencies

Regardless of its type, a listing usually contains dependencies that may carry security vulnerabilities.

This stage helps identify and solve possible security issues that often arise when using third-party dependencies.

A few of the possible issues that may be solved through this stage include:

  • Vulnerabilities and similar security issues present in one or more of the attached dependencies;
  • Incompatibility between the license used by some of the dependencies and the license you selected for the listing.

Since the security of the listing is dependent on the security of every dependency used, in case there are issues with any of the items above, the certification will not be granted until these are solved.
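The two checks described above (known vulnerabilities in a dependency's version, and a dependency license that conflicts with the listing's license) can be run by a partner before submitting. The script below is an added illustration, not UiPath's own tooling; the package names, advisories (marked CVE-PLACEHOLDER), dependency list and the license compatibility rule are all constructed for the example.

```python
"""Pre-submission dependency check (illustrative, not UiPath tooling).

Flags (1) dependencies whose version falls inside a known-vulnerable range
and (2) dependency licenses that conflict with the license chosen for the
listing. All data below is constructed for the example.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); missing components count as 0, so '1.2' == '1.2.0'.
    Non-numeric suffixes such as '4-beta' are stripped (assumption for the example)."""
    nums = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit()) or "0"
        nums.append(int(digits))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


@dataclass
class Dependency:
    name: str
    version: str
    license: str


@dataclass
class Advisory:
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet
    cve: str


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """True when dep.version lies in [introduced, fixed) for the same package."""
    if dep.name.lower() != adv.package.lower():
        return False
    v = parse_version(dep.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


# Constructed rule: a copyleft dependency is treated as incompatible with a
# non-copyleft listing license. Real license review is more nuanced.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}


def license_conflict(listing_license: str, dep_license: str) -> bool:
    return dep_license in COPYLEFT and listing_license not in COPYLEFT


def check_dependencies(deps, advisories, listing_license):
    """Return one human-readable finding per vulnerability or license conflict."""
    findings = []
    for dep in deps:
        for adv in advisories:
            if is_affected(dep, adv):
                fix = adv.fixed or "no fix yet"
                findings.append(f"{dep.name} {dep.version}: {adv.cve} (fixed in {fix})")
        if license_conflict(listing_license, dep.license):
            findings.append(
                f"{dep.name} {dep.version}: license {dep.license} "
                f"conflicts with listing license {listing_license}"
            )
    return findings


# Constructed sample data: package names and CVE ids are placeholders.
SAMPLE_DEPS = [
    Dependency("Example.Json", "12.0.3", "MIT"),        # inside a vulnerable range
    Dependency("Example.Http", "4.3.4", "Apache-2.0"),  # exactly the fixed version
    Dependency("Example.Pdf", "2.1.0", "AGPL-3.0"),     # copyleft in an MIT listing
]
SAMPLE_ADVISORIES = [
    Advisory("Example.Json", "9.0.0", "13.0.1", "CVE-PLACEHOLDER-0001"),
    Advisory("Example.Http", "4.0.0", "4.3.4", "CVE-PLACEHOLDER-0002"),
]


def run_sample():
    return check_dependencies(SAMPLE_DEPS, SAMPLE_ADVISORIES, "MIT")


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Version ranges are compared numerically rather than as strings so that, for instance, 4.3.4 is correctly recognised as the fixed version and 12.0.3 as still vulnerable; a real run would replace the constructed advisory list with a feed from the dependency ecosystem's advisory database.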

Static Code Analysis

To catch vulnerabilities or malicious source code, we also run a comprehensive series of static code checks against the code and build artifacts behind the submission.

A wide range of issues can be detected at this stage. As in the previous step, we look both for flaws in the source code itself and for exploitable vulnerabilities.

You will need to remediate the vulnerabilities detected so that logic flaws, incorrect data handling, incorrect configurations, and similar behavior cannot be exploited by a malicious actor.

Through this step we verify that listings are protected against the threat classes covered by, among others, the following standards:

  • CWE Top 25;
  • OWASP Top 10;
  • Other similar industry standards and threat models.

During this step, security checks are performed, where applicable, for the following categories:

  • API Abuse;
  • Authentication Issues;
  • Authorization Issues;
  • Buffer Management Errors;
  • Code Injection;
  • Code Quality;
  • Command or Argument Injection;
  • Credentials Management;
  • CRLF Injection;
  • Cross-Site Scripting (XSS);
  • Cryptographic Issues;
  • Dangerous Functions;
  • Deployment Configuration;
  • Directory Traversal;
  • Encapsulation;
  • Error Handling;
  • Information Leakage;
  • Insecure Dependencies;
  • Insufficient Input Validation;
  • Insufficient Logging & Monitoring;
  • Numeric Errors;
  • Potential Backdoor;
  • Race Conditions;
  • Server Configuration;
  • Session Fixation;
  • SQL Injection;
  • Time and State;
  • Untrusted Initialization;
  • Untrusted Search Path.

Note: This step applies only to Custom Activities. For other types of submissions such as those where UiPath workflows and projects are used, this analysis is part of the functionality testing process at Silver level which all types of listings undergo.

Dynamic Code Analysis

Listings are checked for malicious behavior at runtime.

Although the previous stages already cover a significant share of the attack vectors, the dynamic scanning stage adds a further layer toward a secure listing.

For example, some of the analyzed runtime behaviors may include:

  • Memory Analysis – Monitoring for suspicious behavior;
  • Traffic Analysis – Monitoring connections and network traffic;
  • API calls – Monitoring for potentially dangerous OS calls or accessing certain APIs.

By coupling the dynamic scanning step with the preceding static scans, we ensure that certified listings have undergone up-to-date, enterprise-grade security verification.

Pen-testing (only for Custom Activities)

Our internal team of Penetration Testers will conduct a deep dive pen-test as well as manually inspect the source code, package, and other listing artifacts.

By having UiPath Pentesters combine the results of all the previous stages with the penetration testing process, we ensure the highest level of protection against different attack vectors.

© 2005-2024 UiPath. All rights reserved.