Gold Certified
This includes all the content, security, and functionality requirements from the Silver Certified level. Additionally, the listing needs to pass each of the requirements listed below. In case there are issues with any of the steps, the Marketplace Partner will be required to fix them and explain any possible discrepancies.
Once all of the requirements are met, the listing will receive the Gold Certified badge which will be visible on the listing’s page.
Obtaining this level of certification can take up to an additional two weeks.
We check the submission against multiple antivirus engines and ensure that the listing artifacts are unpacked and evaluated through deep file analysis. This is integrated with file reputation services to provide in-depth context and threat classification on over 8 billion files including all file types.
This step offers protection against potential malware and viruses.
Regardless of its type, a listing usually contains dependencies that might have security-related vulnerabilities.
This stage helps identify and solve security issues that often arise when using third-party dependencies.
A few of the possible issues that may be solved through this stage include:
- Vulnerabilities and other similar security issues present in one or more of the attached dependencies;
- Incompatibility between the type of license used in some of the dependencies and the license you selected for the listing.
Since the security of the listing depends on the security of every dependency used, if there are issues with any of the items above, the certification will not be granted until they are solved.
To catch vulnerabilities or malicious source code, we also run a comprehensive series of static code checks against the code and build artifacts behind the submission.
A variety of issues can be detected at this stage. As mentioned in the previous step, here we look both at flaws that might be present in the source code and at possible vulnerabilities.
You will need to remediate the vulnerabilities detected so that possible logic flaws, incorrect data management, incorrect configurations, and other behavior cannot be exploited by a malicious actor.
Through this step we ensure that the listings are protected against threats including, but not limited to, those covered by the following standards:
- CWE Top 25;
- OWASP Top 10;
- Other similar industry standards and threat models.
During this step security checks will be performed, where applicable, for the following:
Item | Item | Item |
---|---|---|
API Abuse | Cryptographic Issues | Numeric Errors |
Authentication Issues | Dangerous Functions | Potential Backdoor |
Authorization Issues | Deployment Configuration | Race Conditions |
Buffer Management Errors | Directory Traversal | Server Configuration |
Code Injection | Encapsulation | Session Fixation |
Code Quality | Error Handling | SQL Injection |
Command or Argument Injection | Information Leakage | Time and State |
Credentials Management | Insecure Dependencies | Untrusted Initialization |
CRLF Injection | Insufficient Input Validation | Untrusted Search Path |
Cross-Site Scripting (XSS) | Insufficient Logging & Monitoring | |
Listings are checked for malicious behavior at runtime.
Although the previous levels cover a significant number of attack vectors, the dynamic scanning stage ensures a robust approach towards having a secure listing.
For example, some of the analyzed runtime behaviors may include:
- Memory Analysis – Monitoring for suspicious behavior;
- Traffic Analysis – Monitoring connections and network traffic;
- API calls – Monitoring for potentially dangerous OS calls or accessing certain APIs.
Therefore, by adding the dynamic scanning step and coupling it with the previous static scans, we ensure that the certified listings have undergone the latest, enterprise-grade security verification.
Our internal team of Penetration Testers will conduct a deep-dive penetration test and manually inspect the source code, package, and other listing artifacts.
By having UiPath Pentesters combine the results of all the previous stages with the penetration testing process, we ensure the highest level of protection against different attack vectors.