This includes all the content, security, and functionality requirements from the Silver Certified level. Additionally, the listing needs to pass each of the requirements listed below. If there are issues with any of the steps, the Marketplace Partner will be required to fix them and explain any possible discrepancies.
Once all of the requirements are met, the listing will receive the Gold Certified badge, which will be visible on the listing’s page.
Obtaining this level of certification can take up to two additional weeks.
We scan the submission with multiple antivirus engines and ensure that the listing artifacts are unpacked and evaluated through deep file analysis. This is integrated with file reputation services to provide rich context and threat classification on over 8 billion files, including all file types.
This step offers protection against potential malware and viruses.
Regardless of its type, a listing usually contains dependencies that might have security-related vulnerabilities.
This stage helps identify and solve possible security issues that often arise when using third-party dependencies.
A few of the possible issues that may be solved through this stage include:
- Vulnerabilities and other similar security issues present in one or more of the attached dependencies;
- Incompatibility between the type of license used in some of the dependencies and the license selected by you for the listing.
Since the security of the listing depends on the security of every dependency used, if there are issues with any of the items above, the certification will not be granted until they are resolved.
To catch vulnerabilities or malicious source code, we also run a comprehensive series of static code checks against the code and build artifacts behind the submission.
A variety of issues can be detected at this stage and, as mentioned in the previous step, here we look at both flaws that might be present in the source code and possible vulnerabilities.
The vulnerabilities detected will need to be remediated by you so that possible logic flaws, incorrect data management, incorrect configurations, and other behavior will not be exploited by a malicious actor.
Through this step we ensure that the listings are protected against, but not limited to, the following threats and standards:
- CWE Top 25;
- OWASP Top 10;
- Other similar industry standards and threat models.
During this step, security checks will be performed, where applicable, for the following:
- Buffer Management Errors;
- Command or Argument Injection;
- Cross-Site Scripting (XSS);
- Insufficient Input Validation;
- Insufficient Logging & Monitoring;
- Time and State;
- Untrusted Search Path.
This step applies only to Custom Activities. For other types of submissions, such as those where UiPath workflows and projects are used, this analysis is part of the functionality testing process at Silver level, which all types of listings undergo.
Listings are checked against malicious behavior at runtime.
Although the previous levels cover a significant number of the attack vectors, the dynamic scanning stage ensures a robust approach towards having a secure listing.
For example, some of the analyzed runtime behaviors may include:
- Memory Analysis – Monitoring for suspicious behavior;
- Traffic Analysis – Monitoring connections and network traffic;
- API calls – Monitoring for potentially dangerous OS calls or accessing certain APIs.
Therefore, by adding the dynamic scanning step and coupling it with the previous static scans, we ensure that the certified listings have undergone the latest, enterprise-grade security verification.
Our internal team of Penetration Testers will conduct a deep dive pen-test as well as manually inspect the source code, package, and other listing artifacts.
By having UiPath Pentesters combine the results of all the previous stages with the penetration testing process, we ensure the highest level of protection against different attack vectors.