ST-SEC-009 - SecureString Misusage
ST-SEC-009
Scope: Workflow
This rule checks whether the SecureString type is misused in the workflow. This string type is used to avoid storing potentially sensitive strings as plain text. If certain activities accept sensitive information as input but do not support the SecureString type, you can exclude them from this rule.
The SecureString type should not be used for any purpose other than the intended one. Therefore, attempting to cast SecureString to String may be viewed as a security risk.
According to the official Microsoft documentation, if a String object contains any sensitive information, it raises the risk of the data being revealed after it is used.
In addition, the scope of SecureString type variables should be very limited, ideally in the same scope where they were created.
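The following C# sketch is an added illustration, not code from the product or its documentation. It contrasts a conversion of SecureString to String with a narrowly scoped alternative; the class and method names are hypothetical, the sample value is constructed, and the `NetworkCredential` conversion is assumed here as a typical example of such a cast.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringScopeDemo   // hypothetical name, for illustration only
{
    // Discouraged: the secret is copied into an immutable managed String that
    // cannot be zeroed and stays in memory until the garbage collector reclaims it.
    static string ToPlainText(SecureString secret) =>
        new NetworkCredential(string.Empty, secret).Password;

    // Narrower alternative when plain text is unavoidable: decrypt into an
    // unmanaged buffer, hand it to the consumer, then zero and free the buffer.
    static void UsePlainText(SecureString secret, Action<IntPtr, int> consumer)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            consumer(buffer, secret.Length);
        }
        finally
        {
            if (buffer != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    static void Main()
    {
        // Constructed sample value; a real workflow would receive the
        // SecureString from a credential store instead of building it from a literal.
        using (var secret = new SecureString())
        {
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();

            string leaked = ToPlainText(secret);   // plain-text copy outlives this block
            Console.WriteLine(leaked.Length);

            // The consumer sees the characters only while the buffer exists.
            UsePlainText(secret, (ptr, length) =>
                Console.WriteLine(char.IsLetter((char)Marshal.ReadInt16(ptr))));
        }   // Dispose() clears the SecureString in the same scope that created it
    }
}
```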
In the Project Settings window, select the Workflow Analyzer tab. Find and select the rule.
You can exclude activities that do not support the SecureString type by adding their namespaces separated by a comma in the Excluded Activities field.