- Queries related to Veracode certification on UiPath platform sub-dependencies?
- Are all the Activities packages Veracode certified?
- Is UiPath Platform Veracode certified, and from which version?
- Is there a vulnerability management process?
Resolution: Version 18.4.4 and all successive versions of the UiPath Platform have been certified as meeting the highest level of the Veracode Verified program, Verified Continuous. This validates that UiPath's software development processes include comprehensive and mature security practices.
Veracode Verified Continuous is the highest level of the Verified program and builds on the security processes embedded in the development life cycle from Verified Team to include the following security gates:
- Integration of security tools into development workflows
- Assessment of the application using an alternate technique (e.g. dynamic analysis)
- Documentation that the application does not include any Very High, High or Medium flaws
- Completion of a bi-annual mitigation review
- Documentation of a 30-day remediation deadline
- Advanced secure coding training for the security champion identified on the development team
- Secure coding training for the development team
Veracode scans the whole activities package. To cover its third-party dependencies and libraries, UiPath additionally uses FOSSA to track the third-party products that are part of the platform so that their vulnerabilities are tracked. Veracode audits these third-party scanning practices and ensures that UiPath retains no vulnerabilities rated Medium or above in its products.
Read more on