Security in UiPath in detail

Hello!

I am looking for information about how safe is UiPath and what kind of security mechanisms are realized in UiPath.

Can anyone explain what does exactly mean the following statement from UiPath Orchestrator web page:

"In addition, UiPath Architecture is compliant with:

Top 10 OWASP requirements
HIPAA & SOX"

I appriciate any materials about security in UiPath.

Thank you.

Hi @themarat,

May i know what kind of security risks you are wondering about Uipath?

1. Is it related to install Uipath on your machine?
2. Is it related to run the Uipath Robot/Workflow on your machine?
3. Is it something related to automate your business applications?
4. Is it related to data in your applications and confidential information loss?

Awaiting for your response.

Thanks,
Jiban

Hello Jiban!

Actually there are all security risks that you’ve mentioned in my consideration.

I would like to have coplex view on all UiPath security aspects.

Hi Themarat,

When it comes to security, let’s try to understand the source of security loopholes.

1. UiPath woks on top of applications or it interact with the application. here security will be at application level.
2. Uipath Works on web, so we will be using Https URL for any source which need automation, here the security will be at application level .
3. When we pass the credential over the wire, UiPath use AES_CBC_256, which is a highly secure cryptography algorithm to make our credential safe.
4. UiPath use HIPAA & SOX as storage technology to store our information, which is very structured in nature.
5. UiPath used to connect with REST services for different requirement, ex. Cognitive services where the security is from the service side, they will be using SSL or any other.

There is no threat so far with respect to the implementation.

Thanks,
Asish

Asish thank you for your explanation.

But I do not understand clearly how OWASP TOP 10 is applicable for UiPath.

OWASP TOP 10 is for web application, isn’t it? But UiPath is not web application.

UiPath Studio is not, but Orchestrator is Web Application

Katkon, thank you for answer.

May be you know, were any vulners detected in UiPath Studio and UiPath Orchestrator?

I mean vulners that were assigned CVE number.

Jiban, may be you know, were any vulners detected in UiPath Studio and UiPath Orchestrator?

I mean vulners that were assigned CVE number.

Hi @themarat,

Till date as per my knowledge nothing has been detected in UiPath and Orchestrator.
It drives the business application in the similar fashion like a human.
It depends upon the developer also, how secure the code is and whether he is keeping any confidential/important information in any risky place (inside workflow/in logs etc).

Example:

1. Reading confidential data from application and pushing this to the centralized logging server. Again the logging server relies inside the client’s network which is a secured zone. So no risk.

2. Keeping credentials securely in windows credential manager or Orchestrator assets will decrease the chance of vulnerability. This leads towards less risk too.

There are many more prevention ways, which can be used to avoid the vulnerability of a Automation script/workflow.

Thanks,
Jiban

Jiban, thanks a lot for these examples!

You’ve mentioned about many others ways to decrese information security risk of automation scripts. May be there is any best practice with all of them?

Could you recommend something as a kind of security methodology to keep in mind during robots developming?

For more explanation: