HidekiHayashi
Level 4
Status: Not Planned

There is a security risk because there is a way to view passwords, depending on how the current credentials are obtained.
We have this security risk in robot creation.
Based on this, I would like to propose the following measures.
1. If the data item containing the authentication information is not of the password type, the acquisition of the authentication information results in an error.
2. Prevent casting from password-type data items to text-type data items.

Depending on the method used to retrieve the current credential data, there is a way to view the password, so there is a security risk.
This security risk has become a problem for us in robot creation.
Based on this, I would like to propose the following countermeasures.
1. If the data item that holds the credential is not of the password type, retrieving the credential results in an error.
2. Make it impossible to cast from a password-type data item to a text-type data item.

2 Comments
AndreyKudinov
Level 10
Then you just sendkeys that password to a notepad... this doesn't solve anything.
Just don't let your devs access production.
MelanieGiuliani
Community Team (Retired)
Hi Hideki,

Thank you for your idea! We've reviewed your feedback internally, and have determined that in some circumstances this is necessary. If you have the proper security settings, it shouldn't be an issue in prod.

As such, we've decided to mark this idea as Not Planned.

Below is an excerpt from our Knowledge Base on this topic:

Password data item needs to be parsed as text:

It is correct product functionality that a password or other sensitive data stored in a password data item can be parsed/interrogated by the robot, there are use cases where the robot needs to know its own password and be able to manipulate it. This decision that this functionality was correct was made by Blue Prism after discussion with existing clients and RPA consultants several years ago.

The following are examples of where the password data item needs to be used as text by the runtime robot:

  • Sometimes a password needs to be passed as an input to a code stage, for example as password for an API. A password is a string in the .NET code stage.
  • Potentially the digital worker needs to interrogate the contents of its own password. For example, if a system wants only certain characters from a full password to be used, i.e. "Enter characters 2, 3, 5, 7 from your password." If your password is ABCD1234 and the system login wants characters 2, 3, and 5, the robot needs to be able to parse the text of its own password to extract the characters BC1.
  • Complex password policies at clients sometimes require the robot to be able to evaluate its own password in order to set the new password. For example, one customer has a password that, when updated/changed, can have no character in the same place as the previous password. To do this reliably the robot needs to compare a newly generated password with the previous password.

Blue Prism’s current recommendation:

Blue Prism recommends a strong Logical Access Model is used for all clients. As part of that model Developers should not have access to Studio in any environment where production passwords are stored.

It has therefore always been Blue Prism's recommendation for developing against production that production passwords are not stored within the solution. The security of any solution from developer interference can only be guaranteed in higher environments (test/production) with the implementation of a Logical Access Model (LAM) where the restriction of developer access is ensured.

Thank you,

Melanie
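The thread turns on a design tension: the Knowledge Base excerpt lists legitimate reasons a robot must operate on its own password (extract characters 2, 3 and 5 of ABCD1234 to get BC1; check that a new password shares no position with the old one), while the original post asks for the free cast from a password data item to text to be blocked. The sketch below is an added example, not Blue Prism's code and not part of the thread; Blue Prism code stages are .NET, so this is an illustrative Python model rather than something that runs inside the product. It shows one way a password-type item can support exactly the operations in the excerpt without a general cast to text: the class name `PasswordItem`, its methods, and the audit list passed to `reveal()` are all hypothetical names chosen for the example.

```python
"""Model of a password data item that exposes only narrow, purpose-built
operations instead of a general cast to text.

Added example for illustration; not Blue Prism product code. The class,
method names and audit-log shape are assumptions made for this sketch.
"""
from typing import Iterable, List


class PasswordItem:
    """Holds a secret and refuses to print or format it as plain text."""

    __slots__ = ("_secret",)

    def __init__(self, secret: str) -> None:
        self._secret = secret

    # Any attempt to cast the item to text yields a mask, not the value.
    def __str__(self) -> str:
        return "********"

    __repr__ = __str__

    def __len__(self) -> int:
        return len(self._secret)

    def characters_at(self, positions: Iterable[int]) -> str:
        """Return the characters at the given 1-based positions.

        Covers the "enter characters 2, 3 and 5 of your password" case
        from the Knowledge Base excerpt without exposing the whole value.
        """
        out = []
        for pos in positions:
            if not 1 <= pos <= len(self._secret):
                raise IndexError(f"position {pos} is outside the password")
            out.append(self._secret[pos - 1])
        return "".join(out)

    def position_conflicts(self, other: "PasswordItem") -> List[int]:
        """Return the 1-based positions where both passwords hold the same
        character. An empty list means the "no character in the same place
        as the previous password" policy is satisfied.
        """
        return [
            i + 1
            for i, (a, b) in enumerate(zip(self._secret, other._secret))
            if a == b
        ]

    def reveal(self, audit_log: List[str], reason: str) -> str:
        """Explicit, audited release of the plain text, for the cases where
        a code stage genuinely needs the string (e.g. an API password).
        The audit entry records why the release happened, not the value.
        """
        audit_log.append(f"password released: {reason}")
        return self._secret


if __name__ == "__main__":
    # Constructed sample values taken from the Knowledge Base example.
    current = PasswordItem("ABCD1234")
    print("cast to text gives:", str(current))            # ********
    print("characters 2,3,5:", current.characters_at([2, 3, 5]))  # BC1

    candidate = PasswordItem("BCDE2345")
    print("conflicting positions:", current.position_conflicts(candidate))  # []

    log: List[str] = []
    _ = current.reveal(log, "input to API login code stage")
    print("audit:", log)
```

The point of the model is that the two use cases in the excerpt (positional extraction and positional comparison) never need the full string to leave the item, so a product could offer them as operations on the password type itself; the one case that does need the string (passing it to a code stage) is then an explicit, logged call rather than a silent cast. As Andrey's reply notes, none of this stops a developer who can edit and run the process from sending the value somewhere visible, which is why the Logical Access Model recommendation in the excerpt remains the actual control.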