Python RPA Security - Check out best practices

This is a discussion topic for the original post at Python RPA Security - Check out best practices - BotCity | Python RPA | Blog

:arrow_right: What about security in Python RPA? Check out good practices to make your robots more secure :robot::point_down:


:pushpin: In RPA, bots often have direct communication with critical systems that, without proper measures, can leave sensitive data vulnerable and facilitate unauthorized access;

💡 The most prominent tech companies use Python massively in their stacks. With Python, your RPA operation can guarantee point-to-point the highest level of security (with encryption, vulnerability testing, and more);

💡 See BotCity's recommendations for further protecting your bots and mitigating key risks (according to OWASP):

✅ Protect the environment in which the bot is developed and run, including the operating system, database, dependencies, and network, by applying the latest security updates;

✅ Separate development, test/homologation, and production environments;

✅ Make communication secure with VPNs, encryption, SSL/HTTPS certificates, allow-lists, and specific ports opened on the firewall;

✅ Ensure that actions are assigned with secure and unique identification credentials for each robot;

✅ Separate credentials from the code and store them in an encrypted vault, and change them periodically;

✅ Grant strictly necessary permissions to the bot and collaborators, with multi-factor authentication where applicable;

✅ When deactivating a bot, don't forget to revoke its credentials;

✅ Monitor the activities of bots and create alerts for unexpected behavior;

✅ Record bot sessions with screenshots or videos;

✅ Protect the integrity of logs by storing them separately and ensuring that they are complete and auditable;

✅ Do not use the system's default Python interpreter, which is likely outdated. Install the latest version and keep it up to date;

✅ Use virtual environments;

✅ Avoid making relative imports;

✅ Beware of unknown, unofficial, or out-of-date libraries (check the Snyk Advisor). Be careful not to misspell the library name and install a malicious one by mistake;

✅ Avoid loading unnecessary data/libraries;

✅ Keep the code clean;

✅ Always validate/sanitize data inputs to protect against injections, use encryption for sensitive data, and handle errors and exceptions;

✅ Avoid unbounded resource usage and free the memory of objects you are no longer going to use;

✅ Set `DEBUG = False` in production;

✅ Deserialize with caution when using pickle; evaluate PyYAML as an alternative;

✅ Establish an adaptive governance framework;

✅ Perform unit tests, integration tests, and canary releases, and periodically evaluate the implementation as a whole;

✅ Do code review, version control, and backups;

✅ Scan your code for vulnerabilities (get to know Bandit, Snyk Code, SonarQube…);

✅ Reflect on scenarios where things can go wrong and have a plan for incidents;

✅ Have a proactive dialogue with the security team from the beginning of the project;
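One way to put the pickle item above into practice, as an added example that is not code from the BotCity post: a bot may pickle its own state for persistence, but it should only unpickle data whose integrity it can verify (here, an HMAC-SHA256 tag), and anything arriving from outside the bot should be parsed as JSON instead. The `BOT_STATE_KEY` variable name and the function names are assumptions; the environment-variable fallback exists only so the example runs offline.

```python
import hashlib
import hmac
import json
import os
import pickle

# Assumption: the signing key is normally read from the vault (see the
# credentials item above). The fallback value is a constructed demo key only.
BOT_STATE_KEY = os.environ.get("BOT_STATE_KEY", "constructed-demo-key-not-for-use").encode()
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(state):
    """Pickle the bot's own state and prefix it with an HMAC-SHA256 tag."""
    payload = pickle.dumps(state, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(BOT_STATE_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def load_state(blob):
    """Verify the tag before unpickling; refuse anything this bot did not sign.

    pickle.loads runs code chosen by whoever wrote the bytes, so a state file
    that anyone else could modify must never reach it unverified.
    """
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(BOT_STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state file failed integrity check; refusing to unpickle")
    return pickle.loads(payload)


def load_untrusted_input(text):
    """Data from outside the bot (API responses, queue messages) is parsed as JSON.

    json.loads only builds dicts, lists, strings and numbers, so it cannot
    instantiate arbitrary objects the way pickle can.
    """
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at the top level")
    return data
```

The same caution applies to PyYAML: `yaml.safe_load` limits documents to plain Python types, whereas `yaml.load` with the unsafe loader can construct arbitrary objects.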