Comprehensive secure development process

Blue Prism’s secure development process is a market-leading, embedded security culture, focused on delivering security excellence through four key principles:

  • Education – Providing up-to-date knowledge, information, and training to the development team.
  • Evaluation – Regular reviews of our products using industry standard frameworks and security tools.
  • Elimination – Remove potential threats through the evaluation of standards, compliance, and performance.
  • Evolution – Continued improvement of our security program, ensuring alignment with our product technologies and by reacting effectively to new and emerging threats.

Blue Prism secure development is based on OWASP ASVS, ISO 27034 and GDPR Article 25 standards and practices.

Education

Blue Prism recognizes the importance of providing high quality, engaging education to its development team, beginning during their induction and continuing regularly throughout their employment.

Interactive training and development for secure coding

Blue Prism partners with a world-leading educational platform that specializes in providing engaging and informative content. The platform assists organizations in achieving compliance requirement targets mandated by information security frameworks and standards such as:

  • NIST
  • PCI
  • OWASP
  • ISO 27001

All Blue Prism developers undergo initial and ongoing training and certification, which includes:

  • A four-part interactive security training course included in their induction.
  • Four tiers of ongoing security training, with every developer required to reach a minimum of level one.
  • Bespoke courses designed to cover specific subjects of interest.
  • Quarterly reviews, using the metrics taken from tournaments to address areas of low scoring.
  • Education is further supplemented by:
    • Quarterly tournaments for all developers to take part in.
    • Micro learning modules that are automatically applied to development features.
    • Access to a guided offensive security testing lab to aid understanding of the exploitation of the OWASP top ten threats.

Evaluation

The evaluation principle contains components that have been put in place to review the effectiveness of the education principle, raise awareness, protect the business, and continually monitor performance.

Threat modelling

Blue Prism has adopted a subject matter-based threat modelling methodology, which provides a framework to understand and visualize threats that may apply to the product or the feature they are implementing. This enables them to:

  • Use a combination of STRIDE and bespoke, in-house threat modelling techniques.
  • Identify assets, threats, and controls.
  • Raise awareness of potential issues earlier in the development process.
  • Speed up software delivery and response times.
  • Assess each individual software feature to create a threat model.

Dedicated application security team

A dedicated team of application security engineers are on hand to support the Blue Prism development teams in the following ways:

  • Each Blue Prism development team has a dedicated primary and secondary security engineer.
  • Engineers raise awareness and promote understanding of development security issues.
  • Help identify and resolve security issues during refinement stage as part of the shift left initiative.
  • Coupling engineers to development teams means experience and knowledge is fostered and specific to the team.
  • Engineers keep up-to-date with relevant changes and developments in the security field and relay these to the development teams.

Static code analysis (SAST)

The source code of Blue Prism products is scanned using a variety of best-of-breed security tools to ensure compliance and code quality, and includes:

  • Scans using multiple “best of breed” SAST tools.
  • Over 450 different checks are applied to the entire codebase, with hundreds of scans being performed each month.
  • Automated pipeline scans are performed overnight.
  • Manual, on-demand scans are available when required.
  • Control gates that prevent any issues from being committed to the code base.
  • Complete SAST scanning coverage of the entire software portfolio.
  • Scanning policy includes checks from the following security standards:
    • NIST
    • OWASP Top 10
    • SANS Top 25
    • PCI
    • HIPAA
    • FISMA
    • STIG
  • Version-specific compliance reports that support our release procedures.

Software composition analysis (SCA)

All open-source dependencies are identified and evaluated using a market-leading dependency and license management tool, which provides:

  • In-depth coverage dependency checking – direct and transitive software dependencies are analyzed.
  • Overnight, automated pipeline and manual on-demand scans – performing more than 20,000 scans per month.
  • Complete coverage of the entire software portfolio, including:
    • The implementation of open source components and license locks, preventing risks from entering our main codebases.
    • License detection and monitoring to ensure we are only using third-party dependencies that we are legally able to. A comprehensive list of third-party dependencies is provided with each release.
  • Monitoring of current and previous releases of products for newly disclosed vulnerabilities. We monitor over 900 software projects and over 4000 software dependencies.

Automated dynamic security testing (DAST)

Web-based products are subjected to multiple dynamic security tests to ensure that the products operate in a secure and robust manner, which allows:

  • Tests to be initiated on demand in the CI pipeline.
  • A combination of frameworks, custom tools, and scripts to return targeted results.
  • Validation of our secure development process.

Manual penetration testing

Manual penetration testing is performed as a final control against our SaaS products to ensure that our products are not vulnerable to complex exploitation techniques. This process includes:

  • Rigorous testing of web-based products prior to release.
  • Utilization of multiple consultants to ensure varied approaches and results.
  • Targeted testing of security-specific features carried out on all on-premises products.

Elimination

The elimination principle underpins our vulnerability approach by applying the outcomes of evaluations to allow us to aim for:

  • The removal of all reported high, medium and low severity threats that have not been mitigated prior to release.
  • The removal of all exploitable third-party threats that have not been mitigated prior to release.

Evolution

Blue Prism is committed to a security program that evolves in line with our product technologies and new and emerging threats meaning:

  • Our process tools and policies are under constant review to ensure we continue to deliver Security Excellence.
  • We have a multi-vendor approach, allowing us to select the most appropriate tools from the market-leading vendors.