Data Vulnerability

Hi everyone -

I’m presenting Robot Framework as one of the automation test solutions in our project, and one of the questions they had is regarding data vulnerabilities of using this tool, since it is open source. Even though the tool is only for our test environment, the data is much less likely to be the same as prod.

The question is, how is it ensured that data is not exposed to the outside world and that patches/releases are kept safe from online attackers/data breaches?

Thanks!

That is an interesting take as I would usually think the opposite. Why would you trust a closed source solution over an open source solution in terms of data security?

Hi Brandon -

Thanks for your input, I guess their concern is something like the below. So I’m wondering what’s the take of Robot Framework in terms of security.

As open source code is open to modifications, changes, and views, it can be automatically improved by each user. However, this accessibility leads to the fact that the code becomes attractive to hackers who practice their skills on it.

Since closed source code can only be modified by users with private access, all errors are corrected by the support service in case of software drawbacks. This method is more secure compared to open source, but it can also lead to users putting up with glitches or poor performance for long periods of time before the problem gets fixed.

Automatically improved by each user? I would argue not. Robot Framework does not store any of your data anywhere, so whatever credentials or information you use is yours and only yours. Of course, don’t log it out to some file somewhere, although that would not be the fault of RF, that’s just a user mistake.

But any merge requests or pull requests to contribute to or enhance RF are also peer reviewed and subjected to committer eyeballs. That’s no different from closed source software. Also, it’s well known, and I guess documented if you search around the web, that open source software in general is more secure than closed source software precisely b/c more eyeballs can take a look at it.

Community created code contributed to RF is not just automagically accepted and merged in.

1 Like

Thanks Hobet and Brandon. Really appreciate your thoughts.

Thanks!

Hi Jayson,

You can present it like this:

  1. Anyone concerned about security and data leaks can inspect the code of Robot Framework (or any other open source software) and verify for themselves that the tool won’t “phone home” or otherwise send your confidential data outside your network. With a closed source tool you cannot verify; you simply have to “trust” the sales person (because sales people never lie).
  2. Most open source projects have an openly documented process for contributing code to the project. For Robot Framework you must submit a pull request, which then needs to be approved before it’s added to the code. In addition, because your GitHub account is used to submit a pull request, if compromising code is caught then all other code by that contributor can also be checked easily. This transparency does not exist in closed source software.
  3. If your organisation is that concerned about data leaks then they should not be trusting any software and should have adequate controls on the firewalls and network gateways to ensure no unauthorised network traffic exits their network. I know personally, when I have worked for law enforcement agencies and financial institutions, that their test environments are firewalled from each other and from the main production network; often it was more difficult to get any internet access at all from a test environment than it was from the main production network.

Hope this helps,

Dave.

2 Likes
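One concrete way to act on the first point above (inspect the code rather than trust a vendor) is to audit an installed package’s source tree for modules that import network-capable libraries, then read only the flagged files. This is an added example, not Robot Framework code or anything posted in the thread; the module list, package name and file contents are constructed for illustration.

```python
"""Audit a Python package source tree for modules that import network-capable
libraries, as a first step toward verifying that a tool cannot "phone home".
Added illustration, not part of Robot Framework; the sample package below is
constructed for this example."""
import ast
import tempfile
from pathlib import Path

# Standard-library and common third-party modules able to open network connections.
NETWORK_MODULES = {
    "socket", "ssl", "http", "http.client", "urllib", "urllib.request",
    "requests", "httpx", "aiohttp", "ftplib", "smtplib", "telnetlib", "xmlrpc",
}

def network_imports(source: str) -> set[str]:
    """Return the network-capable module names imported by one Python source file."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        for name in names:
            # Match the full dotted name or its top-level package (urllib.request -> urllib).
            if name in NETWORK_MODULES or name.split(".")[0] in NETWORK_MODULES:
                found.add(name)
    return found

def audit_tree(root: Path) -> dict[str, set[str]]:
    """Map each .py file under root (relative POSIX path) to the network modules it imports."""
    report = {}
    for path in sorted(root.rglob("*.py")):
        try:
            hits = network_imports(path.read_text(encoding="utf-8"))
        except SyntaxError:
            continue  # skip files that are not valid Python 3 (vendored py2 code, templates)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo() -> dict[str, set[str]]:
    """Build a constructed two-file package (one clean, one with network calls) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "toolpkg"
        pkg.mkdir()
        (pkg / "runner.py").write_text("import os\nimport sys\n")
        (pkg / "telemetry.py").write_text("from urllib.request import urlopen\nimport socket\n")
        return audit_tree(Path(tmp))
```

A hit only proves the capability exists, so the flagged files still need to be read; point it at the package directory reported by `pip show -f` for the tool you are evaluating.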

Thanks for the update and the quick reply. I’ll be sure to keep an eye on this thread.
