Security


Security-related questions about AutoPIPE:

Question. Questions related to software security

Answer:

The Security section of the Release notes / readme file will contain information about any security-related issues with each new release of AutoPIPE. Users can look up comprehensive information on these CVE-related issues online (Bentley's Common Vulnerability Exposure Program, the CVE website at WWW.CVE.ORG, or the National Vulnerability Database). Bentley keeps a FAQ website similar to CVE available to assist with any security-related inquiries. For further information, answers to frequently asked questions, and to submit your own questions, please visit the Bentley Systems Trust Portal.

The Bentley Trust Portal is designed to help current and potential Bentley Subscribers find information regarding the security measures in place to develop, maintain, and improve Bentley’s products and platforms. The Trust Portal is intended to improve the sales cycle by providing frequently requested security and compliance information in a self-service platform.

A link to the Bentley Trust Portal is located on the Bentley Trust Center website at: https://www.bentley.com/en/trust-center. The Bentley Trust Center contains important links to other Bentley.com pages, Bentley’s Common Vulnerability Exposure (CVE) program, a link to Bentley’s Bug Bounty program, and applicable compliance certifications for Bentley subsidiaries or business partners, as applicable.

Please note that product technical support answers questions related to the product; all security-related inquiries should be submitted through the Bentley Systems Trust Portal (demo video here).

Note: After opening the Trust Portal for the first time, please select the banner as indicated below to see additional features (e.g., submit a question).

a. Select button "Ask a Question" to submit your personal question.

b. Select hyperlink "Your Question" to see previously asked questions. 

 

Question

Does Log4J pose a threat to AutoPIPE?

Answer:

No, AutoPIPE products do not use any open-source code and are not written in Java. Therefore, Log4j is not a threat in any way to AutoPIPE.

In addition, please see WIKI page here


Question

Our company has a stringent set of security questions (200+ questions) that need to be answered before doing business. How can we get all of these questions answered?

Answer:

First, create an Excel file with one question on each row. Next, submit a Security report as instructed above. The security team will provide an answer to each question in the next column and send the document back.

 


Question

Outstanding application vulnerability/security patch(es) for our current version

Answer:

The AutoPIPE development team does not provide security patches for current or older software. It is the user's responsibility to protect their computer system.

See WIKI here for list of program versions. Further below this listing is a hyperlink for Release notes on most of the versions released. 


Question

We noticed that the MFA sign-in frequency has increased. What can be done to decrease the number of times an MFA sign-in must be performed?

Answer:

Should the increased frequency of MFA prompts continue for more than 24 hours after a successful login, you should perform a self-service password reset at: https://passwordreset.microsoftonline.com/


Question

Is AutoPIPE FIPS compliant?

Answer:

As of Dec 2023, from ECCN against encryption; Functionally – No. AutoPIPE's program source does contain libraries and functions capable of performing encryption. In addition, no testing has been performed with AutoPIPE using Windows in a FIPS 140-2 approved mode of operation. Users are urged to test in these environments and advise the Bentley technical support group of any issues that arise.


Question

Export information for AutoPIPE:

  1. Country of Origin: USA [Country of Origin for software is where the final product is compiled / built]
  2. Export Control Classification Number (ECCN): generally not made public; please submit a case referencing this WIKI and the reason for needing the number.
  3. Any export restrictions: see End user agreement here
  4. % of US content in this software: 100%

Question

Is AutoPIPE safe from Telerik issues mentioned below:

Answer:

After installing AutoPIPE, remove the Telerik.WinControls.PdfViewer.dll file.


Question

What are the ports, protocols, and services used? Does the software create firewall rules to allow access over non-standard ports? 

Answer:

AutoPIPE itself is a desktop program; only the licensing and CONNECT Advisor require an internet connection. Check with the licensing team regarding the ports, protocols, and firewall rules.


Question

Does the software use any mobile code?  

Answer:

No


Question

Is the software NOT IPv6 compatible?

Answer:

AutoPIPE is not certified for IPv6, but the expectation is that it will work.


Question

Will applying security patches to the underlying supporting infrastructure hamper functionality?

Answer:

AutoPIPE is a desktop program and requires permissions to read/write in the model directory, user profile, and program data folders. Check with the licensing team for any guidelines or comments on security patches blocking functionality.


Question

Does the software use any peripheral hardware?

Answer:

No.


Question

Does Bentley AutoPIPE have any certificates?

Answer:

Please see KB article here about all the certificates available for AutoPIPE. 


See Also

Bentley AutoPIPE