Security related questions about AutoPIPE:
1. Questions related to software security
Answer:
The Security section of the Release notes / readme file will contain information about any security-related issues with each new release of AutoPIPE. Users can look up comprehensive information on these CVE-related issues online (CVE here / here. Otherwise, search the NATIONAL VULNERABILITY DATABASE here ). Bentley keeps a FAQ website similar to CVE available to assist with any security-related inquiries. For further information, answers to frequently asked questions, and to submit your own questions, please visit the Bentley Systems Trust Portal.
The Bentley Trust Portal is designed to help current and potential Bentley Subscribers find information regarding the security measures in place to develop, maintain, and improve Bentley’s products and platforms. The Trust Portal is intended to improve the sales cycle by providing frequently requested security and compliance information in a self-service platform.
A link to the Bentley Trust Portal is located on the Bentley Trust Center website at: https://www.bentley.com/en/trust-center. The Bentley Trust Center contains important links to other Bentley.com pages, Bentley’s Common Vulnerability Exposure (CVE) program, a link to Bentley’s Bug Bounty program, and applicable compliance certifications for Bentley subsidiaries or business partners, as applicable.
Please take note that product technical support answers questions related to the product, all security-related inquiries should be submitted through the Bentley Systems Trust Portal (demo video here).
- If you are a security researcher or have a security concern and suspect you’ve identified a vulnerability related to Bentley products, submit a Security report here.
2. Does Log4J pose a threat to AutoPIPE?
Answer:
No, AutoPIPE products does not use any open source coding and is not written in Java. Therefore, LOG4J is not a threat in anyway to AutoPIPE..
In addition, please see WIKI page here.
3. Our company has a stringent set of security questions (200+ questions) that need to be answered before doing business, how can we get all of these questions answered?
Answer:
First log a new case and send an excel file with 1 question on each row. The answer will be provided in the next column, the file saved, and sent back for your review.
4. Outstanding application vulnerability/security patch(es) for our current version
Answer:
AutoPIPE development team does not provide security patches for current or older software. It is the user's responsibility to protect their computer system.
See WIKI here for list of program versions. Further below this listing is a hyperlink for Release notes on most of the versions released.
5. Noticed that MFA sign-in frequency has increased, what can be done to decrease the number of times to perform MFA sign-in?
Answer:
Should the increased frequency of MFA prompts continue for more than 24 hours after a successful login you should perform a self-service password reset at: https://passwordreset.microsoftonline.com/
6. Is AutoPIPE FIPS compliant?
Answer:
As of Dec 2023, from ECCN against encryption; Functionally – No. AutoPIPE's program source does contain libraries and functions capable of performing encryption. In addition, no testing has been performed with AutoPIPE using Windows in a FIPS 140-2 approved mode of operation. User are urged to test in these environments and advise Bentley technical support group of any issues that arise.
7. Export information for AutoPIPE:
- Country of Origin: USA [Country of Origin for Software is where the final product is compiled / Built]
- Export Control Classification Number (ECCN): generally not made public, please submit a case referencing this WIKI and reason for needing the number.
- Any export restrictions: see End user agreement here
- % of US content in this software: 100%