Security-related questions about AutoPIPE:
1. Questions related to software security
Answer:
Our security team generally routes security-related inquiries to our Trust Center.
2. Does Log4J pose a threat to AutoPIPE?
No. AutoPIPE products do not use any open-source code and are not written in Java. Therefore, Log4j is not a threat in any way to AutoPIPE.
In addition, please see WIKI page here.
3. Our company has a stringent set of security questions (200+ questions) that need to be answered before doing business. How can we get all of these questions answered?
First, log a new case and send an Excel file with one question on each row. The answer will be provided in the next column, and the file will be saved and sent back for your review.
4. Outstanding application vulnerability/security patch(es) for our current version
The AutoPIPE development team does not provide security patches for current or older software. It is the user's responsibility to protect their computer system.
See the WIKI here for a list of program versions. Further below this listing is a hyperlink to the release notes for most of the versions released.
5. "Is ... FIPS compliant?"
What is the intent of the question?
a. Does our software run on a Windows computer that is configured for FIPS?
b. Does our software use only FIPS approved algorithms?
As of May 2023, Microsoft no longer recommends enabling FIPS (of course, it's complicated; see their disclaimer in red).
A few quotes from Microsoft staff:
a. "The bottom line here is that just because a software product works when [Windows] FIPS mode is enabled does not mean that it adheres to government standards."
b. "If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved."
c. "Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory."
d. "Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode."
Bentley AutoPIPE