Security concerns in automation
Security isn’t a problem until it becomes one. When developing automation, it’s essential to design with security in mind rather than treating security as an afterthought.
API Authentication
API keys are one of the most common and secure authentication methods, especially for web products. With one, your app can allow a third party to extract, add, update, or delete data in your database.
Here are some important considerations for this authentication method:
Use a dedicated API key for each third-party provider.
If possible, assign appropriate permissions for those connectors (e.g., read or write access). Unfortunately, not all apps offer this option.
Regenerate the API key if you suspect any suspicious activity.
Some apps allow you to restrict authentication to a specific domain or IP address (commonly seen in Google products). If you know which app will authenticate via a specific API key, I recommend completing this field as well.
Keep admin credentials secure and do not share them. If you change your password after a breach, also remove all API keys and generate new ones. Failing to do so could allow someone to generate a new API key and access your records even after you’ve changed your credentials.
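The considerations above, as an added example that is not part of the original post: a small server-side registry (hypothetical names, constructed sample IPs) that issues one dedicated key per provider, scopes it to read or write, optionally pins it to a source IP, and can revoke one provider's keys or all of them after a breach.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    provider: str            # the single third party this key belongs to
    scopes: frozenset        # granted permissions, e.g. {"read"} or {"read", "write"}
    allowed_ips: frozenset   # empty = no source-address restriction
    revoked: bool = False


class KeyRegistry:
    """Hypothetical registry: one dedicated, scoped key per integration."""

    def __init__(self):
        # Keyed by SHA-256 of the raw key; the raw key itself is never stored.
        self._records: dict = {}

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, provider: str, scopes, allowed_ips=()) -> str:
        """Generate a fresh random key for one provider; the raw value is returned once."""
        raw_key = secrets.token_urlsafe(32)
        self._records[self._digest(raw_key)] = KeyRecord(
            provider, frozenset(scopes), frozenset(allowed_ips))
        return raw_key

    def authorize(self, raw_key: str, scope: str, source_ip: str) -> bool:
        """Allow only a known, unrevoked key from a permitted IP holding the scope."""
        rec = self._records.get(self._digest(raw_key))
        if rec is None or rec.revoked:
            return False
        if rec.allowed_ips and source_ip not in rec.allowed_ips:
            return False
        return scope in rec.scopes

    def revoke_provider(self, provider: str) -> int:
        """Suspicious activity: invalidate that provider's keys; returns how many."""
        hits = [r for r in self._records.values() if r.provider == provider and not r.revoked]
        for r in hits:
            r.revoked = True
        return len(hits)

    def revoke_all(self) -> int:
        """Post-breach step: invalidate every key alongside the password change."""
        return sum(self.revoke_provider(p) for p in {r.provider for r in self._records.values()})
```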
Direct app integrations
These usually rely on OAuth, another widely used authentication method, especially in web apps that allow direct connections with third-party services such as Airtable and Slack.
While similar to API authentication, there are additional considerations for direct integrations:
Regularly review which apps have access to others. It’s easy to rush into integrating apps, but over time, this can create confusion, leading to hundreds of connected apps.
Google recommends regularly reviewing apps that access your accounts and modules. In the long run, it’s safer to develop your own integrations, particularly when using platforms like Make.com or Zapier. Avoid connecting unknown apps or modules to your databases.
Username and password
This method is common in RPA automation and applications running in local environments. Here’s what you should keep in mind:
Create a dedicated user account for each machine.
Limit user permissions to specific use cases. It may be tempting to grant full access to cover future needs, but these permissions should be reviewed periodically. Future integrations may take a little longer to develop under narrower permissions, but limiting write access is still preferable to offering full access.
Another crucial security measure is to use a VPN, which adds an extra layer of protection. With suitable firewall rules on the VPN, you can restrict the app so that it accepts only connections made through the VPN, which limits the opportunity for a breach.
General Security Recommendations
Don’t share your credentials with multiple developers. If you’re working with an agency for automation, take the time to create the connections yourself. Keep your credentials private.
Stay informed by following blogs, Twitter, or any other channels related to the third parties you’re using. Be vigilant about checking emails for alerts on potential security breaches.
Regularly run security checks on your integrations’ infrastructure. Review the integrations, third-party security measures, and their updates.
Always design integrations with security as a priority, not as an afterthought.