Security and Privacy FAQ
Where is the TestOps cloud hosted?
The TestOps application and its data are both hosted on AWS in the us-east-1 region
(Northern Virginia, USA).
What port does Katalon Studio use to communicate with external resources?
Katalon Studio is a desktop application and it has connections to ALM integration servers such as JIRA, qTest, Slack, CI whose security protocols are configured by the users. Katalon Studio uses port 443 for updating checking/ bugs reporting.
How configuration and credential data be encrypted in Katalon Studio?
App configurations and credential data will be encrypted by PBE with SHA1 and DESede.
What type of encryption does the 'Encrypt Text' tool in Katalon Studio use?
We use PBEwithSHA1AndDESede algorithm. Katalon Studio will keep a unique salt and secret key to encrypt and decrypt values when performing the keyword action. We provide only the encryption feature without the decryption feature. Users can only see the encrypted value in the script file. The raw value will not be logged in our report. You can encrypt text manually by going to Katalon Studio, :The encrypted value can be used in the method:
WebUI.setEncryptedText(findTestObject(null), '8SQVv/p9jVTHLrggi8kCzw==')
The method is to fill the encrypted text into a text box, the raw value will be decrypted when running the test.
How does Katalon manage the physical security setup of the system/service (including overview/architecture drawing)?
Katalon security framework complies with the ISO/IEC 27001 standard for information security management system (ISMS) and covers Physical and Environmental security to prevent unauthorized physical access, damage, and interference to the organization's information and information processing facilities.
Log4Shell (CVE-2021-44228) - General update
On the 9th of December 2021, a Remote Code Execution exploit CVE-2021-44228 was discovered in a popular Java logging library called Log4j2. It became widespread and known to have been exploited in the wild. This incident was created for further investigation and response to fully understand and respond to the potential attacks on Katalon assets. Based on our internal review, Katalon users are not affected by this vulnerability.
Katalon TestOps is not affected by this vulnerability. TestOps uses the default implementation of Spring Boot (implemented Logback through SLF4J for logging). As noted by the Spring Boot team: "Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2."
Any vulnerability that might exist in TestOps has been mitigated to some extent in its Web Application Firewall (WAF) controls, which have been updated to block requests embedding known attacks on this vulnerability.
As of 13 December 2021, TestOps has been upgraded to include Log4J v2.15.0 in its dependencies. In combination with the WAF controls noted above, these corrective actions should completely mitigate any exposure in TestOps.
Katalon Studio Enterprise uses Log4J v1.2.15. This version is not as vulnerable as the version identified in the CVE, particularly given that we are not using the JMSAppender. The similar conclusion is drawn for Katalon Runtime Engine.
You might download it from our GitHub Repo at:
For 8.3.0: https://github.com/katalon-studio/katalon-studio/releases/tag/v8.3.0
We are encouraging our users to download and use those versions. During your usage, please do let us know of any feedback that you have with the products.
Does the GPT-powered Manual Test Generator engine employ closed-model AI or open source? Is the data shared or used by any other third party?
The GPT-powered Manual Test Generator is based on the cloud API of OpenAI. We only send requests to OpenAI and receive responses from their server. No prompt or answer submitted through Katalon products is used by OpenAI to train models. The data is retained by OpenAI for a maximum of 30 days, solely for abuse and misuse monitoring purposes, after which it will be deleted. For more information, see: OpenAI's API data usage policy. Katalon also does not store prompts and answers submitted through the Manual Test Generator.