Testing

We leverage our Intel Security Certification to cover what is traditionally thought of as “application testing”. This certification verifies that all of our engine components are current against the latest known vulnerabilities according to a NIST vulnerability database.

For penetration testing, we (and any other customer) can use the free w3af tool found at http://w3af.sourceforge.net/. We encourage all of our customers to do their own penetration testing of their application. Having said that, we are not aware of any vulnerabilities. WorkXpress uses an architecture that invalidates attack methods such as SQL injection.

Implementation

In greater detail, security involves multiple layers: physical security, network security, internet security, server security, transmission security, application security and ultimately user and browser security.

The first three layers are all handled by the chosen cloud vendor, for example Amazon Web Services, or by private policies for a behind-the-firewall installation. Amazon has an informative and detailed description of their processes here: http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf. We leverage the VPC, EC2 and S3 technologies on customers’ behalf.

We do have additional preventive measures to deal with denial of service attacks. We have demonstrated in the past the capability to detect a denial of service attack and rapidly block the traffic causing it.

At the level of server security, neither builders nor users have access to the underlying technology stack. A person needs root access to a WorkXpress server to interact directly with the OS, web server or database, or to execute code directly. All other interactions come through the WorkXpress PaaS according to the interfaces it provides. The easiest way to gain root access to a WorkXpress server is by gaining physical access to the box; however, as long as a credible cloud vendor is chosen, this is unlikely. Otherwise, one must be able to forcibly crack the root password. The root password is strong enough, and is changed frequently enough, that current technologies would not likely be able to crack it.

Within all WorkXpress clouds, internal firewalls block all but web traffic. WorkXpress maintains proprietary internal firewall rules to support certain very specific types of cloud-to-cloud communication.

Transmission security guards against the sniffing and interpretation of packets passed around the internet. The primary way to defend against this type of breach is through https login. We offer this as an option on all WorkXpress installations. However, because we always transmit passwords in an encrypted format, https is only necessary under regulatory requirement or other unusual circumstances.

User security and browser security don’t affect the servers or the application, but rather the quality of data submitted to it, or who has access to data retrieved from it. This is true in part because attacks that would affect the server or application through the user’s input or communication stream, such as SQL injection attacks, are protected against. All WorkXpress user passwords are redacted on the screen, transmitted via https and ultimately stored using non-reversible encryption; in this way, even WorkXpress engineers cannot retrieve passwords. However, good internal policies pertaining to password strength and memorization, and good computer maintenance and anti-virus habits, remain the key defenses against these sorts of intrusions.

Application security controls what users gain access to within the application. All applications are provided with the base concepts of User and Group, within which the builder can deploy a basic security model. However, WorkXpress’s five-building-blocks method empowers the builder to further create an unlimited array of administrative, user and object-based security permissions according to their needs.

We regularly back up all code and all customer data. The customer is free to set whatever backup schedule and backup destination they wish, thereby limiting the extreme cases of catastrophic loss.

There are a few other things we do to add extra layers of redundancy and protection. However, we keep some of these confidential for obvious reasons.

Regulation & Certification

PCI compliance

PCI compliance has a wide range of requirements depending on factors such as the size of your organization and the volume of credit card activity undertaken. These are expressed in terms of PCI level, which broadly defines an organization’s obligations based on credit card transaction volume.

WorkXpress provides all the tools to achieve PCI compliance; however, we do not offer any sort of PCI certification. Ultimately, the builder of the application is responsible for achieving a PCI certification.

WorkXpress provides all of the necessary tools to build a PCI compliant platform: encrypted data at rest, TLS-encrypted transit, OS anti-virus, OS and application patches applied in a timely manner, the capability to restrict which users can view card information via role-based access, unique and auditable user IDs, and security token integration. Ultimately the application builder is responsible for achieving PCI certification on the WorkXpress platform, just as they are with any application development regardless of platform.

Brief descriptions of this can be found here: http://www.pcicomplianceguide.org/merchants-0071022-gaining-pci-compliance.php?step=maintainvulnerability#calculate

For smaller organizations, WorkXpress provides integration with Amazon Flexible Payments Service (Amazon FPS). This integration was chosen primarily to avoid PCI compliance and auditing requirements. Even large organizations that do not process credit card transactions as a core competency often outsource this to bypass the liability and compliance challenges that arise. With Amazon FPS, the WorkXpress-based software never actually touches a credit card number. Please see our Amazon FPS documentation for more detail.

For larger organizations, WorkXpress can integrate with their existing PCI infrastructure through encrypted APIs, secure XML or secure FTP. The specific methods will be determined by the customer’s security staff or consultants who specialize in PCI applications and audit compliance. WorkXpress will allow the customer to determine what works best given the specifics of their environment.

HIPAA compliance

HIPAA compliance can be achieved using our tools for encryption, redaction and encrypted data transmission described above. We have built many of our building blocks to have simple check-box support for these and other security methods.

SOX compliance

SOX compliance with WorkXpress is easily achieved simply by checking the “audit this field” box in the settings of any WorkXpress Field. That will then log who changed what, to what, and when.

concepts/security.txt · Last modified: 2016/09/14 18:19 (external edit)
Copyright WorkXpress, 2024