What security testing does Waters perform for Empower? - WKB280834
ENVIRONMENT
- Empower
ANSWER
- Waters has a product security team that manages code security and vulnerability management activities.
- Empower is intended for deployment on customer premises or virtual private cloud, operating within the confines of the customer security system or VPN.
- Empower does not include or require Web servers open to the internet, and the primary access control is through the customer’s corporate authentication mechanism.
- Empower is an established product for which architectural and dependency changes are not common.
- Penetration testing is performed as needed should such changes be implemented.
- Note: Empower is deployed on-premises or on the customer’s cloud infrastructure; the customer’s security measures are the first line of defense.
ADDITIONAL INFORMATION
Waters is not currently ISO 27001 certified. This certification is planned for the future, but only for true cloud informatics products (for example, waters_connect Cloud or Empower as a Service (EaaS)).
Waters does not publish the outcome of penetration testing.
Since Empower is an established product, we conduct penetration testing only upon major architectural changes and score the findings using a DREAD model (https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)). The issues identified are added to the program backlog and are handled in the same way as any other backlog item, using the change management workflow.
In Empower 3.8.1 we implemented code changes as a result of the security analysis. The release notes include a section on enhancements and security updates. The plan is to continue delivering security updates with the next Empower releases.
Waters does not provide customers with access to vulnerability-related information or penetration testing reports, for security reasons and because of the risk that the threat models and architectural details listed in such reports could be exploited.