Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2
Authentication How long does a session last before it times out?
How does Single sign-on (SSO) work for the native This is configurable from within the Workday tenant
mobile applications? What is passed to the mobile based on customer preference. A default session lasts 20
device for authentication, and how is that stored on
minutes before requiring re-authentication.
the device?
Not natively, but SSO solutions that utilize client mobile-specific user access configurations. If it’s available
certificates can be used with the Workday Mobile Web to a user on the desktop version, it’s available on mobile.
3
Workday Applications Can administrators disallow certain data to be saved
or downloaded onto a mobile device?
What data persists on mobile devices when using
Workday’s native mobile applications? Any activity relating to downloadable business data (i.e.
emailing annotated reports, viewing payslip PDFs, document
Workday follows the guidelines set forth by Apple and
sharing) can be disabled at the tenant setting level.
W3C to prevent data being stored on any device, both
through the native applications and the browser. Only
Which versions of iOS and Android OS do you
simple values that facilitate reconnecting to the correct
support?
destination persist across sessions:
Reference our Mobile Documentation for device
• Tenant requirements. The path is: Community > Documentation >
• Connection URL Mobile Solutions > Mobile Devices and Features > Device
Requirements.
• Username
3. If doc sharing is enabled on iOS, users can share exposed Web Services. NOTE: 443/TCP is used for our SOAP
attachments from the Workday app to other apps on web services (SOAP/web service WSDLs are exposed).
the device.
4
Transport Security How can we prevent users from taking screenshots
while using Workday mobile?
Does all data that transfers between mobile devices
and Workday travel via Secure Sockets Layer (SSL)? There are no built-in defenses against screenshots
within the apps or Mobile Web solution. Screen shots can
Yes, all data that transfers between a mobile device and
sometimes be prevented using Mobile Device Management
Workday travels via SSL. 128-bit SSL is the minimum
and Provisioning capabilities (see Section 4). This would
required by Workday’s servers, but if the client uses a
depend on which third-party MDM solution is in place.
stronger algorithm (i.e. 256-bit SSL), Workday’s servers
will respect that.
Any data masking that’s configured in the desktop information. The path is: Community > Documentation >
5
Logging and Monitoring What security testing has been performed on both the
mobile client and the web services/servers that are
What information is logged by Workday when using
used? Who performed this testing?
the mobile application?
Extensive testing is carried out both by Workday’s
None—we don’t log any intra-app actions on any of our
internal Application Security team as well as by third-
solutions.
party security firms like iSEC Partners.
How do I know what tasks are available on mobile? The penetration testing leverages information from
How do I find out about new features in a release? developer interviews and framework analysis. The attack
Refer to our List Tasks Available on Mobile document classes tested during the penetration test included, but
on Community. The path is: Community > Product were not limited to:
Dashboards > Mobile Product Information.
• Cross Site Scripting
• XPath/SQL Injection
Security Testing • HTTP Redirects (Hostile Link attacks)
Have you had a third party perform a web services
penetration test, code review, and/or security • Response Splitting
architecture review?
• Directory Traversal
Yes. The following third-party tests and reviews have
• CSRF / Forced Browsing
been performed:
• SSL Cipher Strength Analysis
• Application security testing by iSEC Partners and
others • Cookie Security
• System and network security testing by Cigital • Malicious File Execution (Remote File Inclusion)
6
Did it test the OWASP Top Ten? Glossary
Yes, we tested the OWASP Top Ten where applicable to Native mobile applications: Workday’s mobile solutions
mobile. built specifically for the Android, iPhone, and iPad. Down-
loadable through Google Play and the Apple App Store.
Where can I find a copy of the results, or at least
summary and follow-up actions? Workday Mobile Web: Workday’s mobile solution that’s
Customers can download a copy of the most recent pene- accessible on any smartphone or tablet through mobile
tration testing reports from the Workday Customer Portal. web browsers (e.g. Safari, Chrome, etc.). Includes all the
same features as the native apps and is compatible with
third-party MDM solutions.
Workday, Inc. | 6230 Stoneridge Mall Road | Pleasanton, CA 94588 | United States
1.925.951.9000 | 1.877.WORKDAY (1.877.967.5329) | Fax: 1.925.951.9001 | www.workday.com
© 2014. Workday, Inc. All rights reserved. Workday and the Workday logo are registered trademarks of Workday, Inc. All other brand and product names are trademarks
or registered trademarks of their respective holders. 20140918MOBILESECFAQ-ENUS