Check | Description |
---|---|
| Input to Web methods is constrained and validated for type, length, format, and range. |
| Input data sanitization is only performed in addition to constraining input data. |
| XML input data is validated based on an agreed schema. |
Check | Description |
---|---|
| Web services that support restricted operations or provide sensitive data support authentication. |
| If plain text credentials are passed in SOAP headers, SOAP messages are only passed over encrypted communication channels, for example, using SSL. |
| Basic authentication is only used over an encrypted communication channel. |
| Authentication mechanisms that use SOAP headers are based on Web Services Security (WS Security) using the Web Services Enhancements WSE). |
Check | Description |
---|---|
| Web services that support restricted operations or provide sensitive data support authorization. |
| Where appropriate, access to Web service is restricted using URL authorization or file authorization if Windows authentication is used. |
| Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands. |
Check | Description |
---|---|
| Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL.) |
Check | Description |
---|---|
| If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with. |
Check | Description |
---|---|
| Structured exception handling is used when implementing Web services. |
| Exception details are logged (except for private data, such as passwords). |
| SoapExceptions are thrown and returned to the client using the standard <Fault> SOAP element. |
| If application-level exception handling is required a custom SOAP extension is used. |
Check | Description |
---|---|
| The Web service logs transactions and key operations. |
Check | Description |
---|---|
| The endpoint address in Web Services Description Language (WSDL) is checked for validity. |
| The URL Behavior property of the Web reference is set to dynamic for added flexibility. |