Download Free Service Oriented Architecture (SOA) Security Checklist


SOA Security Checklist
Download the free Service Oriented Architecture (SOA) Security Checklist. The checklist covers SOA security controls such as:

Deployment and administration
• Debugging and tracing on production systems: off
• Web services run in least-privilege mode where possible
• Protocol hardening: support SOAP only

WSDL hardening
• No unnecessary services or methods exposed to the outside world
• Auto-generation of WSDL disabled if not needed
• WSDL file kept in a protected area that requires authentication

Exception handling
• Exception management for web service routines
• No information leakage from response elements
• Exception details logged for tracking breaches
• Application-level SOAP fault handling for exceptions
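An added example (not part of the checklist download) showing the exception-handling items above in Python standard-library code: a leaky SOAP 1.1 fault that copies the stack trace into the response, beside a hardened handler that logs the full details server-side under a reference id and returns only a generic fault to the caller. Names such as `leaky_fault`, `safe_fault` and the logger name are assumptions.

```python
import logging
import traceback
import uuid
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace; faultcode/faultstring are unqualified in 1.1.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_ENV)

# Server-side log where the full exception details belong (hypothetical logger name).
log = logging.getLogger("soa.faults")


def build_fault(code, message, detail=None):
    """Serialise a minimal SOAP 1.1 Fault; detail is optional and must be safe to expose."""
    env = ET.Element("{%s}Envelope" % SOAP_ENV)
    body = ET.SubElement(env, "{%s}Body" % SOAP_ENV)
    fault = ET.SubElement(body, "{%s}Fault" % SOAP_ENV)
    ET.SubElement(fault, "faultcode").text = code
    ET.SubElement(fault, "faultstring").text = message
    if detail is not None:
        ET.SubElement(fault, "detail").text = detail
    return ET.tostring(env, encoding="unicode")


def leaky_fault(exc):
    """Anti-pattern: exception text and traceback (paths, versions, internals) go to the client."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return build_fault("soapenv:Server", str(exc), trace)


def safe_fault(exc):
    """Hardened: log everything with a reference id, return only a generic message.

    Returns (fault_xml, reference_id) so the caller can correlate support
    requests with the server-side log entry.
    """
    ref = uuid.uuid4().hex
    log.error("fault ref=%s type=%s msg=%s", ref, type(exc).__name__, exc, exc_info=exc)
    return build_fault("soapenv:Server", "Internal service error (ref %s)" % ref), ref


def dispatch(operation, *args):
    """Application-level wrapper: any exception in a service routine becomes a safe fault."""
    try:
        return operation(*args), None
    except Exception as exc:  # every failure must become a fault, never a raw trace
        return safe_fault(exc)
```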

"In transit" management
• SSL for end-to-end connections
• Digitally signed messages when passing through multiple nodes

Validating inputs
• XML input checked against a schema
• Input filtered before an untrusted variable is consumed
• Input checked for range, size, length, etc.

Authentication and authorization
• SSL and Basic authentication
• WS-Security authentication mechanism in the SOAP header
• Application-level authentication and ACLs
• Authorization design and ACLs
• Method-based authorization with respect to the WSDL


Attachment: soa-security-checklist.xls (16 KB)
