
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279056

CAT II (Medium)

Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security.

Rule ID

SV-279056r1171606_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001941

Discussion

Application servers may provide a web service capability that can be leveraged to allow remote access to sensitive application data. Many web services use SOAP, which in turn uses XML as its message format and HTTP as a transport. Natively, SOAP provides no security protections. Therefore, ColdFusion must provide security extensions that enhance SOAP so that secure authentication mechanisms are employed to protect sensitive data. The WS-Security suite is a widely used and accepted SOAP security extension. ColdFusion offers SOAP capabilities but does not itself offer any security for these services. To extend the security of the SOAP protocol, an administrator must install the WS-Security suite to enhance SOAP through Java web services and configure the WS-Security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.

Check Content

Verify that web services using the SOAP protocol to access sensitive data are secured with WS-Security.

1. Determine Web Services Usage by interviewing the system administrator (SA), or reviewing relevant documentation, including:
- Hosted application source code.
- Application design documentation.
- Published web services design documentation.
- ColdFusion baseline documentation.

2. Evaluate Applicability. 

If no web services are published, this is not a finding.

If web services are published and the SOAP protocol is not used, this is not a finding.

If SOAP is used and the data accessed is not sensitive, this is not a finding.

3. Verify Security Controls. If web services are published using SOAP to access sensitive data:

a. Confirm that WS-Security is implemented to provide secure authentication and protect the data.

b. This may be verified by interviewing the administrator or reviewing the documentation sources listed above.

If web services are published using SOAP to access sensitive data and WS-Security is not implemented, this is a finding.

Fix Text

Configure web services that use the SOAP protocol to access sensitive data as follows.

1. Install and configure the WS-Security suite to secure access to the sensitive data.

2. Ensure the configuration provides:
- Authentication of service consumers.
- Message integrity (e.g., via XML signatures).
- Confidentiality (e.g., via encryption).

3. Update application and service documentation to reflect the WS-Security implementation.
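The Discussion and the Fix Text describe what WS-Security adds on top of a bare SOAP envelope but show no message. The following Python example, added here by the editor and not part of the STIG or of any ColdFusion or DISA code, illustrates the authentication part of the fix (step 2, "Authentication of service consumers") using the UsernameToken profile of the OASIS WS-Security 1.0 specification: the consumer sends a PasswordDigest over a nonce and a Created timestamp, and the provider refuses the request unless the digest verifies, the timestamp is fresh and the nonce has not been seen before. It also shows what the finding looks like in practice: the same service called with a bare envelope that carries no wsse:Security header. The service name, namespace, account name and password are constructed for the example; message integrity and confidentiality (XML Signature and XML Encryption, steps 2b and 2c) are not modelled. On a real ColdFusion deployment the equivalent logic lives in the configured WS-Security stack, not in hand-written code.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from SOAP 1.1 and the OASIS WS-Security 1.0 specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_secured_envelope(username, password, body_xml, created, nonce):
    """Consumer side: SOAP 1.1 envelope with a UsernameToken carrying a PasswordDigest."""
    digest = password_digest(nonce, created, password)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""

def check_envelope(envelope_xml, credentials, now, seen_nonces, max_skew_seconds=300):
    """Provider side: (accepted, reason). Needs a verifiable token, fresh Created, unused nonce."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return False, "no wsse:Security header: request is unauthenticated"
    token = security.find("wsse:UsernameToken", NS)
    if token is None:
        return False, "wsse:Security header carries no UsernameToken"
    username = token.findtext("wsse:Username", default="", namespaces=NS)
    pw_el = token.find("wsse:Password", NS)
    nonce_b64 = token.findtext("wsse:Nonce", default="", namespaces=NS)
    created = token.findtext("wsu:Created", default="", namespaces=NS)
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
        return False, "password must be a PasswordDigest, not PasswordText"
    if not (nonce_b64 and created):
        return False, "PasswordDigest requires both Nonce and Created"
    try:
        created_dt = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "Created is not a UTC xsd:dateTime"
    if abs((now - created_dt).total_seconds()) > max_skew_seconds:
        return False, "Created timestamp outside the freshness window"
    nonce = base64.b64decode(nonce_b64)
    if (username, nonce) in seen_nonces:
        return False, "nonce already used: replayed message"
    password = credentials.get(username)
    if password is None:
        return False, "unknown user"
    if not hmac.compare_digest(password_digest(nonce, created, password), pw_el.text or ""):
        return False, "password digest mismatch"
    seen_nonces.add((username, nonce))  # remember the nonce only after a successful check
    return True, "authenticated"

# Constructed sample data for this example only (no real service or account).
CREDENTIALS = {"svc-payroll": "correct horse battery staple"}
BODY = '<GetSalary xmlns="urn:example:payroll"><employeeId>42</employeeId></GetSalary>'

def demo():
    """Run the provider check against secured, replayed, stale, forged and bare requests."""
    now = datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    created = now.strftime(CREATED_FMT)
    seen = set()
    good = build_secured_envelope("svc-payroll", CREDENTIALS["svc-payroll"], BODY, created, os.urandom(16))
    forged = build_secured_envelope("svc-payroll", "guess", BODY, created, os.urandom(16))
    bare = f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Body>{BODY}</soap:Body></soap:Envelope>'
    return {
        "secured": check_envelope(good, CREDENTIALS, now, seen),
        "replayed": check_envelope(good, CREDENTIALS, now, seen),
        "stale": check_envelope(good, CREDENTIALS, now + timedelta(hours=1), set()),
        "forged": check_envelope(forged, CREDENTIALS, now, seen),
        "bare": check_envelope(bare, CREDENTIALS, now, seen),
    }
```

When performing step 3 of the Check Content, the interview and documentation review can be backed by a captured request to the published service: a compliant consumer sends a `wsse:Security` header like the one `build_secured_envelope` produces, while a request that authenticates only through values in the SOAP body, or that carries a `PasswordText` token over plain HTTP, is the "bare" case above and indicates the finding.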