CERT-SEI

Web Service Verification

Along with testing, web service verification helps to maintain confidentiality, integrity, and availability of service-oriented architecture (SOA) elements.

Our approach to SOA web service verification addresses the key concerns of

  • information assurance—The need for information assurance poses the question of how to protect information and services by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. This level of protection is needed while the information is in storage, processing, or transit and whether it is threatened by malice or accident.
  • interoperability—Web service interoperability aims to provide seamless and automatic connections from one software application to another.
  • networthiness—The networthiness of a web service in an SOA context depends on determining network impact of the web service, developing port and protocol white list policies for web service use, conducting network security scans to ensure that web services are not compromising networks, and other factors.

This approach aims to certify web services to assure that they are not malicious to the SOA infrastructure, and to accredit them in a vastly shorter period than is common. It is based on industry standards, best practices, and our experience from working across many organizations, and it uses software tools to automate as much as possible. The approach has been tested by, and is being implemented by, the Army SOA Foundation, and is being actively considered as a best practice by other DoD organizations.
