We have plans to integrate a limited number of security checks into the webMethods EDI. As of now, there are not many built-in security checks in the webMethods EDI; please correct me if I am wrong.
My plan is to perform the following basic checks before they are designed/pushed to the integration server:
- check for any web services with no auth or BASIC auth, and if there are any, alert the user to use other, more secure authentication operations.
- check for hardcoded usernames/passwords for any authentication, either to downstream databases or upstream web services, etc., or to authenticate users to the web services created for ourselves.
- check if there are any external IP/URL references. External meaning any IP subsets which are not part of what I have included, or any URL with a domain not included in the list.
- check if encryption/decryption features developed internally are using secure crypto algorithms.
- check if all inputs in the design go through a validation module, which confirms that no malicious characters are accepted.
Could you please let me know if they are already available, or if I need to build them on my own. If you can provide me any details of how you have implemented security at the level I am mentioning, it would be good information for me.
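As an added illustration (editor's example, not code from the poster or from Software AG), the five checks listed above can be expressed as a small pre-deployment linter. The post does not say which artefacts would be scanned, so the input here is a constructed key=value text format with hypothetical keys (`auth=`, `validate=`, `db.password=`), and the internal network and domain allowlists are assumptions; a real implementation would read the actual service and adapter definitions and load the allowlists from an inventory. Findings report the key name, never the secret value, so the report itself does not leak credentials.

```python
"""Pre-deployment security lint for service definitions (constructed text format)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allowlists: internal address ranges and approved partner domains.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_DOMAINS = ["example.internal", "partner.example.com"]

# Hypothetical keys; adapt the patterns to the real artefact format.
AUTH_RE = re.compile(r"\bauth\s*[=:]\s*(none|basic)\b", re.I)
CRED_RE = re.compile(r"(password|passwd|pwd|secret)\s*[=:]\s*[\"']?([^\s\"']+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WEAK_CRYPTO_RE = re.compile(r"\b(DES|3DES|RC2|RC4|MD5|SHA-?1|ECB)\b", re.I)
NO_VALIDATION_RE = re.compile(r"\bvalidate\s*[=:]\s*(no|false|0)\b", re.I)


@dataclass
class Finding:
    line: int
    check: str
    detail: str


def _ip_allowed(text: str) -> Optional[bool]:
    """True/False for an IP literal against the allowlist; None if not an IP."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return any(ip in net for net in ALLOWED_NETWORKS)


def _domain_allowed(host: str) -> bool:
    """Exact or subdomain match against the approved domain list."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def scan(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(config.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        # 1. no-auth / BASIC auth services
        m = AUTH_RE.search(line)
        if m:
            findings.append(Finding(no, "AUTH", f"service uses '{m.group(1)}' authentication"))
        # 2. hardcoded credentials; ${VAR}, %VAR% and {{var}} placeholders are fine
        m = CRED_RE.search(line)
        if m and not m.group(2).startswith(("${", "%", "{{")):
            findings.append(Finding(no, "CREDENTIAL", f"hardcoded value for '{m.group(1)}'"))
        # 3. external URL/IP references (URL hosts first, then bare IPs outside URLs)
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            allowed = _ip_allowed(host)
            if allowed is None:
                allowed = _domain_allowed(host)
            if not allowed:
                findings.append(Finding(no, "EXTERNAL", f"reference to {host} outside allowlist"))
        for ip in IP_RE.findall(URL_RE.sub("", line)):
            if _ip_allowed(ip) is False:
                findings.append(Finding(no, "EXTERNAL", f"reference to {ip} outside allowlist"))
        # 4. weak or legacy crypto primitives / modes
        algos = sorted({a.upper() for a in WEAK_CRYPTO_RE.findall(line)})
        if algos:
            findings.append(Finding(no, "WEAK_CRYPTO", "uses " + ", ".join(algos)))
        # 5. inputs that bypass the validation module
        if NO_VALIDATION_RE.search(line):
            findings.append(Finding(no, "VALIDATION", "inputs bypass the validation module"))
    return findings


# Constructed sample in the made-up format; not a real webMethods artefact.
SAMPLE_CONFIG = """\
# constructed sample in a made-up key=value format, not a webMethods artefact
service orders.receive auth=basic validate=no
service orders.status auth=oauth2 validate=yes
db.url=jdbc:postgresql://10.20.30.40:5432/orders
db.user=app
db.password=Summer2024!
partner.endpoint=https://edi.partner.example.com/inbound
legacy.endpoint=http://203.0.113.7/upload
vault.password=${VAULT_DB_PASSWORD}
crypto.cipher=DES/ECB/PKCS5Padding
crypto.hash=SHA-256
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_CONFIG):
        print(f"line {f.line}: [{f.check}] {f.detail}")
```

Run against the sample, the scanner flags the BASIC-auth service and its unvalidated inputs, the literal database password, the endpoint on 203.0.113.7, and the DES/ECB cipher, while the internal 10.x address, the approved partner domain and the vault placeholder pass. Wiring this into a pre-commit or pre-deploy step gives the "alert the user" behaviour the post describes without blocking on anything the allowlists already approve.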