I need to know how webMethods makes sure it is protected against code and HTML inserts and SQL injections, but I can't find this information anywhere. I find information about API Gateway Server policies, but I'm not using this feature (I think).
I'm just using CAF and Portlets from UI and Tasks, IS for services, and adapters for SQL transactions.
I read the webMethods Adapter for JDBC Installation and User's Guide, and it only says we should not use the Dynamic SQL adapter because of potential security risks of SQL injection.
Where does webMethods establish its security development policies?
For most of them you will have to take care yourself by adding some input validation before passing the values to your internal logic.
In CAF & Tasks you can use "Input field validator" and for IS you can add some constraints to the fields in the input signature of the flow service.
You should check the Service Development Help Guide, the CAF Development Help, etc. for further information.
When checked properly before invoking the adapter service, even the Dynamic SQL template can be used.
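An added example, not code from the page or from webMethods, showing why the JDBC adapter guide warns about the Dynamic SQL template and what "checked properly before invoking the adapter service" means in practice. Python's standard-library sqlite3 stands in for the JDBC adapter: the unsafe function splices the input into the SQL text the way a Dynamic SQL template substitutes its variables, the safe function binds the value as a parameter (what the adapter's SelectSQL/CustomSQL templates do with `?` inputs), and the allowlist covers the one case that cannot be bound, a column or table name chosen at runtime. The table, rows, and column allowlist are constructed for the demonstration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data for the demo (not from the page): an in-memory customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customer (name, region) VALUES (?, ?)",
        [("Alice", "EMEA"), ("Bob", "APAC"), ("Carol", "EMEA")],
    )
    conn.commit()
    return conn


def find_by_region_unsafe(conn, region):
    """Mimics a Dynamic SQL template: the input is concatenated into the statement text,
    so a value like  ' OR '1'='1  rewrites the WHERE clause instead of being matched."""
    sql = "SELECT name FROM customer WHERE region = '" + region + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_region_safe(conn, region):
    """Hardened form: the value travels as a bound parameter, never as SQL text.
    The same payload is now just a string that matches no region."""
    sql = "SELECT name FROM customer WHERE region = ?"
    return [row[0] for row in conn.execute(sql, (region,))]


# Identifiers (column/table names) cannot be bound as parameters, so when a caller
# may choose them at runtime the only safe option is an allowlist plus a shape check.
SORTABLE_COLUMNS = {"id", "name", "region"}          # hypothetical allowlist for this demo
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def validate_identifier(name, allowed):
    """Reject anything that is not a plain identifier on the allowlist.
    This is the kind of check to run in the flow service before the adapter call."""
    if not IDENTIFIER.match(name) or name not in allowed:
        raise ValueError("rejected identifier: %r" % name)
    return name


def list_region_sorted(conn, region, order_by):
    """Dynamic ORDER BY done safely: the column comes from the allowlist, the value is bound."""
    column = validate_identifier(order_by, SORTABLE_COLUMNS)
    sql = "SELECT name FROM customer WHERE region = ? ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql, (region,))]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_by_region_unsafe(db, payload))   # every row leaks
    print("safe:  ", find_by_region_safe(db, payload))     # nothing matches
    print("sorted:", list_region_sorted(db, "EMEA", "name"))
    try:
        list_region_sorted(db, "EMEA", "name; DROP TABLE customer")
    except ValueError as err:
        print("blocked:", err)
```

The check is deliberately an allowlist rather than a blocklist of characters such as quotes or semicolons: the adapter's own parameterised templates already neutralise values, so the remaining risk is whatever the service allows to become SQL text, and that should be limited to names the service knows in advance.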