Threats

  • Network eavesdropping leads to disclosure of confidential information
  • An attacker manipulates a message in transit influencing the service’s behavior

Vulnerabilities

  • Lack of end to end encryption when sending SOAP messages
  • Lack of a digital signature to verify authenticity of a SOAP message

Countermeasures

You might also notice that the implementations for these patterns are grouped together so that we are demonstrating implementation not just of data confidentiality but also data origin authentication. This is intentional. An encrypted message can still be tampered with - so we recommend you implement both of these patterns at the same time...

Hope to post another entry on Monday...