Application development governance as a whole can vastly improve and accelerate IT initiatives and return on investment. The key to successful software governance at every level, whether project, team or enterprise, starts at design time and extends throughout the development and deployment stages of the software development life cycle.
As an organization’s software governance initiatives expand and mature, a more automated approach is needed to define and enforce policies and to eliminate the simple but costly mistakes that are overlooked during development or review. Catching these errors early in the development process reduces the risk of faulty software reaching production. WebLayers’ out-of-the-box policy libraries transform the complex manual task of policy creation, deployment, and enforcement into a clear, actionable, and automated process that ensures compliance with and adherence to all policies.
Developed in conjunction with Fortune 500 companies and industry consortia to encompass industry best practices, the WebLayers governance out-of-the-box policies accelerate SOA, Java/.NET, COBOL, C, C#, C++, DISA Security STIG compliance, PL1 and many other language and governance efforts, and ensure quick uniformity throughout the software development life cycle. Working in concert with WebLayers Review Center, WebLayers governance shortens development time, improves code quality, and accelerates service deployment.
Policy Best Practices
- Enforce policies early and often – catching issues early in the life cycle saves time and money. WebLayers can govern artifacts from design specifications to source code to service artifacts.
- Start small and scale up over time – start governing one project and one part of the infrastructure (like a source control system or registry/repository) and expand over time.
- Establish a baseline for existing services – run them against the WebLayers Policy Libraries to get a baseline compliance level (or scorecard) that details the quality of existing assets and highlights the areas that need review.
WebLayers Policy Libraries are licensed components of the enterprise governance system. The complete content of the policy libraries is available in the WebLayers Center™ platform and contains expanded material that covers policy explanation, risks/benefits, and conformance business impact.
WebLayers SOA Policy Library
The SOA Library focuses on four specific risk factors: interoperability, portability, performance, and security of the service. The Library contains the following subset of policy libraries:
- WSDL Libraries
- SOAP Libraries
- XML Libraries
- XML Schema Libraries
- JAX-RPC v1.0 and v1.1 libraries
- WS-I Basic profile libraries
- UDDI Publication Libraries of Excellence
WebLayers Java Policy Library
The Java Libraries target issues around possible bugs, dead code, suboptimal code, duplicate code, and overcomplicated expressions. The policies focus on the following risk factors: usability, reliability, performance, and interoperability. The Java Library set contains the following:
- Basic JSF rules
- Basic JSP rules
- Basic Rules
- Braces Rules
- Clone Implementation Rules
- Code Size Rules
- Controversial Rules
- Coupling Rules
- Design Rules
- Finalizer Rules
- Import Statement Rules
- J2EE Rules
- JUnit Rules
- Jakarta Commons Logging Rules
- Java Logging Rules
- JavaBean Rules
- Migration Rules
- Naming Rules
- Optimization Rules
- Security Code Guidelines
- Strict Exception Rules
- String and String Buffer Rules
- Type Resolution Rules
- Unused Code Rules
WebLayers COBOL Policy Library
The COBOL Libraries target issues around possible bugs, suboptimal code, and overcomplicated expressions. The policies focus on the following risk factors: maintainability, stability, reliability, efficiency, performance, and CPU usage. The COBOL Library set contains the following:
- COBOL Policies
- COBOL Policies targeting CICS usage
- COBOL/CICS Policies targeting non-thread-safe constructs
- COBOL Policies targeting VSAM usage
- JCL Policies
- JCL Policies targeting IMS
- JCL Policies targeting VSAM
DISA Application Security and Development STIG
(Automated and Review Policy Libraries)
- Access Control
- Application Information Disclosure
- Application Registration
- Best Practices
- Input Validation
- Hidden Fields in Web Pages
- Race Conditions
WebLayers WebSphere MQ Policy Library Set
Web-enabling WebSphere MQ (WMQ) services as reusable integration components can accelerate IT efforts and help leverage legacy IT assets for future projects as well as SOA initiatives. However, implementing web-enabled WMQ services takes the right technical know-how; industry best practices and standards must guide the development team from the onset. Automated governance is the key to successfully governing WMQ, starting at design time and continuing throughout deployment. Having developers follow policies and standards as they write the code for WMQ services ensures user-ready services. WebLayers’ out-of-the-box WebSphere MQ Policy Libraries accelerate development and achieve the desired economic returns.
The WebLayers MQ Policy Library is a licensed component of the WebLayers Enterprise governance system. The complete content of the policy libraries is available in the WebLayers Center™ Platform and contains expanded material that covers policy explanation, risks/benefits, conformance business impact, and enforcement implementation.
The WebLayers WMQ Library focuses on several risk factors, including interoperability, portability, performance, and security of the service. The library also addresses a series of design guidelines, patterns, and architectural recommendations that enable organizations to build interoperable, robust, flexible, and secure services. This policy library contains guidelines relating to WMQ WSDLs, Schema, SOAP, and XML that describe the pros and cons of certain Web services features and design patterns and identify those that are less compatible with widely used tools and processors. The WebLayers WMQ Library also targets the configuration of Queues and Queue Managers to ensure the runtime configuration adheres to best practices.
The Library set contains the following subset of policy libraries:
- Queue Configuration
- Queue Manager Configuration
- Schema Best Practices
- General WSDL Best Practices
- WMQ WSDL Best Practices
The Java Platform enables software engineers to develop robust software applications. However, the Java Platform cannot defend against implementation bugs that occur in trusted code. Often it is the application itself that is the weakest link in software security compliance. The impact of vulnerabilities and their associated cost make it imperative that security be incorporated into every phase of the software development lifecycle. While practicing secure coding techniques helps avoid software defects that cause vulnerabilities, program crashes, exposure of sensitive information and denial-of-service attacks, a developer may still introduce security flaws into a program.
Insecure coding practices and developers’ lack of awareness of known vulnerabilities can lead to security flaws. Organizations must develop an effective approach to eliminate such flaws. WebLayers, Inc. recommends secure-coding guidelines to minimize security vulnerabilities.
The security policy library was created to enhance a developer’s security practice and knowledge of secure coding, and to ensure high compliance with software security and integrity. The library combines the secure coding initiatives of the CERT Secure Coding for Java (www.cert.org) and the Common Weakness Enumeration (CWE, cwe.mitre.org). The WebLayers Security library provides a comprehensive set of security-specific coding guidelines targeted at the Java programming language.
The Security Library Policies cover the following:
- CWE-845 Input Validation and Data Sanitization
- CWE-848 Numeric Types and Operations
- CWE-849 Object Orientation
- CWE-850 Methods
- CWE-851 Exceptional Behavior
- CWE-852 Visibility and Atomicity
- CWE-853 Locking
- CWE-854 Thread APIs
- CWE-855 Thread Pools
- CWE-857 Input Output
- CWE-858 Serialization
- CWE-859 Platform Security
- CWE-861 Miscellaneous