WebLayers’ Out-of-the-box Policy Libraries

WebLayers SOA Policy Library

The SOA Library focuses on four specific risk fac¬tors: interoperability, portability, performance, and security of the service. The Library contains the following subset of policy libraries:

• WSDL Libraries
• SOAP Libraries
• XML Libraries
• XML Schema Libraries
• JAX-RPC v1.0 and v1.1 libraries
• WS-I Basic profile libraries
• UDDI Publication libraries of Excel¬lence

WebLayers Java Policy Library

The Java Libraries target issues around possible bugs, dead code, suboptimal code, duplicate code, and overcomplicated expressions. The policies focus on the following risk factors: usability, reli¬ability, performance, and interoperability. The JAVA Library set contains the following:

• Basic JSF rules
• Basic JSP rules
• Basic Rules
• Braces Rules
• Clone Implementation Rules
• Code Size Rules
• Controversial Rules
• Coupling Rules
• Design Rules
• Finalizer Rules
• Import Statement Rules
• J2EE Rules
• JUnit Rules
• Jakarta Commons Logging Rules
• Java Logging Rules
• JavaBean Rules
• Migration Rules
• Naming Rules
• Optimization Rules
• Security Code Guidelines
• Strict Exception Rules
• String and String Buffer Rules
• Type Resolution Rules
• Unused Code Rules

WebLayers COBOL Policy Library

The COBOL Libraries target issues around pos¬sible bugs, suboptimal code, and overcomplicat¬ed expressions. The policies focus on the follow¬ing risk factors: maintainability, stability, reliability, efficiency, performance, and CPU usage. The COBOL Library set contains the following:

• COBOL Policies
• COBOL Policies targeting CICS usage
• COBOL/CICS Polices targeting non-thread-safe constructs
• COBOL Policies targeting VSAM usage
• JCL Policies
• JCL Policies targeting IMS
• JCL Policies targeting VSAM

DISA Application Security and Development STIG

(Automated and Review Policy Libraries)

• Access Control
• Application Information Disclosure
• Application Registration
• Authentication
• Best Practices
• Cryptography
• Documentation
• Data
• Input Validation
• Hidden Fields in Web Pages
• Race Conditions

WebLayers WebSphere MQ Policy Library Set

Web enabling WebSphere MQ (WMQ) Services as reusable integration components can accelerate IT efforts and help leverage legacy IT assets for future projects as well as SOA initiatives. However, implementing web-enabled WMQ services takes the right technical know-how; industry best practices and standards must guide the development team from the onset. Automated governance is the key to successfully governing WMQ, starting at design time and continuing throughout deployment. With developers following policies and standards as they write the code for WMQ services ensures user ready services. WebLayers’ out-of-the-box WebSphere MQ Policy Libraries accelerate development and achieve the desired economic returns.

The WebLayers MQ Policy Library is a licensed component of the WebLayers Enterprise governance system. The complete content of the policy libraries is available in the WebLayers Center™ Platform and contains expanded material that covers policy explanation, risks/benefits, conformance business impact, and enforcement implementation.

The WebLayers WMQ Library focuses on several risk factors including interoperability, portability, performance, and security of the service. The library also addresses a series of design guidelines, patterns, and architectural recommendations that enables organizations to build interoperable, robust, flexible, and secure services. This policy library contains guidelines relating to WMQ WSDLs, Schema, SOAP, and XML that describe the pros and cons of certain Web services features and design patterns and identifies those that are less compatible with widely used tools and processors. The WebLayers WMQ Library also targets the configuration of Queues and Queue Managers to ensure the runtime configuration adheres to best practices.

The Library set contains the following subset of policy libraries:

• Queue Configuration
• Queue Manager Configuration
• Schema Best Practices
• General WSDL Best Practices
• WMQ WSDL Best Practices

Security Policies

The Java Platform enables software engineers to develop robust software applications.  However, the Java Platform cannot defend against implementation bugs that occur in trusted code. Often it is the application itself that is the weakest link to software security compliance. The impact of vulnerabilities and associated cost make it imperative that security be incorporated into every phase of the software development lifecycle.  While practicing secure coding techniques helps avoid software defects that cause vulnerabilities, program crashes, exposure of sensitive information and denial of service attacks, a developer may still introduce security flaws into a program.

Insecure coding practices and developers’ lack of awareness of known vulnerabilities can lead to security flaws. Organizations must develop an effective approach to eliminate such flaws.  WebLayers, Inc. recommends secure-coding guidelines to minimize security vulnerabilities.

The security policy library was created to  enhance a developers security practice and knowledge of secure coding, and to ensure a high compliance to software security and integrity. The library combines the secure coding initiatives of the CERT Secure Coding for Java (www.cert.org)  and the Common Weakness Enumeration-CWE  (cwe.mitre.org)  .  Weblayers Security library provides a comprehensive set of security-specific coding guidelines targeted at the Java programming language.

The Security Library Policies covers the following:

• CWE-845   Input Validation and Data Sanitization
• CWE-848   Numeric  Types and Operations
• CWE-849   Object Orientation
• CWE-850   Methods
• CWE-851   Exceptional Behavior
• CWE-852   Visibility and Atomicity
• CWE-853   Locking
• CWE-854   Thread APIs
• CWE-855   Thread Pools
• CWE-857   Input output
• CWE-858   Serialization
• CWE-859   Platform Security
• CWE-861  Miscellaneous