Web services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-279056	SRG-APP-000156-AS-000106	APAS-CF-000325	SV-279056r1171606_rule	2025-12-19	1

Description
Application servers may provide a web service capability that could be leveraged to allow remote access to sensitive application data. Many web services use SOAP, which in turn uses XML and HTTP as a transport. Natively, SOAP does not provide security protections. Therefore, ColdFusion must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension. ColdFusion offers SOAP capabilities but does not offer any type of security for these services. To extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.

Description

Application servers may provide a web service capability that could be leveraged to allow remote access to sensitive application data. Many web services use SOAP, which in turn uses XML and HTTP as a transport. Natively, SOAP does not provide security protections. Therefore, ColdFusion must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The ws-security suite is a widely used and acceptable SOAP security extension. ColdFusion offers SOAP capabilities but does not offer any type of security for these services. To extend the security of the SOAP protocol, an administrator must install the ws-security suite to enhance SOAP through Java Web Services and configure the ws-security features within the new object. This new object then becomes the wrapper for the SOAP communication, securing the sensitive data.

ℹ️ Check
Verify that web services using the SOAP protocol to access sensitive data are secured with WS-Security. 1. Determine Web Services Usage by interviewing the system administrator (SA), or reviewing relevant documentation, including: - Hosted application source code. - Application design documentation. - Published web services design documentation. - ColdFusion baseline documentation. 2. Evaluate Applicability. If no web services are published, this requirement is not a finding. If web services are published and the SOAP protocol is not used, this is not a finding. If SOAP is used and the data accessed is not sensitive, this requirement is not a finding. 3. Verify Security Controls. If web services are published using SOAP to access sensitive data: a. Confirm that WS-Security is implemented to provide secure authentication and protect the data. b. This may be verified by interviewing the administrator or reviewing the documentation sources listed above. If web services are published using SOAP to access sensitive data and WS-Security is not implemented, this is a finding.

ℹ️ Check

Verify that web services using the SOAP protocol to access sensitive data are secured with WS-Security. 1. Determine Web Services Usage by interviewing the system administrator (SA), or reviewing relevant documentation, including: - Hosted application source code. - Application design documentation. - Published web services design documentation. - ColdFusion baseline documentation. 2. Evaluate Applicability. If no web services are published, this requirement is not a finding. If web services are published and the SOAP protocol is not used, this is not a finding. If SOAP is used and the data accessed is not sensitive, this requirement is not a finding. 3. Verify Security Controls. If web services are published using SOAP to access sensitive data: a. Confirm that WS-Security is implemented to provide secure authentication and protect the data. b. This may be verified by interviewing the administrator or reviewing the documentation sources listed above. If web services are published using SOAP to access sensitive data and WS-Security is not implemented, this is a finding.

✔️ Fix
Configure web services using the SOAP protocol to access sensitive data. 1. Install and configure the WS-Security suite to secure access to the sensitive data. 2. Ensure the configuration provides: - Authentication of service consumers. - Message integrity (e.g., via XML signatures). - Confidentiality (e.g., via encryption). 3. Update application and service documentation to reflect the WS-Security implementation.

✔️ Fix

Configure web services using the SOAP protocol to access sensitive data. 1. Install and configure the WS-Security suite to secure access to the sensitive data. 2. Ensure the configuration provides: - Authentication of service consumers. - Message integrity (e.g., via XML signatures). - Confidentiality (e.g., via encryption). 3. Update application and service documentation to reflect the WS-Security implementation.