Service A requires message confidentiality using message-layer security. You are asked to create a security policy for Service A that communicates its confidentiality requirements. However, you have not yet determined the type of encryption mechanism that will be used to enable message confidentiality. What types of binding assertions can you use to convey what service consumers should expect in the WS-Security header of SOAP messages exchanged by the service?
Service A contains reporting logic that issues SQL queries against a database to generate reports. The actual SQL query syntax is determined at runtime. It has been reported that some of these queries ended up retrieving highly confidential data by accessing tables that service consumers were not authorized for. How can this be avoided?
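As an added illustration (not part of the question set, and not any vendor's reference answer), the following Python sketch shows the runtime-assembled query the question describes next to a hardened version that allowlists report tables and binds the filter value as a parameter; the schema, table names and the sqlite3 backend are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample schema: two tables that report consumers may query and
# one confidential table they are not authorized for (names are assumptions).
ALLOWED_REPORT_TABLES = {"sales": ("region", "amount"),
                         "inventory": ("region", "qty")}

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales (region TEXT, amount INTEGER);
        CREATE TABLE inventory (region TEXT, qty INTEGER);
        CREATE TABLE salaries (employee TEXT, salary INTEGER);
        INSERT INTO sales VALUES ('east', 100), ('west', 250);
        INSERT INTO inventory VALUES ('east', 7);
        INSERT INTO salaries VALUES ('alice', 90000);
    """)
    return conn

def report_dynamic(conn, table, region):
    # Vulnerable pattern from the question: the SQL text is assembled at runtime
    # from consumer-supplied strings, so both the table and the filter value can
    # steer the query toward data the consumer is not authorized for.
    sql = f"SELECT * FROM {table} WHERE region = '{region}'"
    return conn.execute(sql).fetchall()

def report_hardened(conn, table, region):
    # Mitigation: identifiers cannot be bound as parameters, so the table (and
    # its columns) must come from a fixed allowlist that doubles as the
    # authorization check; the filter value travels as a bound parameter,
    # never as SQL text.
    if table not in ALLOWED_REPORT_TABLES:
        raise PermissionError(f"table not permitted for reporting: {table}")
    cols = ", ".join(ALLOWED_REPORT_TABLES[table])
    sql = f"SELECT {cols} FROM {table} WHERE region = ?"
    return conn.execute(sql, (region,)).fetchall()

if __name__ == "__main__":
    db = setup_db()
    # Constructed hostile filter value that turns the dynamic query into a read
    # of the confidential table; the hardened query treats it as a literal.
    hostile = "x' UNION SELECT employee, salary FROM salaries --"
    print(report_dynamic(db, "sales", hostile))   # returns the salaries row
    print(report_hardened(db, "sales", hostile))  # returns []
```

The allowlist also answers the authorization half of the question: a request naming a table outside it is refused before any SQL is built.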
Architects have applied the Service Perimeter Guard pattern to a service inventory by adding a perimeter service inside the firewall that receives all incoming request messages and then routes them to the appropriate services. The firewall has been configured to allow any service consumers to send messages to the perimeter service. You are told that this security architecture is flawed. Which of the following statements describes a valid approach for improving the security architecture?
Service A's logic has been implemented using unmanaged code. An attacker sends a message to Service A that contains specially crafted data capable of manipulating the quoting within a particular XPath expression. This results in the release of confidential information. Service A is a victim of which kind of attack?