Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-002950

Associated with: CCI-000336

SV-84929r1_rule Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated.

Vulnerability discussion

In order to understand data flows within web services, the process flow of data must be developed and documented.There are several different ways that web service deadlock occurs, many times it is due to when a client invokes a synchronous method on a web service, the client will block waiting for the method to complete. If attempts to call the client (invoke a callback) while the client is waiting for the original method to complete, then each party will deadlock waiting for the other.This is referred to as deadlock. The same situation could occur if a callback handler attempted to call a synchronous method on its caller.Applications that utilize web services must account for and document how they deal with a deadlock issue. This can be accomplished by documenting data flow and specifically accounting for the risk in the design of the application.

Check content

Review the application documentation and the system diagrams detailing application system to system and service to service communication methods. Interview the application admin to identify any application web services that are deployed by the application. If the application does not deploy web services, the requirement is not applicable. If the application consumes web services but is not responsible for development of the services, the requirement is not applicable. Review the data flow diagrams and the system documentation to determine if the issue of web service deadlock is addressed. If the issue is not addressed in the documentation or configuration settings, ask the application admin to demonstrate how deadlock issues are addressed. If deadlock issues are not being addressed via documented web service configuration or design, this is a finding.

Fix text

Develop web services to account for deadlock issues.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer