Published by Britney Lynch. Modified over 9 years ago.
Slide 1: Intercepting Filter
Use to implement:
- Input validation
- Page-level authorization
- Session management
- Audit logging
Avoid:
- Relying only on blacklist validation
- Output encoding in the filter
- Overly generous whitelist validation
- XML denial of service
- Logging arbitrary HTTP parameters
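Slide 1 in code, as an added example that is not part of the original presentation: a filter that whitelist-validates every request parameter before the page sees it and writes an audit entry naming the parameters without recording their values. The request is modelled as a Map so the class runs without a servlet container; in Java EE the same logic sits in javax.servlet.Filter.doFilter. The parameter names and patterns are assumed for illustration. Output encoding is deliberately absent: it belongs in the view, where the output context is known, not in a filter.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import java.util.regex.Pattern;

/**
 * Added example (not from the slides): intercepting filter with whitelist
 * input validation and value-free audit logging.
 */
public class ValidatingFilter {

    // Whitelist: one tight pattern per expected parameter. A parameter that is
    // not listed is rejected outright, which is what keeps the whitelist from
    // being "overly generous". No blacklist ("<script", "' OR ") is consulted:
    // a blacklist only enumerates the attacks its author already knows about.
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "accountId", Pattern.compile("\\A[0-9]{1,12}\\z"),
        "sort",      Pattern.compile("\\A(date|amount)\\z"),
        "q",         Pattern.compile("\\A[\\p{Alnum} ]{0,64}\\z")
    );

    /** Result of filtering one request: accepted, or the names of the offending parameters. */
    public static final class Outcome {
        public final boolean accepted;
        public final List<String> rejectedParams;
        Outcome(List<String> rejected) {
            this.accepted = rejected.isEmpty();
            this.rejectedParams = rejected;
        }
    }

    public static Outcome filter(Map<String, String> params, List<String> auditLog) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            Pattern p = ALLOWED.get(e.getKey());
            if (p == null || e.getValue() == null || !p.matcher(e.getValue()).matches()) {
                rejected.add(e.getKey());
            }
        }
        Collections.sort(rejected);
        // The audit entry carries parameter names only. Values may hold passwords,
        // PII or log-injection payloads (embedded CR/LF); logging them wholesale
        // turns the log into a second copy of the attack surface.
        auditLog.add("params=" + new TreeSet<>(params.keySet()) + " rejected=" + rejected);
        return new Outcome(rejected);
    }

    public static void main(String[] args) {
        List<String> log = new ArrayList<>();
        // Constructed sample requests: one clean, one carrying an injection attempt
        // plus a parameter the page never declared.
        Map<String, String> clean   = Map.of("accountId", "42", "sort", "date");
        Map<String, String> hostile = Map.of("accountId", "42 OR 1=1", "debug", "true");
        System.out.println("clean accepted:   " + filter(clean, log).accepted);
        System.out.println("hostile rejected: " + filter(hostile, log).rejectedParams);
        log.forEach(System.out::println);
    }
}
```

In a real filter the rejected request is answered with a generic error page (see slide 7) and never forwarded; the page behind the filter can then assume every parameter it reads has already matched its pattern.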
Slide 2: Front Controller
Use to implement:
- Logical resource mapping
- Session management
- Audit logging
Avoid:
- Physical resource mapping
- Unhandled mappings in a multiplexed resource mapping strategy
- Logging of arbitrary HTTP parameters
- Duplicating common logic across multiple front controllers
- Invoking commands without sufficient authorization
Slide 3: Context Object
Use to implement:
- Whitelist input validation
- Flagging tainted variables
Avoid:
- Context auto-population strategy
- Assuming the security context reflects all security concerns
Slide 4: Application Controller
Use to implement:
- Synchronizer tokens as an anti-CSRF mechanism
- Page-level authorization
Avoid:
- Unauthorized commands
- Unhandled commands
- XSLT and XPath vulnerabilities
- XML denial of service
- Disclosure of information in SOAP faults
- Publishing WSDL files
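The synchronizer-token point from slide 4 in code, as an added example that is not part of the original presentation: the application controller issues one random token per session, the view embeds it in every state-changing form, and the controller refuses any command whose submitted token does not match. The session is modelled as a Map so the class runs without a container; in Java EE the token would live in HttpSession under the same key. The attribute name "csrf.token" is an assumed value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the slides): synchronizer token stored server-side
 * and checked before a command runs.
 */
public class CsrfTokenGuard {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String KEY = "csrf.token";   // assumed session attribute name

    /** Issue (or reuse) the token for this session; the view embeds it as a hidden field. */
    public static String tokenFor(Map<String, Object> session) {
        String t = (String) session.get(KEY);
        if (t == null) {
            byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(KEY, t);
        }
        return t;
    }

    /** Run the command only if the submitted token equals the session's token. */
    public static boolean isValid(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(KEY);
        if (expected == null || submitted == null) return false;
        // Constant-time comparison; String.equals returns early on the first mismatch.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = tokenFor(session);
        // Constructed cases: the legitimate form post, a forged cross-site post
        // (the browser sends cookies but the attacker cannot read the token), and
        // a token issued to a different session.
        System.out.println("same session, correct token: " + isValid(session, token));
        System.out.println("forged request, no token:    " + isValid(session, null));
        System.out.println("token from another session:  " + isValid(session, tokenFor(new HashMap<>())));
    }
}
```

The check has to run before the command is dispatched, which is exactly where the application controller also performs its page-level authorization; an "unauthorized command" and a "forged command" are rejected at the same gate.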
Slide 5: View Helper
Use to implement:
- Output encoding in a custom tag helper
Avoid:
- XSLT and XPath vulnerabilities
- Unencoded user-supplied data
Slide 6: Composite View
Use to implement:
- Output encoding in custom tags
Avoid:
- XSLT and XPath vulnerabilities
- Skipping the authorization check within subviews
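The output-encoding item shared by slides 5 and 6 in code, as an added example that is not part of the original presentation: the routine a View Helper or custom tag calls so that user-supplied data is rendered as text rather than markup. The tag name used in the comment is hypothetical. Encoding is done at the point of output because only the view knows the context (HTML body, attribute, URL); the same data encoded upstream in a filter (slide 1) is corrupted for every non-HTML consumer.

```java
/**
 * Added example (not from the slides): HTML encoding for a custom tag helper.
 * Covers the HTML element body and double-quoted attribute contexts only;
 * JavaScript, CSS and URL contexts need their own encoders.
 */
public final class HtmlEncoder {
    private HtmlEncoder() {}

    public static String encode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;   // &apos; is not defined in HTML 4
                case '/':  out.append("&#x2F;"); break;   // can close a tag in some parsers
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What a hypothetical <sec:out value="..."/> tag would write into a table cell. */
    public static String tagOutput(String userValue) {
        return "<td>" + encode(userValue) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a script payload and ordinary text with markup-significant characters.
        System.out.println(tagOutput("<script>alert(document.cookie)</script>"));
        System.out.println(tagOutput("O'Reilly & \"Sons\""));
    }
}
```

In a Composite View each subview must call the same helper for its own data; a composite whose header encodes but whose sidebar does not is still vulnerable, in the same way that one subview skipping its authorization check exposes the whole page.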
Slide 7: Service to Worker
Avoid:
- Dispatching error pages without a default error handler
Slide 8: Dispatcher View
Avoid:
- Using user-supplied forward values
- Assuming the user's navigation history
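Slides 2, 4 and 8 together in code, as an added example that is not part of the original presentation: a front controller that resolves the request's action through a logical mapping table rather than a file path, authorizes before it invokes a command, routes anything unmapped to a default handler, and treats a client-supplied "next" only as an opaque logical view id, never as a forward path. Request, roles and views are modelled with plain Java types so the class runs without a servlet container; the command names, roles and JSP paths are assumed.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the slides): front controller with logical resource
 * mapping, pre-dispatch authorization, a default handler and validated forwards.
 */
public class FrontController {

    interface Command { String execute(Map<String, String> params); }

    /** Logical command name -> handler. Physical paths never appear in requests. */
    private final Map<String, Command> commands = new HashMap<>();
    /** Logical command name -> roles allowed to invoke it. */
    private final Map<String, Set<String>> requiredRoles = new HashMap<>();
    /** Logical view id -> physical resource. Forwards go only to entries in this table. */
    private static final Map<String, String> VIEWS = Map.of(
        "home",    "/WEB-INF/jsp/home.jsp",
        "account", "/WEB-INF/jsp/account.jsp",
        "error",   "/WEB-INF/jsp/error.jsp"
    );

    public FrontController() {
        register("viewAccount", Set.of("user", "admin"), p -> "account");
        register("deleteUser",  Set.of("admin"),         p -> "home");
    }

    private void register(String name, Set<String> roles, Command c) {
        commands.put(name, c);
        requiredRoles.put(name, roles);
    }

    /** Returns the physical resource the dispatcher should forward to. */
    public String handle(Map<String, String> params, Set<String> userRoles) {
        String action = params.get("action");
        Command c = action == null ? null : commands.get(action);
        if (c == null) {
            return VIEWS.get("error");          // unhandled mapping: default handler, not a stack trace
        }
        if (Collections.disjoint(requiredRoles.get(action), userRoles)) {
            return VIEWS.get("error");          // authorization is decided before the command runs
        }
        String view = c.execute(params);
        // A user-supplied "next" is honoured only if it names a known logical view.
        String next = params.get("next");
        if (next != null && VIEWS.containsKey(next)) view = next;
        return VIEWS.getOrDefault(view, VIEWS.get("error"));
    }

    public static void main(String[] args) {
        FrontController fc = new FrontController();
        Set<String> user = Set.of("user");
        // Constructed requests: legitimate, unauthorized, traversal in "next", traversal in "action".
        System.out.println(fc.handle(Map.of("action", "viewAccount"), user));
        System.out.println(fc.handle(Map.of("action", "deleteUser"), user));
        System.out.println(fc.handle(Map.of("action", "viewAccount", "next", "../../etc/passwd"), user));
        System.out.println(fc.handle(Map.of("action", "../WEB-INF/web.xml"), user));
    }
}
```

Because every request passes through this one class, the authorization and audit logic exists once; the "duplicating common logic across multiple front controllers" item on slide 2 is the failure mode where a second controller is added and forgets one of these checks.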
Slide 9: Business Delegate
Use to implement:
- Whitelist input validation
Slide 10: Service Locator
Avoid:
- Memory leaks in caching
- Open access to UDDI registries
Slide 11: Session Facade
Use to implement:
- Middle-tier authorization
Avoid:
- Unauthenticated client calls
- Deserializing objects from untrusted sources
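The deserialization item from slide 11 in code, as an added example that is not part of the original presentation: a facade that must accept serialized objects from callers installs a java.io.ObjectInputFilter (JDK 9 and later) so that only the expected transfer-object class, plus the JDK types it needs, is ever resolved, with bounds on graph depth and stream size. The OrderRequest type and the limits are assumed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not from the slides): allow-list deserialization for a
 * Session Facade entry point. Requires JDK 9+ for ObjectInputFilter.
 */
public class SafeDeserialization {

    /** The transfer object the facade legitimately accepts (assumed type). */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String sku;
        public final int qty;
        public OrderRequest(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    /** Stands in for anything else a caller might send, gadget-chain classes included. */
    public static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow our DTO and classes from java.base (String etc.), reject everything
    // else ("!*"), and cap object-graph depth and stream size.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxbytes=65536;"
        + SafeDeserialization.class.getName() + "$OrderRequest;java.base/*;!*");

    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);   // consulted for every class before it is resolved
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one legitimate request, one of a class the facade never expects.
        OrderRequest ok = (OrderRequest) readFiltered(serialize(new OrderRequest("SKU-1", 2)));
        System.out.println("accepted: " + ok.sku + " x" + ok.qty);
        try {
            readFiltered(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs before any constructor or readObject method of the incoming class executes, which is the point: the damage from a gadget chain is done during resolution, so a check after readObject returns is too late. Where the caller is an unauthenticated remote client (the other item on this slide) the safer design is to not accept serialized Java objects at all.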
Slide 12: Application Service
Avoid:
- Unauthenticated client calls
Slide 13: Business Object
Slide 14: Composite Entity
Avoid:
- Plaintext transmission of confidential data
- Interpreter injection
Slide 15: Transfer Object
Avoid:
- Plaintext transmission of confidential data
Slide 16: Transfer Object Assembler
Slide 17: Value List Handler
Slide 18: Data Access Object
Avoid:
- Interpreter injection
- Improper resource closing
- Unencrypted connection string storage
Slide 19: Service Activator
Avoid:
- Denial of service in message queues
- Unauthenticated messages
- Unauthorized messages
- Dynamic SQL in the database response strategy
- Unvalidated email addresses in the email response strategy
Slide 20: Domain Store
Avoid:
- Interpreter injection
- Improper closing of resources
- Unencrypted storage of connection strings
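The three items shared by slides 18 and 20 in code, as an added example that is not part of the original presentation: a DAO whose query is parameterised, whose JDBC resources are closed by try-with-resources on every path, and which holds no connection string at all because the container injects a DataSource. The class compiles against the JDK's java.sql and javax.sql APIs and needs a real DataSource at runtime; the table and column names (accounts, id, owner) are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

/**
 * Added example (not from the slides): Data Access Object without interpreter
 * injection, resource leaks or hard-coded connection strings.
 */
public class AccountDao {

    // Supplied by the container (JNDI / injection). Credentials are configured in
    // the server, not stored in this class or in a plaintext properties file.
    private final DataSource ds;

    public AccountDao(DataSource ds) { this.ds = ds; }

    /** Anti-pattern kept for contrast: the value is spliced into SQL text. */
    static String vulnerableQuery(String owner) {
        // owner = "x' OR '1'='1" returns every row; owner = "x'; DROP TABLE accounts; --" is worse.
        return "SELECT id FROM accounts WHERE owner = '" + owner + "'";
    }

    /** Anti-pattern kept for contrast: connection string with embedded credentials in code. */
    static String vulnerableConnectionString() {
        return "jdbc:postgresql://db.internal/app?user=app&password=hunter2";   // ends up in every backup, log and repo clone
    }

    /** Hardened form: the value travels as a bound parameter and is never parsed as SQL. */
    public List<Long> accountIdsFor(String owner) throws SQLException {
        List<Long> ids = new ArrayList<>();
        String sql = "SELECT id FROM accounts WHERE owner = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, owner);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) ids.add(rs.getLong("id"));
            }
        }   // ResultSet, PreparedStatement and Connection close here, also when an exception propagates
        return ids;
    }
}
```

A leaked Connection is the "improper resource closing" item in practice: under load the pool empties and the application stalls, a denial of service the attacker can trigger simply by causing the exception path that the hand-written finally block forgot.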
Slide 21: Web Services Broker
Avoid:
- Sending stack traces and other detailed information in SOAP faults
- Publishing WSDL files
- Using DTDs
- Unauthenticated or unauthorized web service requests
- Using user-supplied data without input validation
- Excessively large XML messages
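The DTD, message-size and SOAP-fault items from slide 21 in code, as an added example that is not part of the original presentation: the broker rejects oversized messages before parsing, builds its XML parser with DOCTYPE declarations forbidden (which also shuts off external entities and entity expansion), and turns any failure into a fault string that carries no internals while the detail goes to the server log. Only the JDK's JAXP API is used; the size limit is an assumed value.

```java
import java.io.StringReader;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not from the slides): hardened inbound XML handling for a
 * Web Services Broker.
 */
public class HardenedXmlParser {
    private static final int MAX_CHARS = 1 << 20;   // assumed limit; tune to the largest legitimate message
    private static final Logger SERVER_LOG = Logger.getLogger("broker");

    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE at all: blocks XXE, entity-expansion bombs and external DTD fetches in one switch.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(String xml) throws Exception {
        if (xml.length() > MAX_CHARS) {            // checked before the parser allocates anything
            throw new IllegalArgumentException("message exceeds " + MAX_CHARS + " characters");
        }
        return newBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** The fault string sent to the client: the stack trace stays in the server log. */
    public static String faultStringFor(Exception e) {
        SERVER_LOG.log(Level.WARNING, "request rejected", e);
        return "Client request could not be processed";   // no class names, paths, SQL or hostnames
    }

    public static void main(String[] args) throws Exception {
        // Constructed messages: a benign request and a classic entity-expansion payload.
        String benign = "<getBalance><accountId>42</accountId></getBalance>";
        String bomb = "<!DOCTYPE lolz [<!ENTITY lol \"lol\">"
                + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
                + "<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">]>"
                + "<getBalance>&lol3;</getBalance>";
        System.out.println("benign root: " + parse(benign).getDocumentElement().getTagName());
        try {
            parse(bomb);
        } catch (SAXParseException e) {
            System.out.println("fault to client: " + faultStringFor(e));
        }
    }
}
```

The same builder configuration applies to the XSLT and XPath items on slides 4 to 6 whenever those engines are fed documents parsed from client input: the parser, not the transformer, is where DTD processing must be switched off.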