Web Security Checklist
posted by John Spacey, March 10, 2011
A high-level web security checklist.
Security Requirements
☐ security requirements documentation
☐ security requirements validation
Risk Analysis
☐ risk analysis
☐ risk mitigation strategy
Architecture and Design
☐ security architecture
☐ infrastructure planning
☐ design outlines data flows, entry and exit points, trust boundaries, processes and components
Secure Code Development
☐ authorization
☐ authentication
☐ session management
☐ user management
☐ non-repudiation
☐ transaction integrity
☐ secure and efficient memory management (buffer overruns, etc.)
☐ server-side validation of all input and data
☐ web services, SOA services and integrations are secure
☐ applications fail securely (error handling)
☐ logging and audit
☐ language and platform best practices are followed (e.g. Java best practices)
☐ redundant code, testing harnesses and back doors removed
☐ secure resource usage (OS commands, files, etc.)
☐ developers' security tests (unit tests)
☐ secure code review
Security Testing
☐ information gathering
☐ server / network profile
☐ application fingerprint
☐ threat modelling
☐ manual inspections & reviews
☐ penetration testing
Cryptographic Controls
☐ all sensitive data is protected in flight, memory and storage
☐ use of standard cryptographic libraries
☐ strong algorithms
☐ strong key sizes
☐ secure cryptographic key storage
Secure Infrastructure
☐ deactivate unused accounts on server
☐ keep OS, software and libraries up-to-date
☐ restrict access to directories and files
☐ secure passwords enforced
☐ remove unused commands, servers, applications, web pages and scripts
☐ controlled / limited access to root permissions
☐ close unnecessary ports
☐ best practices applied for database security
☐ best practices applied for all servers, tools and software
☐ use IPsec to secure communications
☐ enforce role separation to limit administrative rights
Physical Security
☐ physically secure infrastructure
Secure Application Deployment
☐ artifacts from development are removed
☐ no development tools deployed in production
☐ source code not copied to production
☐ web based admin tools removed or secured
Configuration Management
☐ secure / limited access to configuration management tools
☐ control access to backups
Continuity & Resiliency
☐ business continuity planning
☐ regular data backups
Customized Checklist
This checklist is a good starting point but is not complete. It is recommended to build a customized checklist for your organization with input from:
- Enterprise and solution architects
- Senior web developers
- Product and service SMEs
- Security SMEs
- Business stakeholders
- Audits
This checklist could serve as a starting point.