
Web Security Checklist

posted March 10, 2011

A high-level web security checklist.

Security Requirements

☐ security requirements documentation
☐ security requirements validation

Risk Analysis

☐ risk analysis
☐ risk mitigation strategy

Architecture and Design

☐ security architecture
☐ infrastructure planning
☐ design outlines data flows, entry and exit points, trust boundaries, processes and components

Secure Code Development

☐ authorization
☐ authentication
☐ session management
☐ user management
☐ non-repudiation
☐ transaction integrity
☐ secure and efficient memory management (buffer overruns, etc.)
☐ server-side validation of all input and data
☐ web services, SOA services and integrations are secure
☐ applications fail securely (error handling)
☐ logging and audit
☐ language and platform best practices are followed (e.g. Java best practices)
☐ redundant code, testing harnesses and back doors removed
☐ secure resource usage (OS commands, files, etc.)
☐ developers' security tests (unit tests)
☐ secure code review

Security Testing

☐ information gathering
☐ server / network profile
☐ application fingerprint
☐ threat modelling
☐ manual inspections & reviews
☐ penetration testing

Cryptographic Controls

☐ all sensitive data is protected in flight, memory and storage
☐ use of standard cryptographic libraries
☐ strong algorithms
☐ strong key sizes
☐ secure cryptographic key storage

Secure Infrastructure

☐ deactivate unused accounts on server
☐ keep OS, software and libraries up-to-date
☐ restrict access to directories and files
☐ secure passwords enforced
☐ remove unused commands, servers, applications, web pages and scripts
☐ controlled / limited access to root permissions
☐ close unnecessary ports
☐ best practices applied for database security
☐ best practices applied for all servers, tools and software
☐ use IPsec to secure communications
☐ enforce role separation to limit administrative rights

Physical Security

☐ physically secure infrastructure

Secure Application Deployment

☐ artifacts from development are removed
☐ no development tools deployed in production
☐ source code not copied to production
☐ web based admin tools removed or secured

Configuration Management

☐ secure / limited access to configuration management tools
☐ control access to backups

Continuity & Resiliency

☐ business continuity planning
☐ regular data backups

Customized Checklist

This checklist is a good starting point but is not complete. Build a customized checklist for your organization with input from:

- Enterprise and solution architects
- Senior web developers
- Product and service SMEs
- Security SMEs
- Business stakeholders
- Audits

This checklist could serve as a starting point.



