
Web Security Checklist

posted March 10, 2011

A high-level web security checklist.

Security Requirements

☐ security requirements documentation
☐ security requirements validation

Risk Analysis

☐ risk analysis
☐ risk mitigation strategy

Architecture and Design

☐ security architecture
☐ infrastructure planning
☐ design outlines data flows, entry and exit points, trust boundaries, processes and components

Secure Code Development

☐ authorization
☐ authentication
☐ session management
☐ user management
☐ non-repudiation
☐ transaction integrity
☐ secure and efficient memory management (buffer overruns, etc.)
☐ server-side validation of all input and data
☐ web services, SOA services and integrations are secure
☐ applications fail securely (error handling)
☐ logging and audit
☐ language and platform best practices are followed (e.g. Java best practices)
☐ redundant code, testing harnesses and back doors removed
☐ secure resource usage (OS commands, files, etc.)
☐ developers' security tests (unit tests)
☐ secure code review

Security Testing

☐ information gathering
☐ server / network profile
☐ application fingerprint
☐ threat modelling
☐ manual inspections & reviews
☐ penetration testing

Cryptographic Controls

☐ all sensitive data is protected in flight, memory and storage
☐ use of standard cryptographic libraries
☐ strong algorithms
☐ strong key sizes
☐ secure cryptographic key storage

Secure Infrastructure

☐ deactivate unused accounts on server
☐ keep OS, software and libraries up-to-date
☐ restrict access to directories and files
☐ secure passwords enforced
☐ remove unused commands, servers, applications, web pages and scripts
☐ controlled / limited access to root permissions
☐ close unnecessary ports
☐ best practices applied for database security
☐ best practices applied for all servers, tools and software
☐ use IPsec to secure communications
☐ enforce role separation to limit administrative rights

Physical Security

☐ physically secure infrastructure

Secure Application Deployment

☐ artifacts from development are removed
☐ no development tools deployed in production
☐ source code not copied to production
☐ web based admin tools removed or secured

Configuration Management

☐ secure / limited access to configuration management tools
☐ control access to backups

Continuity & Resiliency

☐ business continuity planning
☐ regular data backups

Customized Checklist

This checklist is a good starting point but is not complete. It is recommended to build a customized checklist for your organization with input from:

- Enterprise and solution architects
- Senior web developers
- Product and service SMEs
- Security SMEs
- Business stakeholders
- Audits

This checklist could serve as a starting point.
