Web App Security Code Review Checklist

Uploaded by aze ra

Security Code Review: Checklist

Authentication and Authorization:

1. Secure Password Storage:
- Check if passwords are hashed and salted.
- Ensure the use of a strong hashing algorithm (e.g., bcrypt, Argon2).

2. Authentication Bypass:
- Verify that authentication is enforced for all relevant parts of the application.
- Check for any flawed session management.

3. Authorization Issues:
- Review roles and permissions to ensure proper access controls.
- Confirm that sensitive operations require proper authorization.

Data Security:

4. SQL Injection:
- Check for SQL injection vulnerabilities by reviewing database queries.
- Use parameterized queries or prepared statements.
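The review step above is easiest to apply systematically with tooling. The following is an added example, not part of the original checklist: a small AST-based helper that flags Python `execute()`-style calls whose SQL text is assembled by concatenation, `%` formatting, f-strings or `.format()`, so a reviewer can triage candidates for parameterization. The sample module it scans is constructed for the example; the helper inspects syntax only and is a triage aid, not proof of a vulnerability.

```python
"""Reviewer's helper for checklist item 4: find dynamically built SQL."""
import ast

# Constructed sample module: three dynamic query constructions, one parameterized.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = %s" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Method names treated as query execution points (DB-API style).
EXEC_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_sql(node: ast.expr) -> bool:
    """True when the SQL argument is assembled at runtime from other values.

    Concatenation of two literals is also flagged; that is an acceptable
    false positive for a triage tool."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x, "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


def find_dynamic_sql(source: str) -> list[tuple[int, str]]:
    """Return (line, node kind) for every execute-style call with dynamic SQL."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in EXEC_NAMES and node.args and _is_dynamic_sql(node.args[0]):
            findings.append((node.lineno, type(node.args[0]).__name__))
    return findings


if __name__ == "__main__":
    # The parameterized call on the last line of the sample is not reported.
    for line, kind in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: SQL built via {kind}; use a parameterized query")
```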

5. Cross-Site Scripting (XSS):
- Validate and sanitize user inputs to prevent XSS attacks.
- Implement Content Security Policy (CSP) headers.

6. Cross-Site Request Forgery (CSRF):
- Use anti-CSRF tokens to protect against CSRF attacks.
- Ensure that state-changing requests require proper authorization.

Network Security:

7. Transport Layer Security (TLS):
- Ensure that sensitive data is transmitted over HTTPS.
- Check for secure TLS configurations.

8. Security Headers:
- Implement security headers like Content Security Policy (CSP), Strict-Transport-Security (HSTS), etc.

Code Quality and Configuration:

9. Code Injection:
- Review code for any injection vulnerabilities (e.g., OS command injection).
- Validate and sanitize user inputs.

10. File Upload Security:
- If applicable, ensure that file uploads are restricted and properly validated.
- Check for executable file uploads.

11. Error Handling:
- Avoid exposing sensitive information in error messages.
- Implement custom error pages and log errors securely.

Logging and Monitoring:

12. Logging Security:
- Ensure that sensitive information is not logged.
- Regularly review logs for signs of security incidents.

13. Security Monitoring:
- Implement security monitoring to detect and respond to suspicious activities.
- Set up alerts for potential security incidents.

Third-Party Libraries and Components:

14. Dependency Scanning:
- Regularly scan and update third-party libraries for security vulnerabilities.
- Use only trusted and up-to-date dependencies.

15. Security Patching:
- Keep all software, including web servers, databases, and frameworks, up to date with security patches.

Session Management:

16. Session Fixation and Hijacking:
- Implement secure session management practices.
- Use secure, random session identifiers.
- Monitor and protect against session fixation attacks.

Business Logic:

17. Business Logic Vulnerabilities:
- Review the application's business logic for security flaws.
- Verify that critical transactions are protected against tampering.

Compliance:

18. Regulatory Compliance:
- Ensure compliance with relevant security standards (e.g., GDPR, HIPAA, PCI DSS).

Miscellaneous:

19. Rate Limiting:
- Implement rate limiting to prevent brute-force attacks.

20. Security Training:
- Ensure developers are trained in secure coding practices.
- Conduct periodic security training for the development team.

21. Incident Response Plan:
- Have an incident response plan in place.
- Regularly test and update the plan.