research-school-2024/writeups/mini-checklist.md
2024-12-22 16:53:38 +02:00

Security checklist

  • Validate and sanitize all user inputs. (XSS, SQL injection)
  • Use parameterized queries and prepared statements. (SQL injection)
  • Perform output encoding for dynamic content. (XSS)
  • Make use of Content Security Policy (CSP). (XSS, data injection)
  • Implement proper authorizations for user actions. (Authorization)
  • Enforce strong password policies. (Brute force attacks, account takeover)
  • Implement anti-CSRF tokens. (CSRF)
  • Set SameSite attribute for cookies. (CSRF)
  • Encrypt or hash sensitive data in transit and at rest. (Data breach)
  • Minimize storage of sensitive data. (Data exposure)
  • Audit and harden security configurations. (Misconfiguration, exploitation of default credentials)
  • Keep libraries and dependencies up-to-date. (Outdated library vulnerabilities)
  • Implement comprehensive logging. (Undetected attacks/vulnerabilities)
  • Configure alerts for suspicious activities. (Brute force attacks, unauthorized access)
  • Continuously monitor for vulnerabilities. (Undetected vulnerabilities)
  • Regularly back up critical data. (Data loss)
  • Test data backup processes. (Data loss)
  • Follow secure coding guidelines. (Various vulnerabilities)
  • Set permissions to least privilege wherever possible. (Privilege escalation)
  • Remove unused functionality before deployment. (Attack surface exposure)
  • Use peer-reviewed open source cryptographic modules. (Weak cryptography)
  • Protect cryptographic keys properly. (Key exposure)
  • Use strong cryptographic functions whenever handling data protected by a cryptographic system. (Weak cryptography)
  • Restrict uploads to the required file MIME types. (Malicious file upload)
  • Scan uploaded/sent files/data for malware. (Malicious file upload)
  • Authenticate users before allowing uploads. (Malicious file upload)
  • Disable execution privileges for upload directories. (Remote code execution)
  • Isolate development environments from production. (Data exposure, unauthorized access)
  • Apply security patches when possible. (Exploitation of known vulnerabilities)
  • Automate vulnerability scans. (New vulnerabilities)
  • Ensure that the reverse proxy and the firewall are correctly configured. (Information disclosure)
  • Ensure application security even if the source code is public. (Data exposure)
  • Pass security and linting checks with common tools. (Various vulnerabilities and style)
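The first four items (input validation, parameterized queries, output encoding, CSP) are easiest to understand side by side. The following Python block is an added example, not code from the writeup or its authors: it uses an in-memory SQLite table with two constructed rows, shows the string-concatenated query beside its parameterized form, HTML-encodes a stored value before rendering it, and builds a restrictive CSP header value. The table, user names and bio strings are constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "<script>alert(1)</script>")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' of the fix: user input is pasted into the SQL text, so the
    database parses it as part of the statement (SQL injection)."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value separately from the SQL
    text, so the input can never change the statement's structure."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def render_bio(bio: str) -> str:
    """Output encoding for dynamic content: html.escape turns < > & " ' into
    entities, so stored markup is displayed as text instead of executed (XSS)."""
    return "<p>" + html.escape(bio, quote=True) + "</p>"


def csp_header() -> tuple:
    """A restrictive Content-Security-Policy response header: scripts and other
    resources only from the site's own origin, no plugins, no framing."""
    value = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    return ("Content-Security-Policy", value)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe :", find_user_unsafe(db, probe))  # every row comes back
    print("safe   :", find_user_safe(db, probe))    # no row is named that
    print(render_bio("<script>alert(1)</script>"))
    print(": ".join(csp_header()))
```

The same probe string returns every row through the concatenated query and nothing through the bound one, which is the whole point of the "parameterized queries" item; `render_bio` shows why the stored script tag is harmless once encoded on output.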
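The CSRF items (anti-CSRF tokens, SameSite cookies) and the upload items (restrict to required MIME types, authenticate before upload) are all "check before you act" controls. The Python block below is an added example and not part of the writeup: it issues a CSRF token bound to a session with an HMAC, verifies it with a constant-time comparison, builds a `Set-Cookie` value with `SameSite`, `HttpOnly` and `Secure`, and accepts an upload only when the declared MIME type, the file's magic bytes and an allowlist all agree. The session secret, session id, magic-byte table and allowlist are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets


def new_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Token = random nonce + HMAC(secret, session_id:nonce). Binding the MAC to
    the session id means a token stolen from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(session_secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_secret: bytes, session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(session_secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Set-Cookie header value: SameSite keeps the cookie off cross-site
    requests, HttpOnly hides it from scripts, Secure restricts it to HTTPS."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("use Strict or Lax for a session cookie")
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite={same_site}"


# Constructed magic-byte table and allowlist (assumption: the app only wants images).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}
ALLOWED_TYPES = {"image/png", "image/jpeg"}


def sniff_type(data: bytes):
    """Identify the real type from the leading bytes, ignoring the client's claim."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def accept_upload(authenticated: bool, declared_mime: str, data: bytes) -> bool:
    """Accept only if the user is authenticated, the sniffed type matches the
    declared type, and that type is on the allowlist."""
    if not authenticated:
        return False
    actual = sniff_type(data)
    return actual is not None and actual == declared_mime and actual in ALLOWED_TYPES


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # constructed per-deployment secret
    token = new_csrf_token(secret, "sess-123")
    print(verify_csrf_token(secret, "sess-123", token))   # True
    print(verify_csrf_token(secret, "sess-999", token))   # False, wrong session
    print(session_cookie("sid", "sess-123"))
    print(accept_upload(True, "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))  # True
    print(accept_upload(True, "image/png", b"<html>not an image"))             # False
```

Checking the magic bytes against the declared type closes the gap the checklist's MIME item points at: a client can claim any `Content-Type`, so the allowlist is applied to what the bytes actually are, and the upload directory itself should still have execution disabled as the later item says.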