Application Security Checklist

Key App Security Requirements

- Authentication and Authorization
  - Set up a third-party Identity Provider.
  - Prefer MFA.
  - Enforce the principle of least privilege.
- Data Protection
  - Encrypt data at rest and in transit.
  - Restrict storage access to authorized users only.
  - Securely delete data when it is no longer required.
- Input validation and sanitization
  - Prevents and mitigates attacks such as SQL injection or XSS.
- Secure Session Management
  - Poor session management can lead to session hijacking.
- Error Handling and Logging
  - Do not send error traces to the client.
  - Log user activity and errors.
- Configuration Management
  - Confirm that default settings are secure.
  - Disable unnecessary server features.
  - Regularly update and patch servers and applications.
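The Error Handling and Logging item above asks for two things at once: keep error traces away from the client, yet still log errors. The following added example (not part of the original checklist) shows both sides in Python: a leaky handler that returns the trace beside a safe one that records the full detail server-side under an opaque reference id and returns only that id to the client. The in-memory log sink and the failing request are constructed for the example.

```python
import logging
import traceback
import uuid

# In-memory log sink so the example runs offline (constructed for the example);
# a real deployment would ship these records to a central log collector.
SERVER_LOG: list[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        # The default formatter appends the traceback when exc_info is set.
        SERVER_LOG.append(self.format(record))


log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.addHandler(_ListHandler())
log.propagate = False


def leaky_response(exc: Exception) -> dict:
    """Anti-pattern: exception text and the stack trace go straight to the client,
    exposing file paths, library names and possibly query text."""
    return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}


def safe_response(exc: Exception, user: str, route: str) -> dict:
    """Log the full detail server-side under an opaque reference id and return
    only that id, so support staff can find the record without the client
    seeing any internals."""
    ref = uuid.uuid4().hex
    log.error("ref=%s user=%s route=%s exc=%r", ref, user, route, exc, exc_info=exc)
    return {"status": 500, "body": {"error": "Internal server error", "ref": ref}}


def handle_request(user: str, route: str, leaky: bool = False) -> dict:
    """Simulate a request whose handler raises (the failure is constructed)."""
    try:
        raise RuntimeError(
            f"db query failed for {route}: SELECT * FROM accounts WHERE owner='{user}'"
        )
    except RuntimeError as exc:
        return leaky_response(exc) if leaky else safe_response(exc, user, route)
```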
Security in Application Development Lifecycle

- Planning/requirement analysis
  - Identify security requirements.
    - Should include compliance requirements, data security needs, and user privacy.
  - Threat modeling.
- Design
  - The architecture should meet the security requirements identified.
  - Incorporate security controls for the identified threats.
  - Consider secure design principles like least privilege, defense in depth, and fail-safe defaults.
- Implementation/development
  - Leverage Static Application Security Testing (SAST) tools to scan the code for security issues.
  - Security-focused code reviews.
- Testing
  - Dynamic Application Security Testing (DAST) identifies vulnerabilities while the application is running.
  - Penetration testing.
- Deployment
  - Review before deployment.
  - Regularly conduct security audits.
  - Keep an eye out for server and operating system security patches.

Legal and compliance in App Security

- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA)

Utilize Threat Modeling

- Helps you understand:
  - potential attack vectors;
  - the damage these could cause;
  - the mitigation required to prevent or reduce that damage.

Practice shift-left security

- Implement security measures over the entire development cycle rather than waiting until it is nearly complete.

Provide security training for developers

Leverage application security testing tools

- SAST
- DAST