Application Security Checklist

best-practices documentation

Key App Security Requirements

  • Authentication and Authorization

    • Delegate authentication to an established third-party identity provider (OIDC or SAML) rather than building your own.

    • Prefer multi-factor authentication (MFA), and require it for administrative and other privileged accounts.

    • Enforce the principle of least privilege: grant each user and service only the permissions its role needs.

  • Data Protection

    • Encrypt data at rest and in transit (TLS for transport, authenticated encryption with managed keys for storage).

    • Restrict access to stored data to authorized users only.

    • Securely delete data once it is no longer required.

    • Input validation and sanitization

      • Prevents or mitigates injection attacks such as SQL injection and cross-site scripting (XSS). Validate input against an allow-list, but do not rely on validation alone: use parameterized queries for SQL and context-aware output encoding for HTML.

  • Secure Session Management

    • Poor session management (predictable IDs, no expiry, no ID rotation on login) leads to session hijacking and fixation. Generate session IDs from a CSPRNG, keep session state server-side, set the Secure, HttpOnly and SameSite cookie attributes, expire idle and long-lived sessions, and issue a new ID when the user logs in or changes privilege.
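An added example, not code from the original checklist, of a server-side session store that applies those rules: IDs come from `secrets`, sessions carry both an absolute lifetime and an idle timeout, `rotate` issues a fresh ID on login so a fixated ID stops working, and `session_cookie` builds the `Set-Cookie` value with the hardening attributes. The `SessionStore` class, the timeout constants and the injectable clock are choices made here for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 8 * 3600    # absolute lifetime in seconds (assumed policy value)
IDLE_TIMEOUT = 30 * 60    # inactivity timeout in seconds (assumed policy value)


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side sessions keyed by an unguessable random identifier."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock   # injectable so expiry can be tested deterministically

    def create(self, user_id: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG; never derive IDs from user data or time.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        # Enforce both the absolute lifetime and the idle timeout on every access.
        if now - sess.created > SESSION_TTL or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess

    def rotate(self, old_sid: str) -> Optional[str]:
        # Call on login or privilege change: the old ID (possibly planted by an
        # attacker via session fixation) is invalidated and a new one issued.
        sess = self.get(old_sid)
        if sess is None:
            return None
        del self._sessions[old_sid]
        return self.create(sess.user_id)

    def destroy(self, sid: str) -> None:
        # Logout must invalidate server-side, not just clear the cookie.
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    # Secure: TLS only. HttpOnly: not readable from script (limits XSS impact).
    # SameSite=Strict: not sent on cross-site requests (limits CSRF).
    # __Host- prefix: browser enforces Secure, no Domain attribute, Path=/.
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid))
    print(store.rotate(sid) != sid, store.get(sid))
```

The store here is an in-process dictionary; in production the same interface sits in front of a shared cache or database so that every application instance sees the same invalidations.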

  • Error Handling and Logging

    • Do not return stack traces or internal error details to the client; log them server-side and return a generic message with a correlation ID the user can quote to support.

    • Log security-relevant user activity and errors, and never log credentials, session tokens or other secrets.
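An added example, not code from the original checklist, of a request wrapper that keeps the full exception and traceback in the server log under a correlation ID while the client sees only a generic message, plus a small audit-log helper that strips newlines from user-controlled fields so a crafted username cannot forge extra log lines. The logger writes to an in-memory buffer so the example runs offline; `handle_request`, `log_event` and `log_output` are names chosen here for illustration, and the failing action with its internal hostname is constructed.

```python
import logging
import traceback
import uuid
from io import StringIO
from typing import Any, Callable, Dict

# Logger backed by an in-memory buffer so the example is self-contained.
_log_buffer = StringIO()
logger = logging.getLogger("app.security_example")
logger.setLevel(logging.INFO)
logger.propagate = False
_handler = logging.StreamHandler(_log_buffer)
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
logger.addHandler(_handler)


def _clean(value: Any) -> str:
    # User-controlled text must not contain line breaks, or it can inject
    # fake log records; collapse them to spaces before logging.
    return str(value).replace("\r", " ").replace("\n", " ")


def handle_request(user: str, action: Callable[[], Any]) -> Dict[str, Any]:
    """Run an action; on failure, log the full detail server-side and return a generic error."""
    try:
        return {"status": 200, "body": action()}
    except Exception as exc:
        correlation_id = uuid.uuid4().hex
        # Exception type, message and stack trace go to the server log only.
        logger.error(
            "request failed user=%s id=%s error=%r\n%s",
            _clean(user), correlation_id, exc, traceback.format_exc(),
        )
        # The client gets a fixed message and the ID, nothing about internals.
        return {
            "status": 500,
            "body": {"error": "Internal server error", "id": correlation_id},
        }


def log_event(user: str, event: str, **fields: Any) -> None:
    """Audit log for security-relevant activity. Callers must not pass secrets as fields."""
    extra = " ".join(f"{k}={_clean(v)}" for k, v in sorted(fields.items()))
    logger.info("audit user=%s event=%s %s", _clean(user), _clean(event), extra)


def log_output() -> str:
    """Return everything logged so far (stand-in for reading the log sink)."""
    return _log_buffer.getvalue()


if __name__ == "__main__":
    def failing_db_call():
        # Constructed failure containing an internal hostname the client must not see.
        raise ConnectionError("connection to db-primary.internal:5432 refused")

    print(handle_request("alice", failing_db_call))
    log_event("bob", "login_failed", ip="203.0.113.5", reason="bad_password")
    print(log_output())
```

Rather than hand-building the buffer, a real service would point the same logger at its log shipper; the part to keep is the split between what goes to the log record and what goes back over the wire.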

  • Configuration Management

    • Confirm that default settings are secure.

    • Disable unnecessary server features.

    • Regularly update and patch servers and applications.

Security in Application Development Lifecycle

  • Planning/requirement analysis

    • Identify security requirements, including compliance obligations, data security needs, and user privacy.

    • Threat modeling

  • Design

    • Architecture should meet the security requirements identified.

    • Incorporate security controls for identified threats.

    • Consider secure design principles like least privilege, defense in depth, and fail-safe defaults.

  • Implementation/development

    • Use Static Application Security Testing (SAST) tools to scan the code for security issues.

    • Security-focused code reviews.

  • Testing

    • Dynamic Application Security Testing (DAST) identifies vulnerabilities while the application is running.

    • Penetration testing

  • Deployment

    • Security review before deployment.

    • Regularly conduct security audits.

    • Monitor for and promptly apply server and operating system security patches.

  • Legal and compliance requirements in application security

    • General Data Protection Regulation (GDPR)

    • California Consumer Privacy Act (CCPA)

    • Health Insurance Portability and Accountability Act (HIPAA)

  • Use threat modeling

    • Identifies potential attack vectors

    • Estimates the damage each could cause

    • Determines the mitigations required to prevent or reduce that damage

  • Practice shift-left security

    • Build security measures in throughout the development cycle rather than waiting until the application is nearly complete.

  • Provide security training for developers

  • Leverage application security testing tools

    • SAST

    • DAST
