Web Application Security Design Inspection Questions
From Guidance Share
Revision as of 12:16, 18 December 2007; JD (Talk | contribs)
- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Summary
Use security design inspection questions when performing high-level design inspections. The questions put you in the right frame of mind for analyzing the design and the code. They are organized into categories that are both actionable and prone to security issues. You can also break your security inspection into chunks by category to support iterative or incremental approaches.
Deployment and Infrastructure Considerations
- Does the network provide secure communication?
- Does your deployment topology include an internal firewall?
- Does your deployment topology include a remote application server?
- What restrictions does infrastructure security impose?
- Have you considered Web farm issues?
- What trust levels does the target environment support?
Auditing and Logging
- Have you identified key activities to audit?
- Have you considered how to flow original caller identity?
- Have you considered secure log file management policies?
Authentication
- Do you separate public and restricted access?
- Have you identified service account requirements?
- How do you authenticate the caller?
- How do you authenticate with the database?
- Do you enforce strong account management practices?
Authorization
- How do you authorize end users?
- How do you authorize the application in the database?
- How do you restrict access to system-level resources?
Configuration Management
- Do you support remote administration?
- Do you secure configuration stores?
- Do you separate administrator privileges?
Cryptography
Exception Management
Input and Data Validation
Parameter Manipulation
- Do you validate all input parameters?
- Do you pass sensitive data in parameters?
- Do you use HTTP header data for security?
Sensitive Data
- Do you store secrets?
- How do you store sensitive data?
- Do you pass sensitive data over the network?
- Do you log sensitive data?
Session Management
- How are session identifiers exchanged?
- Do you restrict session lifetime?
- How is the session state store secured?