| Category | Vulnerability | Questions |
|---|---|---|
| SQL Injection | Non-validated input used to generate SQL queries | Is the application susceptible to SQL injection?<br>Does the code use parameterized stored procedures?<br>Does the code use parameters in SQL statements?<br>Does the code attempt to filter input? |
| Cross-Site Scripting | Unvalidated and untrusted input in the HTML output stream | Does the code echo user input or URL parameters back to a Web page?<br>Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page? |
| Input/Data Validation | Reliance on client-side validation<br>Use of input file names, URLs, or user names for security decisions<br>Application-only filters for malicious input | Does the code rely on client-side validation?<br>Is the code susceptible to canonicalization attacks?<br>Does the code validate data from all sources?<br>Does the code use a centralized approach to input and data validation? |
| Code Access Security | Improper use of link demands or asserts<br>Code allows untrusted callers | Does the code use link demands or assert calls?<br>Does the code use AllowPartiallyTrustedCallersAttribute?<br>Does the code use potentially dangerous permissions?<br>Does the code give dependencies too much trust? |
| Exception Management | Failing to use structured exception handling<br>Revealing too much information to the client | Does the code handle errors and exception conditions?<br>Does the application fail securely in the event of exceptions?<br>Does the application expose sensitive information in user sessions? |
| Impersonation | Revealing service account credentials to the client<br>Code executes with higher privileges than expected | Does the application use hard-coded impersonation credentials?<br>Does the application clean up properly when it uses impersonation? |
| Sensitive Data | Storing secrets in code<br>Storing secrets in clear text<br>Passing sensitive data in clear text over networks | Does the code store secrets?<br>Is sensitive data stored in predictable locations? |
| Cryptography | Using custom cryptography<br>Using the wrong algorithm or too small a key size<br>Failing to secure encryption keys<br>Using the same key for a prolonged period of time | Does the code use custom cryptographic algorithms?<br>Does the code use the correct algorithm and an adequate key size?<br>Does the code generate random numbers for cryptographic purposes?<br>How does the code manage and store encryption keys? |
| Unsafe Code | Buffer overrun in unmanaged code or code marked /unsafe<br>Integer overflow in unmanaged code or code marked /unsafe<br>Format string problem in unmanaged code or code marked /unsafe<br>Array out of bounds in unmanaged code or code marked /unsafe | Is the code susceptible to buffer overruns?<br>Is the code susceptible to integer overflows?<br>Is the code susceptible to format string problems?<br>Is the code susceptible to array out-of-bounds errors? |
| Potentially Dangerous Unmanaged APIs | A potentially dangerous unmanaged API is called improperly | Does the code call potentially dangerous unmanaged APIs? |
| Auditing and Logging | Sensitive data revealed in logs | Does the application log sensitive data? |
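The SQL Injection row asks whether the code uses parameters in SQL statements or parameterized stored procedures. As an added example that is not part of the original checklist, the following C# shows what a reviewer is looking for: the concatenating method fails the review and the two parameterized methods pass it. The connection string, the Customers table and the dbo.GetCustomerByName procedure are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
// Added illustration of the SQL Injection row, not code from the original checklist.
// ConnStr, the Customers table and dbo.GetCustomerByName are assumed.
public static class CustomerLookup
{
    const string ConnStr = "Server=(local);Database=Shop;Integrated Security=true";

    // FAILS the review: non-validated input is concatenated into the SQL text, so a
    // quote inside userName ends the literal and the remainder runs as SQL.
    public static DataTable FindUnsafe(string userName)
    {
        string sql = "SELECT * FROM Customers WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
            return Execute(cmd);
    }

    // PASSES: the SQL text is constant and the value travels as a typed parameter.
    public static DataTable FindWithParameter(string userName)
    {
        const string sql = "SELECT * FROM Customers WHERE UserName = @UserName";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            return Execute(cmd);
        }
    }

    // PASSES: parameterized stored procedure; the input is still a parameter.
    public static DataTable FindWithProcedure(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("dbo.GetCustomerByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            return Execute(cmd);
        }
    }

    // SqlDataAdapter.Fill opens and closes the connection itself.
    static DataTable Execute(SqlCommand cmd)
    {
        var table = new DataTable();
        using (var adapter = new SqlDataAdapter(cmd)) adapter.Fill(table);
        return table;
    }
}
```

The length argument to Parameters.Add also bounds the value, which is the kind of server-side validation the Input/Data Validation row asks about.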