Web Application Security Design Inspection Questions
From Guidance Share
- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Use these security design inspection questions when performing high-level design inspections. The questions put you in the right frame of mind when analyzing the design and code, and they are organized into categories that are both actionable and tend to harbor security issues. You can also break the inspection into chunks by category to support an iterative or incremental approach.
- Does the network provide secure communication?
- Does your deployment topology include an internal firewall?
- Does your deployment topology include a remote application server?
- What restrictions does infrastructure security impose?
- Have you considered Web farm issues?
- What trust levels does the target environment support?
- Have you identified key activities to audit?
- Have you considered how to flow original caller identity?
- Have you considered secure log file management policies?
- Do you separate public and restricted access?
- Have you identified service account requirements?
- How do you authenticate the caller?
- How do you authenticate with the database?
- Do you enforce strong account management practices?
- How do you authorize end users?
- How do you authorize the application in the database?
- How do you restrict access to system-level resources?
- Do you support remote administration?
- Do you secure configuration stores?
- Do you separate administrator privileges?
- Do you validate all input parameters?
- Do you pass sensitive data in parameters?
- Do you use HTTP header data for security?
- Do you store secrets?
- How do you store sensitive data?
- Do you pass sensitive data over the network?
- Do you log sensitive data?
- How are session identifiers exchanged?
- Do you restrict session lifetime?
- How is the session state store secured?