Application Security Review Checklist

This application security review checklist has been designed to address secure application design. Please provide your feedback to ketan.vyas@tcs.com or security.feedback@tcs.com.

1. Generic
1.1. How important is this application to the enterprise business?
1.2. What is the application classification? (Is it a High, Medium or Low risk application?)
1.3. What effort has been put in for application security at the various stages of the project lifecycle? (Note: Please provide absolute and % numbers)

2. Functionality
2.1. Is the application tested for full functionality on a production-equivalent machine? Please attach the functional test plan, all test cases, test methods, test results and closure reports.
2.2. Is threat modeling done for the application? (Please attach document)
2.3. Is there a diagnostics utility available?
2.4. Is there a document with data validation criteria?
2.5. What privileges are required to run the application client? (e.g. normal, administrative, power user)
2.6. What are the administration functions within the application?
2.7. Does the application print any data on the console?
2.8. What are the dependencies for application execution? (e.g. .NET 2.0)
2.9. Are developer comments present in production code?
2.10. Do all logical decisions have a default clause?
2.11. Does the application have dependencies on platform functionality or use system-specific libraries? (e.g. encryption is OS specific)

3. Development environment
3.1. What platforms, tools, technologies and languages are used for application development?
3.2. Is any framework used for application development? (e.g. Struts)
3.3. Is unmanaged code used in the application, or are calls to unmanaged code made from the application?
3.4. What is the mechanism to track security defects (vulnerabilities)?
3.5. How is source code control managed?
3.6. What is the policy for providing access rights to the various teams?
3.7. What is the current snapshot of access on the source code control system?
3.8. Are any development or debug backdoors present in production code?
3.9. Does the application make use of any virtual machine or emulation technology in order to operate?

4. Compliance management
4.1. What are the compliance needs for the application?
4.2. Do you have a document that maps compliance needs to application functionality or architecture?
4.3. Is any open source or freeware component used in the application?
4.3.1. If yes, is the license vetted by legal?

5. Surface definition
5.1. Are there any screens that a user can access without authentication?
5.1.1. If yes, did the business team review the possibility of a security breach?
5.2. Has data been segregated into public, restricted and administrative zones?
5.2.1. If yes, do you have functional segregation for what accesses this data?

6. Least privileges
6.1. Are there application accounts that have system privileges?
6.2. Does the application execute operating system commands?
6.3. Are APIs available for add / delete / modify features?
6.4. Is the account used to access the database a least privileged account?
6.5. Is the server running with a nobody (least privilege) account?
6.6. Has an ACL matrix been created?
6.6.1. If yes, is the first line default deny?
6.7. Are administrative functions restricted with IP based restrictions?

7. Data security
7.1. What data is processed by the application?
7.2. Is any personally identifiable information processed by the application?
7.3. How is data created, acquired, processed, transferred, stored, retrieved and deleted from the application?
7.4. Explain the data flow for the application. Attach documents if necessary.
7.5. Is there a utility for application data sanity check and reconciliation?
7.6. Does the application export data?
7.6.1. If yes, what are the security considerations for data export?
7.7. Are constant numbers or strings hardcoded into the application?
7.7.1. If yes, for what purpose are they used?
7.8. For web applications, is all sensitive data sent only through the POST method, and is any request sent via the GET method rejected?

8. Communication security
8.1. What is the client and server communication protocol? (For a multitier application, client and front tier communication)
8.2. What is the inter-component communication mechanism? (e.g. HTTP, JDBC, named pipes, sockets, shared memory, temp files, registry etc.)
8.3. Are all protocols used for communication secure?
8.4. What are the external interfaces for the application? (e.g. HTTP, RMI, DCOM, modem, serial links, SOAP)

9. Trust relationship
9.1. Do you have a document that defines trust boundaries for each component of the application?
9.2. Do you have a functionality vs role matrix?
9.3. Does any application component have a trust dependency on an external system?
9.4. Is there a third party or freeware (or open source) component used in your application? (e.g. JGraph, Log4j)

10. Authentication
10.1. Is authentication mandatory to gain access to application functionality and data?
10.2. Is a unique account created for each user?
10.3. Does the application provide for integration with the enterprise identity management system?
10.4. What type of authentication token mechanism is used? (e.g. form based, RSA)
10.5. What authentication protocol is used? (e.g. LDAP, Kerberos)
10.6. Do network and application authentication use the same set of credentials for each user?
10.7. Are successful and failed login details logged?
10.7.1. If yes, what data is logged?
10.8. Are there service accounts available? (e.g. maintenance, default accounts)
10.9. Can the application automatically lock a user account after a predetermined number of consecutive unsuccessful logon attempts? What is the maximum unsuccessful attempt count?
10.10. Does the application enforce a password change during first time login?
10.11. What is the account re-enabling policy and how is it implemented?
10.12. How are authentication tokens stored? (e.g. Active Directory, database)
10.13. What is the mechanism to renew authentication tokens? (e.g. 30 days)
10.14. Can the user renew the authentication token at any time?
10.15. Can the user renew the authentication token at any time?
10.16. Is the complexity of the authentication token configurable? (e.g. password complexity)
10.16.1. If yes, what is the complexity policy?
10.17. Is there an authentication token expiration policy?
10.18. Does the application prevent users from using previous authentication tokens?
10.19. Is the authentication token communicated and stored encrypted and unviewable to administrators?
10.20. Are authentication tokens stored in plain text format?
10.21. What is the password change mechanism?
10.22. What is the account creation process?
10.23. How are temporary accounts managed?

11. Authorization
11.1. Is role based access control (RBAC) available for the application?
11.2. What roles are available in the application?
11.3. Do you have a Role Functionality Data matrix?
11.4. Are users assigned least privileges at the time of creation?
11.5. How is authorization enforced in the application?
11.6. Is authorization checked for every request?
11.7. Is an external authorization framework used? (e.g. IAM, SiteMinder)
11.8. How does each component in the application enforce authorization?
11.9. How are authorization tokens stored and communicated? (e.g. cookie, hidden parameter, session)
11.10. Are successful and failed authorization details logged?
11.11. If yes, what data is logged?
11.12. Is there a mechanism for authorization review?
11.13. Is it possible to remove a user's access privileges without deleting the user account?

12. Accounting and logging
12.1. Are logging timestamps synchronized with NTP and with other applications and systems?
12.2. What application events and data are logged?
12.3. How are application events logged?
12.4. What data is written to the log?
12.5. Is sensitive data logged?
12.6. If data is encrypted during logging, what algorithm is used?
12.7. What is the format of the log? Can it be exported to a database for further processing?
12.8. Is it possible to distinguish events and errors in the log?
12.9. Is an external tool / library used for logging? (e.g. Log4j)
12.10. Is there a centralized logging mechanism? (e.g. syslog)
12.11. How are logs stored and retrieved?
12.12. Are user inputs logged?
12.12.1. If yes, under what conditions are they logged?
12.12.2. Is input validation done before logging?
12.13. Are authentication events logged?
12.14. Are authorization events logged?
12.15. Are configuration changes logged?
12.16. Are sensitive actions logged?
12.17. Are errors and exceptions logged?
12.18. Are user/role/privilege changes always logged?
12.19. Are all administrative events logged?
12.20. Are failed functional calls logged by the application?
12.21. Does the application have configuration for inclusion or exclusion of events in logging?
12.22. What is the application behavior when the log exceeds its capacity? (e.g. the application will suspend, start a new log or overwrite the existing log)
12.23. What is the maximum size limit for logging one event?

13. Log management
13.1. Where are log files stored?
13.2. What are the privileges for log files?
13.3. Are log files written on write-once media?
13.4. Who has access to the logs?
13.5. Can the system administrator access application logs?
13.6. What is the log backup and retention policy?

14. Error & exception handling
14.1. What is the mechanism to handle errors and exceptions?
14.2. Is centralized exception management deployed?
14.3. Is an external framework or component used for exception handling?
14.4. How are errors and exceptions logged?
14.5. Is there a mechanism to generate security alerts on specific errors or exceptions?
14.6. Are there empty try/catch blocks in the application source?
14.7. Are stack traces logged or shown on the console?
14.8. How are application errors displayed to end users?
14.9. Are user inputs displayed as part of error messages?

15. Session management
15.1. What type of session identifiers are used in the application?
15.2. How are session identifiers generated? (e.g. before authentication, after authentication)
15.3. Is a framework based session identifier used?
15.4. How are session identifiers communicated to the client?
15.5. Are session identifiers communicated over unencrypted channels?
15.6. Do client-side session placeholders carry data? (e.g. employee ID, role, application state)
15.7. Under what conditions are sessions renewed for the same account?
15.8. Does the application permit reuse of expired session identifiers?
15.9. Are user login and logout events captured for audit?
15.10. Does the application automatically log a user off after a predefined period of inactivity?
15.11. What is the session expiration time for inactive users?
15.12. Does the application force logout of a user after a predefined period of activity (even when the user is not idle)?
15.13. When a user logs out, are server-side session details and client-side cookies removed?
15.14. How is the session identifier stored? (e.g. in memory, database, cache)
15.15. Is it possible to cache the session token at a proxy?
15.16. Prior to critical transactions (or functions or actions), is the existing session token expired and a new session generated?
15.17. Does the application allow a user to use the application from more than one machine at the same time with the same account?
15.17.1. If yes, please specify the reason.
15.18. Does the application allow a user to use two accounts from the same machine to access the application?
15.18.1. If yes, please specify the reason.
15.19. What is the application flow once an invalid session is identified?
15.20. What is the application flow after a logout event?

16. Cookie management
16.1. What information is stored in cookies?
16.2. Is authorization information stored in a cookie?
16.3. Is data encrypted when it is stored in a persistent cookie?
16.4. Is there a document that defines all cookies used in the application, with reasons?
16.5. Do cookies travel in an encrypted manner?
16.6. Are cookies validated to detect manipulation?
16.7. Are only non-persistent cookies used, and if persistent cookies are used, what is the expiry time?

17. Input validations
17.1. What types of inputs are accepted by the application? (e.g. user input, text files, feeds, binary files, XML files, picture files)
17.1.1. If files are accepted as input, what formats are supported by the application?
17.1.2. Are XML inputs validated through a schema?
17.2. Are all external inputs examined and validated?
17.2.1. If no, what inputs are not validated by the application? (Please provide details with reason)
17.3. Are inputs normalized into a common format during processing?
17.4. Is input validation logic centralized or decentralized?
17.5. What are the input validation criteria for each input? (Please supplement with a document)
17.6. Is each request checked to ensure that all input (e.g. headers, input fields, cookies, hidden fields, drop down lists and other web components) is properly validated?
17.7. Is input validation done on known good data, known bad data or both?
17.8. Are messages for the end user generic or input specific?
17.9. Which validation failures are logged by the application?
17.10. Does the application support client-side validation?
17.11. How does validation take place at the server side?
17.12. Is input validation done for business logic only?
17.13. Does the application perform encoding of output data?
17.14. Are any third party validation libraries used? (e.g. Microsoft Anti-XSS)

18. Database interactions
18.1. Where are access credentials for data stored?
18.2. Are database users and system users different?
18.3. Is sensitive data kept in the database encrypted?
18.4. Which application components directly access the database?
18.5. How are database queries constructed within application components?
18.6. How is input passed to queries?
18.7. Do stored procedures directly receive user inputs?
18.8. Does the application make use of any dynamically constructed query statements?
18.9. Does the application make use of prepared statements for all queries?
18.10. Is application data exported to external sources?
18.11. Are communications to and from the database server encrypted?

19. Securing runtime files
19.1. Are temporary files used in the application?
19.1.1. If yes, where are they created?
19.2. What is the naming convention for creating temporary files?
19.3. What privilege level is required to access a temporary file?
19.4. How are temporary files removed from disk?

20. Encryption & random numbers
20.1. Does the application use cryptography?
20.1.1. What algorithms are used?
20.1.2. What is the key strength?
20.1.3. Where are keys stored?
20.1.4. What is the key rotation policy?
20.2. How is cryptography used in communication?
20.3. How are random numbers generated in the application?
20.4. Are certificates used in authentication? (e.g. X.509)
20.5. How does the application use cryptography in data storage? (e.g. encrypted file systems, database)
20.6. Is the application integrated with PKI infrastructure?

21. Client side security
21.1. Are there client-side dependencies for the application to run? (e.g. IE 6.0 or above, Flash plug-in)
21.2. For web applications, is lowering browser security required?
21.3. What runtime resources does the application need from the client?
21.4. Does the application use active content?
21.4.1. Is it reviewed independently?
21.4.2. Does active content run privileged tasks?
21.5. Does the application client modify operating system properties?
21.6. Are client-side certificates used for the application?

22. Date & time
22.1. How is date and time processing done in the application?

23. Administrative interface
23.1. Is administrative functionality available for the application?
23.2. How is user administration performed?
23.3. Are administrative users allowed to perform administration from any machine?
23.4. Do administration functions use the same runtime environment as the normal user interface?
23.5. Is it possible to hand over some of the administrative functionality to the helpdesk?
23.6. Is the application compatible with virus scanning software for the removal and prevention of malicious code?
23.7. Is user impersonation allowed in the application? (e.g. through the helpdesk)

24. User manual
24.1. Is there a user manual available to provide guidance on establishing and managing security controls in the application? (e.g. user access, auditing)
24.2. Does the user manual explain each error or message in detail, telling the end user what actions are required?

25. Deployment & hosting
25.1. Is the application internet facing?
25.2. How is the application hosted? (Please provide physical and logical diagrams)
25.3. Which are the single points of failure in the hosting architecture?
25.4. Are the deployment platform OS and the web/app/middleware/database servers configured with a recognized security configuration benchmark?
25.5. Is network penetration testing done on the deployment platform?
25.6. Is it possible to make changes to the server and client operating systems without impacting the application?
25.7. Are changes to the deployment platform permitted without violating the warranty or support agreement?
25.8. How are end users notified of updates to the application?
25.9. What ports are open on the production server?
25.10. What is the storage architecture? (Please attach document with diagrams)
25.11. Does the application use file system permissions to control access?
25.12. What are the installation requirements for the application?
25.13. Does the application install any sample code, scripts or examples on the production server?

26. Configuration management
26.1. How are application updates handled?
26.2. Does configuration follow the startup sequence each time, and are failures logged?
26.3. Is a production server configuration document available?
26.4. Is the default configuration used for any product?
26.5. Are test or service accounts present on the production server?
26.5.1. If yes, please specify the reason.
26.5.2. If no, please specify how maintenance activities are carried out.
26.6. Are connection strings and credentials encrypted in configuration or property files?
26.7. Are secure protocols used to manage configurations? (e.g. SSH)

27. Integrity management
27.1. Is the log file setting immutable or append-only?
27.2. Are application configuration files read-only?
27.3. Is the end user asked for file names while loading or saving application-specific files?
27.4. Is the hash of sensitive directories checked periodically?
27.5. Is the user/role permission matrix periodically reviewed?
27.6. Is server synchronization periodically reviewed?

28. Patch management
28.1. Is a dedicated resource available for patch management activity?
28.2. Are the dedicated resource's details communicated to all product vendors so that patch availability is notified immediately?
28.3. Are patches tested on a test server under full load conditions before they are applied to production systems?
28.4. Is network security testing done after patches are applied on the production server?

29. Upgrade management
29.1. Are users notified about critical bugs, fixes and failures?
29.2. When products are upgraded, what configuration checks are done?
29.3. What is the backup plan in case the rollout fails?
29.4. How many previous versions are supported in parallel in a multi-release scenario?

30. Backup management
30.1. What is the backup architecture?
30.2. What is the periodicity of application data, configuration and log backups?
30.3. How is backup restoration checked?
30.4. Is it possible to carry out backups concurrently without impacting the application?

31. Emergency response plan
31.1. What is the emergency response plan if the application is hacked?
31.2. What is the plan if the application or any of the servers crash?

32. Security testing
32.1. Has independent security testing been done? (Please attach test report and closure report)