
info@certifiedsecure.nl
Tel.: 070 - 310.13.40
Fax: 070 - 310.13.41
Joseph Ledelstraat 92
2518 KM Den Haag

Certified Secure Advanced Web Application Audit Checklist


About
This checklist is made freely available by Certified Secure. For Certified Specialists an annotated
version is available in the Portal. Certified Secure also provides training and certification based on this
checklist, visit www.certifiedsecure.nl or contact info@certifiedsecure.nl for more information.

Scope
This checklist should be used when the Basic Web Application Audit Checklist is completed without
incident and a more thorough audit is desired. This checklist must always be used and presented as
an extension of the Basic Web Application Audit Checklist.

Usage
This checklist must only be used once the Basic Web Application Audit Checklist is completed without
incident. The Basic Web Application Audit Checklist and its results should always be included when
presenting the results of this checklist.
Every test on the checklist should be performed or explicitly marked as being not applicable. Once a
test is completed the checklist should be updated with the appropriate result icon and an optional
document cross reference. The filled-in checklist should not be delivered stand-alone but should be
incorporated in a document specifying at least the results, scope and context of the performed tests.

License
This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 Netherlands
License. The complete license text can be found online at http://creativecommons.org/licenses/by-nd/3.0/nl/.
Contact Certified Secure if you want to receive a printed copy.

Result Icon Legend

Icon: Explanation
Okay icon: Test was performed and results are okay
Attention icon: Test was performed and results require attention
Not applicable icon: Test was not applicable

Document: Certified Secure Advanced Web Application Audit Checklist
Version: 2.0
Released: 2008-02-14

Checklist items (each row in the original table also has a Result column and a Ref column)

1.0 Documentation
1.1 The possible attackers of the application must be documented
1.2 All information stored for/by the application must be documented
1.3 The security related risks of the application must be documented
1.4 The feasibility and impact of each security risk must be documented
1.5 Known security issues of all 3rd party software must be documented

2.0 Audit Log
2.1 An audit log must be implemented
2.2 The audit log must include a priority system
2.3 The audit log must not log user credentials
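Added example for items 2.2 and 2.3 (not part of the Certified Secure checklist and not code from Certified Secure): a small audit logger with an explicit priority system that scrubs credential fields before anything is written. The priority names, the field names in SENSITIVE_KEYS and the sample events are assumptions chosen for illustration.

```python
import logging
from io import StringIO

# 2.2: an explicit priority system, mapped onto the stdlib logging levels.
# The four names are assumed; use whatever scale the application documents.
PRIORITY = {"LOW": logging.INFO, "MEDIUM": logging.WARNING,
            "HIGH": logging.ERROR, "CRITICAL": logging.CRITICAL}

# 2.3: field names whose values must never reach the log (assumed names).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "secret", "token",
                  "authorization", "cookie", "session_id"}


def scrub(details):
    """Return a copy of an event's details with credential fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in details.items()}


def format_event(priority, actor, action, details):
    """Build one audit line: priority, who, what, and the scrubbed context."""
    if priority not in PRIORITY:
        raise ValueError(f"unknown priority {priority!r}")
    ctx = " ".join(f"{k}={v}" for k, v in sorted(scrub(details).items()))
    return f"{priority} actor={actor} action={action} {ctx}".rstrip()


def make_audit_logger(stream):
    """Dedicated 'audit' logger writing to the given stream (file in practice)."""
    logger = logging.getLogger("audit")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False  # keep audit events out of the application log
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger.addHandler(handler)
    return logger


def audit(logger, priority, actor, action, **details):
    """Emit one audit event; returns the line so callers can test it."""
    line = format_event(priority, actor, action, details)
    logger.log(PRIORITY[priority], line)
    return line


if __name__ == "__main__":
    buf = StringIO()
    log = make_audit_logger(buf)
    # Constructed sample: a failed login must be logged, the password must not.
    audit(log, "HIGH", "alice", "login_failed",
          username="alice", password="hunter2", ip="198.51.100.7")
    print(buf.getvalue(), end="")
```

Scrubbing happens in format_event, before the record exists, so no handler or formatter can leak the raw value; the same function is the single place to extend when the application adds new credential-bearing fields.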

3.0 Multi-system Services
3.1 Servers must not be trusted without explicit authentication
3.2 All inter-system communications must use at least SSL/TLS or IPsec

4.0 Design
4.1 The user interface layer must be separated from the logic and data layer

5.0 Information Disclosure
5.1 Debug functionality must not exist on live systems
5.2 HTTP headers must not contain internal IP addresses

6.0 Authentication and Authorization
6.1 Authentication must be performed at a central location
6.2 Authentication must be enforced by the web-server configuration
6.3 The use of secure passwords must be enforced
6.4 Password brute forcing must be prevented
6.5 Production passwords must not be stored alongside the source code
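Added example for items 6.3 and 6.4 (not part of the Certified Secure checklist and not code from Certified Secure): a password-policy check and a sliding-window throttle for failed logins, keyed on both the account and the source address. The length and character-class thresholds, the short deny-list, the verify callback and the sample credentials are assumptions chosen for illustration.

```python
import time
from collections import deque

MIN_LENGTH = 12
# Constructed, deliberately short deny-list; production would use a large one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_is_secure(pw):
    """6.3: minimum length, at least three character classes, not on the deny-list."""
    if len(pw) < MIN_LENGTH or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3


class LoginThrottle:
    """6.4: count recent failures per account and per source IP; lock when either
    exceeds the limit. Checking the IP as well limits how much one client can
    lock out other people's accounts. `clock` is injectable for testing."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = {}  # (kind, key) -> deque of failure timestamps

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, username, ip):
        now = self.clock()
        return (len(self._recent(("user", username), now)) >= self.max_failures
                or len(self._recent(("ip", ip), now)) >= self.max_failures)

    def record_failure(self, username, ip):
        now = self.clock()
        self._recent(("user", username), now).append(now)
        self._recent(("ip", ip), now).append(now)

    def record_success(self, username):
        self._failures.pop(("user", username), None)


def attempt_login(throttle, verify, username, password, ip):
    """Returns 'locked', 'ok' or 'failed'. `verify` is the application's real
    credential check (assumed); it is not called at all while locked."""
    if throttle.is_locked(username, ip):
        return "locked"
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip)
    return "failed"


if __name__ == "__main__":
    # Constructed demo credential store standing in for the real check.
    verify = lambda u, p: (u, p) == ("alice", "Correct-Horse-Battery9")
    t = LoginThrottle(max_failures=3, window_seconds=60)
    for _ in range(3):
        print(attempt_login(t, verify, "alice", "wrong", "198.51.100.7"))
    print(attempt_login(t, verify, "alice", "Correct-Horse-Battery9", "198.51.100.7"))
```

The lockout state returned by attempt_login is also the event the audit log (section 2) should record, without the attempted password.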

7.0 User Input
7.1 User input must be validated at a central location

8.0 Sessions
8.1 The secure flag must be set on the session cookies


8.2 The httponly flag must be set on the session cookies
8.3 Session-ids must only be usable from a single IP address
8.4 Sessions must be revoked if the session-id is not received via HTTPS
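Added example for items 5.2, 8.1 and 8.2 (not part of the Certified Secure checklist and not code from Certified Secure): an auditor's check over a captured HTTP response header block that reports internal IPv4 addresses in any header and session cookies set without the Secure or HttpOnly flag. The responses are constructed, the session cookie names are assumptions to extend for the application under audit, and only IPv4 is scanned. Items 8.3 and 8.4 describe server-side behaviour and cannot be verified from one response; they need a second request with a changed source address or over plain HTTP.

```python
import ipaddress
import re

# What the checklist means by "internal": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Assumed session cookie names; add the application's own.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid",
                        "sessionid", "sid"}

# Constructed responses: one with the weaknesses, one corrected.
WEAK_RESPONSE = """HTTP/1.1 302 Found
Server: Apache
Set-Cookie: PHPSESSID=a1b2c3; Path=/
Set-Cookie: theme=dark; Path=/
Location: http://192.168.10.5/app/home
X-Backend: 10.0.0.7:8080
Content-Length: 0
"""
HARDENED_RESPONSE = """HTTP/1.1 302 Found
Server: Apache
Set-Cookie: PHPSESSID=a1b2c3; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
Location: https://www.example.com/app/home
Content-Length: 0
"""


def parse_response_headers(raw):
    """Split a raw response into (status line, [(lower-case name, value), ...])."""
    lines = raw.strip().splitlines()
    status_line, headers = lines[0], []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def internal_ip_findings(headers):
    """5.2: any header value carrying an address from INTERNAL_NETS."""
    findings = []
    for name, value in headers:
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. an octet above 255; not an address
            if any(ip in net for net in INTERNAL_NETS):
                findings.append(("5.2", name, candidate))
    return findings


def session_cookie_findings(headers):
    """8.1 / 8.2: session cookies must carry the Secure and HttpOnly flags."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        if cookie_name.lower() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for 8.1/8.2
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(("8.1", cookie_name, "missing Secure flag"))
        if "httponly" not in attrs:
            findings.append(("8.2", cookie_name, "missing HttpOnly flag"))
    return findings


def audit_response(raw):
    """All findings for one response, tagged with the checklist item."""
    _, headers = parse_response_headers(raw)
    return internal_ip_findings(headers) + session_cookie_findings(headers)


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print(finding)
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

Run it against a response saved from the real application (after the basic checklist, as the Usage section requires) and record each finding under its item number in the Ref column.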

9.0 PHP Configuration
9.1 The service must enforce the use of the open_basedir setting
9.2 The service must enforce the use of the safe_mode setting
9.3 The service must enforce the disabling of the register_globals setting
9.4 The service must enforce the use of the magic_quotes setting
9.5 The service must enforce the disabling of the display_errors setting
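Added example for items 9.1 to 9.5 (not part of the Certified Secure checklist and not code from Certified Secure): a php.ini audit that parses the file the way PHP reads it (semicolon comments, quoted values, PHP's On/Off booleans) and reports each directive that does not match the checklist. The two ini fragments are constructed. One caveat for the present day: safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current PHP release the script reports them as absent and items 9.2 to 9.4 are marked not applicable rather than failed.

```python
# Constructed php.ini fragment with the weak settings an auditor might find.
WEAK_INI = """
[PHP]
; error handling
display_errors = On
register_globals = On
magic_quotes_gpc = Off
safe_mode = Off
open_basedir =
"""

# The same directives set as the checklist requires.
HARDENED_INI = """
[PHP]
display_errors = Off
register_globals = Off
magic_quotes_gpc = On
safe_mode = On
open_basedir = /var/www/app:/tmp
"""


def strip_comment(line):
    """Cut at the first ';' that is not inside double quotes (PHP ini rules)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_php_ini(text):
    """Return {directive (lower-case): value} ignoring sections and comments."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def php_bool(value):
    """PHP treats 1/On/True/Yes as true; everything else (Off, 0, '') as false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


# (item, directive, predicate on the observed value or None if absent, message)
CHECKS = [
    ("9.1", "open_basedir", lambda v: bool(v),
     "open_basedir must restrict the paths PHP may open"),
    ("9.2", "safe_mode", lambda v: v is not None and php_bool(v),
     "safe_mode must be On"),
    ("9.3", "register_globals", lambda v: v is not None and not php_bool(v),
     "register_globals must be explicitly Off"),
    ("9.4", "magic_quotes_gpc", lambda v: v is not None and php_bool(v),
     "magic_quotes_gpc must be On"),
    ("9.5", "display_errors", lambda v: v is not None and not php_bool(v),
     "display_errors must be explicitly Off"),
]


def audit_php_ini(text):
    """Findings as (item, directive, observed value or 'absent', message)."""
    settings = parse_php_ini(text)
    findings = []
    for item, directive, ok, message in CHECKS:
        value = settings.get(directive)
        if not ok(value):
            findings.append((item, directive,
                             "absent" if value is None else value, message))
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(WEAK_INI):
        print(finding)
    print("hardened:", audit_php_ini(HARDENED_INI))
```

The checklist says the service must enforce these settings, so the file to audit is the one the web server actually loads (the output of phpinfo() or php --ini names it), and any php_admin_value overrides in the web-server configuration count as well.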

10.0 Miscellaneous
10.1 Application or setup specific problems
