Secure Code Checklist

The document outlines a checklist for secure code review, listing various security practices and their status as 'Not Set'. It emphasizes the importance of validating user input, securing sensitive data, and implementing proper authentication and authorization checks. Additionally, it provides links to various resources for further guidance on secure coding practices.

Uploaded by nivedha raju
© All Rights Reserved

| Test Case | Is Vulnerable? |
|---|---|
| Site is partitioned into private and public URLs | Not Set |
| Sensitive data is not hardcoded in configuration files | Not Set |
| Sensitive data is only transmitted over an SSL connection | Not Set |
| User credentials are encrypted using framework/library using a stret | Not Set |
| n/a | |
| Session cookies are encrypted and have a length of at least 128 bits | Not Set |
| Session cookies are not persistent | Not Set |
| Session cookies use cookie attributes httponly, secure, samesite | Not Set |
| Strong passwords are enforced | Not Set |
| Users are unable to login over GET, only POST | Not Set |
| Block ciphers operate in CBC and IV values are not reused | Not Set |
| Salts are unique per user, have over 64 bits of secure random data | Not Set |
| Sensitive transactions require re-authentication | Not Set |
| Authentication and Authorization checks are done on each private re | Not Set |
| Authorization checks are granular, per page / directory / action | Not Set |
| Authorization checks are appropriate for each HTTP Verb the applicat | Not Set |
| Session tokens are not passed in URLs | Not Set |
| Session Cookies expire in a reasonable amount of time | Not Set |
| Logout will invalidate the session | Not Set |
| All user input is validated for proper type, length, format and range | Not Set |
| Validation on user input is done server side | Not Set |
| Uploaded files are validated for content type, size, file type and file | Not Set |
| Special characters are sanitized before being used in external system | Not Set |
| Are invalid input values handled | Not Set |
| All page output is properly encoded | Not Set |
| All header output is URL encoded | Not Set |
| Cache headers are properly set on sensitive data | Not Set |
| Security headers are properly set on the application | Not Set |
| Sensitive Application information is not revealed to the user | Not Set |
| Error messages don't reveal sensitive information | Not Set |
| Error messages aren't user controllable | Not Set |
| Sensitive data has been secured in memory, storage and transit | Not Set |
| Sensitive data doesn't leak to non-private channels | Not Set |
| All sensitive user actions are logged with the following: Where, W | Not Set |
| All sensitive system actions are logged with the following: Where | Not Set |
| Sensitive info is not logged | Not Set |
| User input is sanitized and validated before being placed in applicati | Not Set |
| Dependencies are up to date | Not Set |
| Code has no back doors | Not Set |
| Dev and test code are properly segregated | Not Set |
| Check for known bad ciphers (RC4), cryptographic hash functions | Not Set |
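The session-cookie, cache-header and security-header rows above can be checked mechanically against a captured HTTP response. The following is an added example for this page, not code from the original spreadsheet: it parses each `Set-Cookie` header, checks the `HttpOnly`, `Secure` and `SameSite` attributes, flags persistent cookies (`Expires`/`Max-Age`), estimates whether the token can carry at least 128 bits, verifies the usual security headers and `Cache-Control: no-store`, and looks for session-token names in a URL query string. The list of required headers, the token-name hints and the two sample responses are constructed assumptions, not values from the checklist.

```python
"""Audit an HTTP response (and a request URL) against the session-cookie,
cache and security-header rows of the checklist.
Added example for this page, not code from the original spreadsheet."""
import math
import string
from urllib.parse import parse_qsl, urlsplit

# Constructed heuristics: query-parameter names that usually carry a session token
TOKEN_PARAM_HINTS = ("sess", "sid", "token", "auth", "jwt")
# Assumed meaning of the row "Security headers are properly set on the application"
REQUIRED_SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def token_bits(token):
    """Upper bound on the bits a token string can carry, from its alphabet:
    hex gives 4 bits/char, base64/base64url 6, anything else log2(alphabet)."""
    if not token:
        return 0
    chars = set(token)
    if chars <= set(string.hexdigits):
        return 4 * len(token)
    if chars <= set(string.ascii_letters + string.digits + "+/-_="):
        return 6 * len(token.rstrip("="))
    return int(len(token) * math.log2(len(chars))) if len(chars) > 1 else 0


def audit_session_cookie(header_value):
    """Findings for one Set-Cookie header against the cookie rows of the checklist."""
    name, value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is not Lax or Strict")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: persistent cookie (Expires/Max-Age set)")
    bits = token_bits(value)
    if bits < 128:
        findings.append(f"{name}: token carries at most {bits} bits, below 128")
    return findings


def audit_response(headers, sensitive=True):
    """headers: list of (name, value) pairs, so repeated Set-Cookie headers survive.
    sensitive=True applies the 'Cache headers are properly set on sensitive data' row."""
    findings = []
    others = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_session_cookie(hvalue))
        else:
            others[hname.lower()] = hvalue
    for required in REQUIRED_SECURITY_HEADERS:
        if required not in others:
            findings.append(f"missing security header {required}")
    if sensitive and "no-store" not in others.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store on a sensitive response")
    return findings


def token_params_in_url(url):
    """Query-parameter names that look like session tokens
    (row 'Session tokens are not passed in URLs')."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if any(hint in k.lower() for hint in TOKEN_PARAM_HINTS)]


# Constructed sample responses: one weak, one that satisfies every row checked here
WEAK_RESPONSE = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Cache-Control", "public, max-age=3600"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "session=" + "0123456789abcdef" * 2
     + "; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Cache-Control", "no-store"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
    print(token_params_in_url("https://app.example/report?sessionid=abc&page=2"))
```

The token-length check is an upper bound from the alphabet, not a measurement of randomness: a 32-hex-character token passes the 128-bit row only if the server filled it from a cryptographically secure generator, which a response header cannot show.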
Notes
General Tips for Secure Code
Whitelist over blacklist
Deny by default
Least privilege principle
Limit resource Consumption
Judicious use of system calls, eval functions
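The tips above (whitelist over blacklist, deny by default) and the input-validation rows of the checklist (type, length, format and range, validated server side, invalid values handled) combine into one pattern: every field must match an explicit rule and anything unexpected is rejected. The following is an added example for this page, not code from the original spreadsheet; the field schema is a constructed stand-in for a hypothetical profile form.

```python
"""Server-side allowlist validation: each field must satisfy an explicit rule for
type, length, format and range; fields not in the schema are refused (deny by
default); invalid values are reported, never passed on.
Added example for this page; the schema below is constructed."""
import re

# Constructed rules for a hypothetical "update profile" form
RULES = {
    "username": {"type": str, "min_len": 3, "max_len": 32, "pattern": r"[a-z0-9_]+"},
    "age": {"type": int, "min": 13, "max": 120},
    "email": {"type": str, "min_len": 3, "max_len": 254,
              "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
}


def validate(form, rules=RULES):
    """Return (clean, errors). clean holds typed values for fields that passed;
    errors maps a field name to the first rule it failed. Callers must only use
    clean, and only when errors is empty."""
    clean, errors = {}, {}
    # Deny by default: a field the schema does not name is rejected outright
    for field in form:
        if field not in rules:
            errors[field] = "unexpected field"
    for field, rule in rules.items():
        if field not in form:
            errors[field] = "missing"
            continue
        value = form[field]
        if rule["type"] is int:
            # Accept only a canonical decimal string; "1e3", " 12 ", "0x10" are refused
            if not (isinstance(value, str) and re.fullmatch(r"-?\d{1,9}", value)):
                errors[field] = "not an integer"
                continue
            number = int(value)
            if not rule["min"] <= number <= rule["max"]:
                errors[field] = "out of range"
                continue
            clean[field] = number
        else:
            if not isinstance(value, str):
                errors[field] = "not a string"
                continue
            if not rule["min_len"] <= len(value) <= rule["max_len"]:
                errors[field] = "bad length"
                continue
            # fullmatch anchors the whole value, so a trailing newline cannot slip past
            if not re.fullmatch(rule["pattern"], value):
                errors[field] = "bad format"
                continue
            clean[field] = value
    return clean, errors


if __name__ == "__main__":
    # Constructed inputs: one well-formed submission and one that breaks four rules
    print(validate({"username": "alice_1", "age": "30", "email": "a@b.co"}))
    print(validate({"username": "Al", "age": "1e3", "email": "x@y", "role": "admin"}))
```

Note that the validator works on the raw string form of each field and converts only after the check passes; converting first (for example `int(value)`) would accept inputs such as whitespace-padded numbers that the format rule is meant to refuse.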
| Source | Link |
|---|---|
| Secure Code Review Checklist | ecure-code-review-checklist |
| Software Secured Checklist Private | |
| Code Review Checklist – To Perform Effective Co | g/code-review-checklist-perform-effective-code-reviews/ |
| Java Code Review Checklist | ew-checklist |
| Software Integrity | e-security/code-review-checklist/ |
| Security Audit Checklist: Code Perspective | s/cse403/10wi/lectures/security_audit_checklist.pdf |
| Stop More Bugs with our Code Review Checklist | Resources/CodeReviewChecklists/StopMoreBugsWithOurCodeReviewChecklist_FogCreekBlog_2015- |
