Secure Code Review Checklist
Secure Code Review Checklist
## TLDR;
- [ ] What security vulnerabilities is this code susceptible to?
- [ ] Are authorization and authentication handled in the right way?
- [ ] Is (user) input validated, sanitized, and escaped to prevent security attacks
such as cross-site scripting, SQL injection?
- [ ] Is sensitive data like user data, credit card information securely handled
and stored?
- [ ] Does this code change reveal some secret information like keys, passwords, or
usernames?
- [ ] Is data retrieved from external APIs or libraries checked accordingly?
- [ ] Does error handling or logging expose us to vulnerabilities?
- [ ] Is the right encryption used?
## Input Validation
- [ ] Are inputs from external sources validated?
- [ ] Is user input validated by testing type, length, format, and range, and by
enforcing appropriate limits?
- [ ] Are there flaws in regular expression that cause problems with data
validation?
- [ ] Are exact match approaches used whenever possible?
- [ ] If exact match is not possible, is the content of string variables checked
for only expected values (allowed list)?
- [ ] If allowed listing is not feasible, are entries rejected that contain
inappropriate values such as binary data, escape sequences, and comment characters
(block list)?
- [ ] Are XML documents validate against their schemas?
- [ ] Do you see string concatenations for user input?
- [ ] Are SQL statements dynamically created by using user input?
- [ ] Is data validated on the server side?
- [ ] Is there a strong separation between data and commands?
- [ ] Is there a strong separation between data and client-side scripts?
- [ ] Is contextual escaping used before passing data to SQL, LDAP, OS and third-
party commands?
- [ ] http headers are validated for each request (e.g. referrer)
## Authorization
- [ ] Is authentication and authorization the first logic executed for each
request?
- [ ] Are authorization checks granular (page and directory level)?
- [ ] Is access to pages and data denied by default?
- [ ] Is re-authenticate for requests that have side-effects enforced?
- [ ] Are there clearly defined roles for authorization?
- [ ] Can authorization be circumvented by parameter manipulation?
- [ ] Can authorization be bypassed by cookie manipulation?
## Session Management
- [ ] Are session parameters passed in URLs?
- [ ] Do session cookies expire in a reasonably short time?
- [ ] Are session cookies encrypted?
- [ ] Is session data being validated?
- [ ] Is private data in cookies kept to a minimum?
- [ ] Does the application avoid excessive cookie use?
- [ ] Is the session id complex?
- [ ] Is the session storage secure?
- [ ] Does the application properly handle invalid session ids?
- [ ] Are session limits e.g., inactivity timeouts enforced?
- [ ] Are logouts invalidating the session?
- [ ] Are session resources released when session invalidated?
## Exception Handling
- [ ] Do all methods have appropriate exceptions?
- [ ] Does the error shown to users reveal sensitive information or open us up for
attacks, .ie. includes stack trace, ids, etc.?
- [ ] Does the application fails securely when exceptions occur?
- [ ] Are system errors never shown to users?
- [ ] Are resources released and transactions rolled back when there is an error?
- [ ] Are all user / system actions are logged?
- [ ] Do we make sure that sensitive information is not logged (e.g. passwords)?
- [ ] Do we make sure we have logs or all important user management events (e.g.
password reset)?
- [ ] Are unusual activity such as multiple login attempts logged?
- [ ] Do logs have enough detail to reconstruct events for audit purposes?