Application Security Review Checklist

Uploaded by venkat504

Checklist for Application Security Design and Review

Columns in the original sheet: Category, Application Security Controls, Controls Implemented (Y/N), Comments, Impact if controls not implemented, Remediations. Only the first two Authentication rows are filled in (marked "Sample Data" in the sheet); all other rows are left blank for the reviewer to complete.

Category: Authentication

1. Ensure strong password policies are in place, such as minimum length and complexity requirements.
   Implemented: Y | Comments: 8 characters length, 1 number, 1 special character (Sample Data)

2. Two-Factor Authentication: Verify that the application supports two-factor authentication for an additional layer of security.
   Implemented: N | Comments: Not enabled | Impact if controls not implemented: This can result in account takeover or system compromise | Remediations: MFA should be enabled for all users (Sample Data)

3. Session Management: Check if the application implements proper session management controls, such as automatic logout and session timeouts.

4. Encryption: Ensure that sensitive data is encrypted both in transit and at rest.

5. Access Controls: Verify that the application has proper access controls in place, such as role-based access and least privilege principles.

6. Identity Management: Check if the application implements an identity management system to control access to the application and data.

7. Logging and Monitoring: Ensure that the application logs and monitors all authentication activities to detect and respond to any security incidents.

Category: Authorization

1. Verify that the application implements proper access controls, such as role-based access, least privilege, and separation of duties.

2. Check if the application has a system in place for managing and granting permissions to users for different actions and resources.

3. Ensure that access to sensitive data and resources is properly restricted and controlled.

4. Verify that the application logs and monitors all authorization activities to detect and respond to any security incidents.

5. Check if the application implements dynamic authorization mechanisms, such as policy-based access control, to adjust permissions based on the context of the request.

6. Ensure that the application has an auditing mechanism in place to track and record changes to authorization policies and permissions.

7. Confirm that the application follows the principle of least privilege, where users are granted the minimum permissions necessary to perform their job functions.

Category: Encryption

1. Verify that sensitive data is encrypted when transmitted between the application and client or between the application and a database.

2. Ensure that sensitive data is encrypted when stored in the application's database or other storage systems.

3. Verify that the application uses strong encryption algorithms, such as AES or RSA, and appropriate key sizes.

4. Ensure that the application uses SSL/TLS for secure communication between the client and server.

Category: Logging and Monitoring

1. Verify that the application logs all significant events, such as authentication failures, access violations, and data changes.

2. Ensure that logs are stored for a sufficient amount of time to support investigations and audits.

3. Check if the application implements proper log management, including log aggregation, indexing, and archiving.

4. Verify that log access is controlled and restricted to authorized personnel only.

5. Ensure that the application implements real-time monitoring to quickly detect and respond to security incidents.

6. Verify if the application integrates with a SIEM to provide centralized log management and analysis.

Category: Secure Application Development

1. Verify that SAST has been implemented in the application development process.

2. Verify that SCA has been implemented in the application development process.

3. Verify that DAST has been implemented in the application development process.

4. Verify that secure code review has been implemented in the application development process.

5. Ensure that input validation is implemented both on the client side and the server side.

Category: Infra Security Controls

1. Verify that the infrastructure and application comply with relevant security standards and regulations, such as PCI DSS or HIPAA.

2. Ensure that the application has a disaster recovery and business continuity plan in place to ensure the availability of the application during disruptions.

3. Ensure that a regular patch management process is implemented for servers.

4. Ensure that a firewall with DDoS protection is enabled for the application.