o Input Validation
o Output Encoding
o Authentication and Password Management
o Session Management
o Access Control
o Cryptographic Practices
o Error Handling and Logging
o Data Protection
o Communication Security
o System Configuration
o Database Security
o File Management
o Memory Management
o General Coding Practices
https://www.owasp.org/index.php/Application_Threat_Modeling#Security_Controls
o Authentication:
o Ensure all internal and external connections (user and entity) go through an
appropriate and adequate form of authentication, and verify that this
control cannot be bypassed.
o Ensure all pages enforce the requirement for authentication.
o Ensure that whenever authentication credentials or any other sensitive
information is passed, it is accepted only via the HTTP "POST" method and
never via the HTTP "GET" method, since GET parameters end up in URLs, browser
history, Referer headers and server access logs.
o Any page deemed by the business or the development team to be outside
the scope of authentication should be reviewed to assess whether it opens
any possibility of a security breach.
o Ensure that authentication credentials do not traverse the wire in clear text
form.
o Ensure development/debug backdoors are not present in production code.
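The first three items above (every connection authenticated, every page enforcing it, credentials accepted only via POST) are easiest to verify when authentication is enforced centrally rather than per page. The following is an added example, not code from the OWASP page: a small in-memory router in which every route requires an authenticated session unless it was explicitly registered as public, and a login handler that refuses credentials arriving by GET or in the query string. Request, Response, Router, the /login and /account routes, the user store and its salt are all hypothetical and constructed for the example.

```python
# Added example, not from the OWASP page: deny-by-default authentication
# enforcement and POST-only credential handling, modelled as a tiny in-memory
# router. Request/Response/Router and the user store are hypothetical.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)  # query string
    form: Dict[str, str] = field(default_factory=dict)    # POST body
    session_user: Optional[str] = None                    # set by session layer


@dataclass
class Response:
    status: int
    body: str


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: salted PBKDF2 hashes, never plaintext.
_SALT = b"constructed-demo-salt"
USERS: Dict[str, bytes] = {"alice": _hash_pw("correct horse", _SALT)}
_DUMMY = _hash_pw("dummy", _SALT)  # compared against when the user is unknown


class Router:
    def __init__(self) -> None:
        self._routes: Dict[str, Callable[[Request], Response]] = {}
        self._public = set()

    def route(self, path: str, public: bool = False):
        def register(fn: Callable[[Request], Response]):
            self._routes[path] = fn
            if public:
                self._public.add(path)
            return fn
        return register

    def dispatch(self, req: Request) -> Response:
        handler = self._routes.get(req.path)
        if handler is None:
            return Response(404, "not found")
        # Deny by default: every page requires an authenticated session unless
        # it was explicitly registered as public at definition time.
        if req.path not in self._public and req.session_user is None:
            return Response(401, "authentication required")
        return handler(req)


app = Router()


@app.route("/login", public=True)
def login(req: Request) -> Response:
    # Credentials are taken from the POST body only. GET is refused outright,
    # and credentials smuggled into the query string of a POST are refused too,
    # so they never land in URLs, history, Referer headers or access logs.
    if req.method != "POST":
        return Response(405, "credentials must be sent via POST")
    if "username" in req.params or "password" in req.params:
        return Response(400, "credentials in the query string are not accepted")
    username = req.form.get("username", "")
    expected = USERS.get(username, _DUMMY)
    # The hash is computed and compared in constant time even for unknown users,
    # so response timing does not reveal which usernames exist.
    ok = hmac.compare_digest(_hash_pw(req.form.get("password", ""), _SALT), expected)
    if username not in USERS or not ok:
        return Response(401, "invalid credentials")
    return Response(200, "logged in")


@app.route("/account")
def account(req: Request) -> Response:
    return Response(200, f"account page for {req.session_user}")
```

The review question the checklist asks ("can this control be bypassed?") reduces, with this structure, to auditing the short list of routes registered with public=True, instead of every handler in the code base.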
o Authorization:
o Data/Input Validation:
o Ensure that all method/function calls that return a value have proper error
handling and return value checking.
o Ensure that exceptions and error conditions are properly handled.
o Ensure that no system errors can be returned to the user.
o Ensure that the application fails in a secure manner.
o Ensure resources are released if an error occurs.
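The five items above describe one pattern: check what callees return, handle every error path, keep system errors away from the user, fail closed, and release resources no matter what. The following is an added example, not code from the OWASP page, showing all five in one handler. Connection, debit, handle_debit, the account balances and the in-memory log sink are hypothetical and constructed for the example.

```python
# Added example, not from the OWASP page: a fail-secure handler that checks
# return values, maps errors to generic user-facing messages, logs the detail
# internally under a correlation id, and always releases its resource.
# Connection, debit and handle_debit are hypothetical names.
import logging
import uuid
from typing import Optional, Tuple

log = logging.getLogger("fail_secure_demo")
log.setLevel(logging.DEBUG)
log.propagate = False
LOG_RECORDS = []  # constructed in-memory sink standing in for the real log pipeline


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_RECORDS.append(self.format(record))


log.addHandler(_ListHandler())


class Connection:
    """Stand-in for a database/file handle whose release must be guaranteed."""

    def __init__(self) -> None:
        self.closed = False
        self._balances = {"acc-1": 100}  # constructed data

    def query_balance(self, account: str) -> Optional[int]:
        # Returns None for an unknown account: callers must check this rather
        # than assume an int came back.
        return self._balances.get(account)

    def close(self) -> None:
        self.closed = True


class Denied(Exception):
    """Expected business-rule failure; safe to report to the user generically."""


def debit(conn: Connection, account: str, amount: int) -> int:
    if amount <= 0:
        raise Denied("invalid amount")
    balance = conn.query_balance(account)
    if balance is None:          # return-value check instead of blind use
        raise Denied("unknown account")
    if balance < amount:
        raise Denied("insufficient funds")
    return balance - amount


def handle_debit(account: str, amount, conn: Optional[Connection] = None) -> Tuple[int, str]:
    """Entry point: returns (status, user_message). Internal detail never
    reaches the user; it goes to the log keyed by an incident id."""
    conn = conn or Connection()
    try:
        new_balance = debit(conn, account, amount)
        return 200, f"new balance {new_balance}"
    except Denied:
        # Deliberately the same message for every denial reason, so the
        # response does not reveal which accounts exist.
        return 403, "transaction denied"
    except Exception as exc:
        # Unexpected failure: fail closed (no debit), record the stack trace
        # server-side, and give the user only an opaque reference.
        incident = uuid.uuid4().hex
        log.exception("incident %s while debiting %s: %r", incident, account, exc)
        return 500, f"request failed (reference {incident})"
    finally:
        conn.close()             # released on every path, including errors
```

Passing a malformed amount (for instance a string) exercises the unexpected-error path: the user sees only the incident reference, the TypeError and traceback are in the log, and the connection is still closed.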
o Logging/Auditing:
o Cryptography:
o Examine the file structure. Are any components that should not be directly
accessible available to the user?
o Examine all memory allocations/de-allocations.
o Examine the application for dynamic SQL and determine if it is vulnerable to
injection.
o Examine the application for “main()” executable functions and debug
harnesses/backdoors.
o Search for commented-out code and commented-out test code, which may
contain sensitive information.
o Ensure all logical decisions have a default clause.
o Ensure no development environment kit is left in the build directories.
o Search for any calls to the underlying operating system or file-open calls
and examine the possible error conditions.
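For the dynamic SQL item above, the following is an added example, not code from the OWASP page: the string-built query beside its parameterised form, run against an in-memory SQLite table so the injection can be observed, plus a crude review helper that flags source lines combining a SQL keyword with a string-building construct. The users table, its rows, the payload and the sample source lines are constructed for the example; the helper is a heuristic to focus a manual review, not a complete detector.

```python
# Added example, not from the OWASP page: dynamic SQL beside its parameterised
# form, with a crude review helper that flags string-built SQL in source. The
# table, rows and sample source lines are constructed for this example.
import re
import sqlite3
from typing import List, Tuple


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_dynamic(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # VULNERABLE: the caller's string is spliced into the statement text, so
    # a quote in the input changes the query's structure.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # SAFE: the driver binds the value separately; it can never become SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


PAYLOAD = "x' OR '1'='1"  # classic tautology injection


# Review helper: a line is suspicious if it contains a SQL keyword and a
# string-building construct (f-string, '+', '%' formatting, .format()).
_SQL_KW = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
_BUILD = re.compile(r"""(\bf["']|\+\s*\w|%\s*\(|\.format\()""")


def flag_dynamic_sql(source_lines: List[str]) -> List[Tuple[int, str]]:
    return [(i + 1, line.strip())
            for i, line in enumerate(source_lines)
            if _SQL_KW.search(line) and _BUILD.search(line)]


SAMPLE_SOURCE = [  # constructed snippet of application code under review
    'cur.execute("SELECT * FROM t WHERE id = " + user_id)',
    'cur.execute("SELECT * FROM t WHERE id = ?", (user_id,))',
    "q = f\"DELETE FROM t WHERE name = '{name}'\"",
    'log.info("SELECT finished")',
]


if __name__ == "__main__":
    db = open_db()
    print(find_user_dynamic(db, PAYLOAD))   # tautology returns every row
    print(find_user_param(db, PAYLOAD))     # no user is literally named that
    print(flag_dynamic_sql(SAMPLE_SOURCE))  # lines 1 and 3 need a closer look
```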
o Session Management:
o Examine how and when a session is created for a user, unauthenticated and
authenticated.
o Examine the session ID and verify that it is long and random enough to
meet the strength requirements (i.e. generated from a cryptographically
secure source, not a predictable counter or timestamp).
o Examine how sessions are stored: e.g. in a database, in memory etc.
o Examine how the application tracks sessions.
o Determine the actions the application takes if an invalid session ID occurs.
o Examine session invalidation.
o Determine how multithreaded/multi-user session management is performed.
o Determine the session HTTP inactivity timeout.
o Determine how the log-out functionality works.
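The session items above (creation before and after authentication, id strength, handling of invalid ids, invalidation, inactivity timeout, log-out) are shown together in the following added example, which is not code from the OWASP page: an in-memory session store that issues 256-bit ids from the OS CSPRNG, purges sessions idle past a timeout, rotates the id when a user logs in so a pre-planted id stops working, and rejects ids it does not know. SessionStore, FakeClock, the 15-minute timeout and the user names are hypothetical and constructed for the example.

```python
# Added example, not from the OWASP page: an in-memory session store that
# generates 256-bit session ids from a CSPRNG, enforces an inactivity timeout,
# rotates the id on login (anti-fixation), rejects unknown ids and invalidates
# on logout. SessionStore, FakeClock and the timeout value are hypothetical.
import base64
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32          # 256 bits of entropy per id
IDLE_TIMEOUT_SECONDS = 15 * 60


def new_session_id() -> str:
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def id_entropy_bits(sid: str) -> int:
    """Entropy of a urlsafe-base64 id, assuming it came from a CSPRNG."""
    raw = base64.urlsafe_b64decode(sid + "=" * (-len(sid) % 4))
    return len(raw) * 8


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: Optional[str] = None) -> str:
        """Pre-auth sessions carry user=None; they still get a strong id."""
        sid = new_session_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str) -> Optional[dict]:
        """Returns the session record, or None for unknown or expired ids.
        Expired sessions are purged on first contact after the timeout."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec

    def login(self, sid: str, user: str) -> Optional[str]:
        """Bind a user to the session and issue a fresh id, so an id an
        attacker planted before authentication stops working."""
        rec = self.resolve(sid)
        if rec is None:
            return None
        del self._sessions[sid]
        rec["user"] = user
        new_sid = new_session_id()
        self._sessions[new_sid] = rec
        return new_sid

    def logout(self, sid: str) -> bool:
        """Server-side invalidation: clearing the cookie alone is not enough."""
        return self._sessions.pop(sid, None) is not None


class FakeClock:
    """Controllable clock so timeout behaviour can be exercised deterministically."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

When reviewing a real application, the same questions map onto this code: where create() is called (before or after authentication), what new_session_id() is replaced with, whether anything like login() rotates the id, whether resolve() refreshes and enforces last_seen, and whether log-out reaches the server-side store at all.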
ISO 27001: Information technology - Security techniques
o Asset management
   o Responsibility for assets
      Inventory of assets
      Ownership of assets
      Acceptable use of assets
      Return of assets
   o Information classification
      Classification of information
      Labelling of information
      Handling of assets
   o Media handling
      Management of removable media
      Disposal of media
      Physical media transfer
o Access control
   o Business requirements of access control
      Access control policy
      Access to networks and network services
   o User access management
      User registration and de-registration
      User access provisioning
      Management of privileged access rights
      Management of secret authentication information of users
      Review of user access rights
      Removal or adjustment of access rights
   o User responsibilities
      Use of secret authentication information
   o System and application access control
      Information access restriction
      Secure log-on procedures
      Password management system
      Use of privileged utility programs
      Access control to program source code
o Cryptography
   o Cryptographic controls
      Policy on the use of cryptographic controls
      Key management
o Operations security
   o Operational procedures and responsibilities
      Documented operating procedures
      Change management
      Capacity management
      Separation of development, testing and operational environments
   o Protection from malware
      Controls against malware
   o Backup
      Information backup
   o Logging and monitoring
      Event logging
      Protection of log information
      Administrator and operator logs
      Clock synchronization
   o Control of operational software
      Installation of software on operational systems
   o Technical vulnerability management
      Management of technical vulnerabilities
      Restrictions on software installation
   o Information systems audit considerations
      Information systems audit controls
o Communications security
   o Network security management
      Network controls
      Security of network services
      Segregation in networks
   o Information transfer
      Information transfer policies and procedures
      Agreements on information transfer
      Electronic messaging
      Confidentiality or nondisclosure agreements
o Supplier relationships
   o Information security in supplier relationships
      Information security policy for supplier relationships
      Addressing security within supplier agreements
      Information and communication technology supply chain
   o Supplier service delivery management
      Monitoring and review of supplier services
      Managing changes to supplier services
o Compliance
   o Compliance with legal and contractual requirements
      Identification of applicable legislation and contractual requirements
      Intellectual property rights
      Protection of records
      Privacy and protection of personally identifiable information
      Regulation of cryptographic controls
   o Information security reviews
      Independent review of information security
      Compliance with security policies and standards
      Technical compliance review