Checklist For App Sec

Uploaded by

darknetbot307
Application Security Checklist


Columns: Category, Control Statement, Compliance (Yes/No/NA). The compliance value is shown in brackets at the start of each control statement.

Information Gathering
- [Yes] Check if the application does not reveal any specific information through generated errors at the time of log on. Ideally, generic error messages not revealing any information should be generated
- [Yes] Check if the error messages generated by the application do not reveal any sensitive information
- [Yes] Fingerprinting the web server

Configuration Management
- [Yes] Check if the application scans the file for viruses / scripts before upload, wherever applicable
- [Yes] Check if the application verifies the "Content-Type" before the user is allowed to upload the file on to the application
- [Yes] Check if the application allows probing for admin interfaces
- [Yes] Check if the application configuration data and files are secured with appropriate permissions
- [Yes] Check if the application default files are secured appropriately
- [Yes] Check if the application source code (HTML code) is appropriately secured
- [Yes] Check if the application disallows listing of files / directories
- [Yes] Make sure non-default ports are configured for the application and other associated components

Input Validation
- [Yes] Check if the application validates the input data for parameters like type, length, format and range
- [Yes] Check if the application validates user input at client side
- [Yes] Check if the application validates user input at server side
- [Yes] Check if the application is not vulnerable to Injection Flaws
- [Yes] Check if the application is not vulnerable to Cross Site Scripting
- [Yes] Check if the application is not vulnerable to Frame Spoofing Attacks

Development Environment
- [Yes] Check if the application has been developed using Version Control

Authentication
- [Yes] Check if the authentication credentials are transmitted over secured channels
- [Yes] Check if the application uses a "POST" method for transmission of user input
- [Yes] Check if the authentication failure messages do not reveal any sensitive information which could be used as a precursor
- [Yes] If the application supports certain non-human user IDs, make sure that logged-on users with valid credentials cannot change the password for these IDs
- [NA] Check for the presence of CAPTCHA images on pages for registration / feedback
- [Yes] Make sure there are no weaknesses in the password reminder facility, if one exists in the application
- [Yes] Make sure the input fields do not support the autocomplete feature

Authorization
- [Yes] Check if the application supports creation of User Groups for privilege management
- [Yes] Check if the application supports the principle of assigning least privilege during creation
- [Yes] Check if the application supports segregation of duties
- [Yes] Check if the application restricts creation of duplicate UserIDs
- [Yes] Check if the application checks for authorization before giving access to modules carrying sensitive data
- [Yes] Check if the deep URLs within the application cannot be accessed without authentication
- [Yes] Check for directory traversal in order to get access to the root directories

Session Management
- [Yes] Check if the application supports an idle session timeout of X minutes, where X is a value derived from the business requirement
- [Yes] Check if the application forces an inactive user to provide credentials again after the idle session timeout
- [Yes] Check if the session ID is dynamically generated for individual users accessing the application
- [Yes] Check if the generated session ID is not a simple string
- [Yes] Check if the generated session ID is not easily guessable
- [Yes] Check if the application does not cache any sensitive information on the local machine
- [Yes] Check if the application enforces the use of non-persistent cookies
- [Yes] Check if the application is not vulnerable to session fixation attacks
- [Yes] Check if the application is not vulnerable to session hijack attacks
- [Yes] Check if the application is not vulnerable to a replay attack
- [No] Check if the application permits only one active user session at a time. Also, check if the application authenticates each and every user session
- [Yes] Check if the application is not vulnerable to Cross Site Request Forgery
- [Yes] Check if the application supports binding the session ID with the source IP address
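
The session-management controls above, illustrated in code. This is an added example, not part of the checklist or any application it was applied to: a minimal server-side session store (assumed design) that issues unguessable IDs, regenerates the ID at login (session fixation), enforces the idle timeout of X minutes with re-authentication, keeps one active session per user, optionally binds the session to the source IP, and emits a non-persistent cookie. The 15-minute value for X is an assumption.

```python
import secrets
import time

IDLE_TIMEOUT_MINUTES = 15  # the checklist's "X"; 15 is an assumed value, derive it from the business requirement


class SessionStore:
    """Server-side session table implementing the checklist's session-management controls."""

    def __init__(self, idle_timeout_minutes=IDLE_TIMEOUT_MINUTES, bind_ip=True):
        self._sessions = {}   # session_id -> {"user", "ip", "seen"}
        self._by_user = {}    # user -> active session_id (one active session per user)
        self._timeout = idle_timeout_minutes * 60
        self._bind_ip = bind_ip

    def login(self, user, source_ip, now=None):
        """Issue a fresh ID after successful authentication. Never reusing a pre-login ID
        defeats session fixation; dropping the user's previous session enforces one
        active session at a time."""
        now = time.time() if now is None else now
        self.destroy(self._by_user.get(user))
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not a simple or guessable string
        self._sessions[sid] = {"user": user, "ip": source_ip, "seen": now}
        self._by_user[user] = sid
        return sid

    def validate(self, sid, source_ip, now=None):
        """Return the user of a live session, or None when the caller must re-authenticate:
        the session is unknown, idle past the timeout, or (with IP binding on) presented
        from a different source IP than it was issued to. A rejected session is destroyed."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or now - s["seen"] > self._timeout or (self._bind_ip and source_ip != s["ip"]):
            self.destroy(sid)
            return None
        s["seen"] = now
        return s["user"]

    def destroy(self, sid):
        """Logout, timeout and mismatch all end up here: remove the session and the user's binding."""
        s = self._sessions.pop(sid, None)
        if s is not None and self._by_user.get(s["user"]) == sid:
            del self._by_user[s["user"]]


def session_cookie(sid):
    """Set-Cookie value for a non-persistent cookie: no Expires/Max-Age, so the browser
    discards it when closed; Secure/HttpOnly/SameSite limit exposure over HTTP and to scripts."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Note that IP binding breaks legitimate users behind NAT pools or mobile networks, which is why it is a switch here rather than always on.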

Encryption
- [NA] Check if the SSL certificate is valid
- [NA] Check if the encryption methods used by SSL have strong cipher strength

Auditing & Logging
- [No] Check if the application logs data for the following scenarios (not restricted to these) at the bare minimum:
  - Failed login attempt
  - Password change
  - Logout
  - Session timeout
  - Violation of any transaction
  - Failure to provide the right input, authenticated
  - Failure to provide the right input, un-authenticated
- [No] Check if the logs are stored at a different location from the location in which the application is stored
- [No] Does the application support generation of Audit Account Management logs?
  a. For instance, at the time of creation of a user, who created it and with what privileges must be logged
  b. Other information in the audit log SHOULD contain staff ID, all transactions amended, created or deleted, date and time of the transaction and all changes that are made to the system
- [No] The system SHOULD keep the date and time of the last access of the user. Other information retained must include:
  a. Event causing the log entry
  b. Date & time of occurrence
  c. Application program concerned
  d. Transaction sequence number and / or unique identifier
  e. Users involved
  f. New & old values
  g. Name of data object concerned
  h. Identifier of input device/location/source such as terminal ID
- [No] All accesses (including system administrator) into the system must be logged
- [Yes] a. The integrity of the audit trail must be maintained at all times
  b. All logs MUST NOT contain any plaintext or encrypted password, or any cryptographic keys
  c. The exception logs SHOULD clearly identify the purpose or severity of the logged record, such as INFO, WARN, ERROR, FATAL, DEBUG etc.
  d. Transaction event logs SHOULD contain all successful and unsuccessful inquiry and financial transactions
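
The audit-record content (items a to h), the severity levels and the rule that no password or key ever reaches a log, illustrated in code. This is an added example, not part of the checklist or of any application it was applied to; the record layout, the `SECRET_FIELDS` names and the `sink` callable are assumptions of the example.

```python
import json
from datetime import datetime, timezone
from itertools import count

SEVERITIES = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")
# Names of fields whose values must never be written, plaintext or encrypted (checklist item b).
# Assumed set; extend it to match the application's own field names.
SECRET_FIELDS = {"password", "old_password", "new_password", "secret", "api_key", "private_key"}


def redact(values):
    """Copy of an old/new-value dict with credential-like fields masked."""
    if values is None:
        return None
    return {k: ("<redacted>" if k.lower() in SECRET_FIELDS else v) for k, v in values.items()}


class AuditLogger:
    """Writes one JSON line per event carrying the fields the checklist lists (a to h).
    `sink` is any callable that persists a line; in production point it at a location
    separate from the application's own install path, as the checklist requires."""

    def __init__(self, program, sink):
        self.program = program    # c. application program concerned
        self.sink = sink
        self._seq = count(1)      # d. transaction sequence number

    def log(self, event, users, data_object=None, old=None, new=None,
            source=None, severity="INFO", when=None):
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {SEVERITIES}")
        record = {
            "seq": next(self._seq),
            "time": (when or datetime.now(timezone.utc)).isoformat(),  # b. date & time
            "severity": severity,
            "program": self.program,
            "event": event,              # a. event causing the entry
            "users": list(users),        # e. users involved (staff ID, affected account)
            "data_object": data_object,  # g. name of data object concerned
            "old": redact(old),          # f. old values, credentials masked
            "new": redact(new),          # f. new values, credentials masked
            "source": source,            # h. input device / location / terminal ID
        }
        self.sink(json.dumps(record, sort_keys=True))
        return record
```

Redacting at the logging boundary, rather than trusting every caller to strip credentials, is what makes item b enforceable in review.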

Password Policy
- [No] a. The minimum length of password should not be less than 8
  b. Does not contain the userid as part of the password
  c. Sharing of password is not allowed
  d. Default passwords shipped with operating systems/program products for use during system and product installation/setup are changed upon installation
- [No] In a scenario where passwords are set by the administrator, verify if the password change is enforced at the first login

The Application Security Team will provide only the patch solution, i.e. how to fix the issues. Patches will be applied by APPLICATION DEVELOPERS.