63 Web Application Security Checklist For IT Security Auditors and Developers

The document provides a checklist of best practices for securing web applications, networks, web servers, database servers, and applications. It includes over 100 specific recommendations across various categories such as configuring firewalls and routers, hardening servers, implementing authentication and authorization, input validation, encryption, logging and auditing. The goal is to help web developers and auditors identify and address security vulnerabilities to better protect systems and data.

Uploaded by Anil Kumar

63 Web Application Security Checklist for IT Security Auditors and Developers
As you know, every web application becomes vulnerable once it is exposed to the Internet. Fortunately, there are a number of best practices and countermeasures that web developers can apply when they build their apps. This post lists proven countermeasures that significantly enhance the security of web apps.

Network security checklist

1. Most web applications reside behind perimeter firewalls, routers and various types of filtering devices. Always make sure that the perimeter devices you use for filtering traffic are stateful packet inspection devices.
2. Routers and firewalls should be configured to allow only the necessary types of traffic, such as HTTP or HTTPS. Block all other types of traffic that you do not need to support your web applications.
3. Just as with inbound traffic, you need to control outbound traffic. Configure your router and firewall to allow only the necessary outbound traffic from your web applications.
4. Make sure your perimeter devices (firewalls, routers etc.) are equipped with appropriate DoS (denial of service) countermeasures. If you are using Cisco routers, you can use rate-limit commands to limit the committed access rate.
5. If you are using load balancers, check whether they disclose any information about your internal networks.
6. Consider implementing a network intrusion detection system, and establish appropriate policies and procedures to review its logs for attack signatures.
7. Disable telnet access on all of your network devices. Use SSH, and only for the devices that you need to reach over the Internet.
8. Establish a password change policy for all of your remote access devices, and allow only specific IP addresses to access your network remotely.
9. Conduct network vulnerability scans regularly.
10. Every time you make major changes to your network, you may want to arrange for a penetration test by a third-party organization. Plan to conduct a penetration test at least once a year.
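Item 6 (and item 21 of the web server checklist) ask for a routine review of logs for attack signatures. The script below is an added example, not part of the original checklist: it parses a few constructed Apache-style access log lines, URL-decodes each request path so that percent-encoding cannot hide a pattern, flags lines that match three deliberately simple signatures, and counts flagged requests per source address. The log lines, the regular expressions and the signature names are all assumptions made for this demo.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines for the demo (not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /../../etc/passwd HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 403 199
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
"""

LINE_RE = re.compile(  # client IP, timestamp, request line, status code
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures (assumed, deliberately simple); production rules belong in your IDS.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)['\"]\s*(or|and)\s*['\"]?\d|union\s+select"),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"(?i)<script"),
}

def parse_line(line):
    """Return the parsed fields of one log line (path URL-decoded), or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["path"] = unquote(fields["path"])  # decode before matching
    return fields

def scan_log(text):
    """Return (ip, signature_name, decoded_path) for every line that matches a signature."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                hits.append((rec["ip"], name, rec["path"]))
    return hits

def hits_per_ip(hits):
    """Count flagged requests per source address; a high count is what the reviewer acts on."""
    return Counter(ip for ip, _, _ in hits)
```

Running `scan_log(SAMPLE_LOG)` on the constructed lines flags three requests, two from 203.0.113.5 and one from 198.51.100.7.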
Web Server checklist

1. Whenever your software vendor releases software updates or security patches, apply them to your network after appropriate testing.
2. Check your server configuration to ensure that it does not disclose any sensitive information about the application software installed on your server.
3. Do not allow servers to show directory listings or the parent path.
4. Disable unnecessary services on your servers.
5. If your software vendor recommends specific security settings, implement them appropriately.
6. Disable or delete guest accounts and unnecessary groups and users.
7. Enable the OS auditing system and web server logging.
8. Remove unnecessary modules or extensions from your web servers.
9. Remove the default website and sample content, if any, from all of your web servers.
10. Configure the authentication mechanism properly for your server directories.
11. Always use SSL when your traffic is sensitive and vulnerable to eavesdroppers. Make sure you use an appropriate key length for encryption and use only SSLv3. (Note: SSLv3 has since been deprecated by RFC 7568; current practice is TLS 1.2 or later.)
12. Deploy web content in a virtual root that does not contain any administrative utilities. This virtual root can be a separate drive or a separate disk.
13. Disable directory listing and parent path in your web server.
14. Check the current error message pages on your server. If they leak any information about your server, customize them.
15. Make sure the accounts running the HTTP service do not have high-level privileges.
16. Create access control lists for all of your web directories and files.
17. If your servers have WebDAV (Web Distributed Authoring and Versioning), disable it or delete it if you do not need it. If you have to keep WebDAV, apply proper access restrictions to it.
18. Disable web publishing functionality (such as iPlanet products) if you have any.
19. Apply and fine-tune your web server's security modules (UrlScan in IIS or ModSecurity in Apache).
20. Scan your server with popular scanners in order to identify vulnerabilities and mitigate the risks.
21. Consider using a host-based intrusion detection system along with the network intrusion detection system. Make a policy to review the logs.

Database Server security checklist

1. Check whether your database is running with the least possible privilege for the services it delivers.
2. Update your database software with the latest appropriate patches from your vendor.
3. Remove all sample and guest accounts from your database.
4. Dynamic sites need to communicate with the database server to generate the content requested by users. Restrict traffic flow between the database and web server using IP packet filtering.
5. Use an appropriate authentication mechanism between your web servers and database servers.
6. If your database has a default account, either change it or use a separate password.
7. Make sure database users are granted privileges according to their roles and requirements.
8. Delete extended stored procedures and related libraries from your database if you do not need them.
9. Do not embed database user passwords in the application code.
10. Plan for a database audit.
11. Change database passwords after a predefined period.

Application security

1. Create a threat model of your application and have it approved by management and the IS security team.
2. Segregate the application development environment from the production environment. Never use production data in the test environment for testing purposes.
3. Make sure your application's authentication system matches industry best practices.
4. Use ACLs to control access to application directories and files.
5. Use proper input validation techniques and output encoding on the server side.
6. Secure the source code and files of your web applications.
7. Remove temporary files from your application servers.
8. Cookies and session management should be implemented according to the best practices of your application development platform. Implement a session expiration timeout and avoid allowing multiple concurrent sessions.
9. Assign a new session ID when users log in, and provide a logout option.
10. Grant the least privilege to application users.
11. Implement a CAPTCHA and an email verification system if you allow your users to create accounts with your application.
12. Use an appropriate encryption algorithm to meet your data security requirements.
13. Always place the 'include' files (the files required by the server-side scripts) outside the virtual root directory. Apply ACLs to your include files if possible. Rename the include files to .asp on your IIS server.
14. Identify vulnerable API or function calls and avoid them if there is a workaround.
15. Use parameterized SQL queries to prevent SQL injection.
16. Enable error handling and security logging features.
17. Run a security audit on your source code.
18. Perform a black box test on your application. If you do not have a penetration tester in your organization, which is likely, you can hire a professional penetration tester.
19. Change administration and other privileged passwords regularly.
20. Conduct web application vulnerability scans regularly to identify application-layer vulnerabilities in your application.
21. Always conduct a proper penetration test before moving your application from the development environment to the production environment. Also run a pen test whenever you make significant modifications to the application.
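Items 5 and 15 of the application checklist are best seen side by side. The block below is an added example, not code from the original checklist: a query built by string concatenation (the 'before' case) next to the parameterized form, plus an allow-list validator for the input and HTML output encoding for what is rendered back. The in-memory SQLite table, its two rows and the username policy are constructed for the demo.

```python
import html
import re
import sqlite3

# Allow-list for usernames (an assumed policy for this demo).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed in-memory users table with two sample rows (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """The 'before' case: the value is spliced into the SQL text, so quotes in it change the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Item 15: parameterized query; the driver binds the value, so it never becomes SQL syntax."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def validate_username(username):
    """Item 5, input validation: accept only what the allow-list permits, reject everything else."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(username):
    """Item 5, output encoding: escape before placing untrusted text into HTML."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed input that closes the quote and adds a tautology
    print("vulnerable:", find_user_vulnerable(conn, crafted))   # returns every row
    print("safe:      ", find_user_safe(conn, crafted))         # returns []
    print("valid?    ", validate_username(crafted))             # False
    print(render_greeting("<b>bob</b>"))
```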
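Items 8 and 9 describe the session rules (expiration timeout, no concurrent sessions, a fresh ID at login, a logout option). The store below is an added example written for this checklist, not code from the original page or from any particular platform; the 15-minute idle timeout is an assumed policy value and the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session expires (assumed policy value)


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str | None, "last_seen": float}
        self._by_user = {}    # user -> session_id; enforces a single live session per user
        self._clock = clock   # injectable so tests can move time forward

    def create(self):
        """Anonymous pre-login session with an unpredictable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid, user):
        """Item 9: discard the pre-login ID and issue a fresh one, so an ID planted before
        login is never promoted to an authenticated session.
        Item 8: evict any other live session of the same user (no concurrent sessions)."""
        self._sessions.pop(sid, None)
        old = self._by_user.pop(user, None)
        if old is not None:
            self._sessions.pop(old, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        self._by_user[user] = new_sid
        return new_sid

    def current_user(self, sid):
        """Return the user of a live session, or None; idle sessions past the timeout are removed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def logout(self, sid):
        """Item 9: explicit logout invalidates the ID on the server, not only in the browser."""
        s = self._sessions.pop(sid, None)
        if s is not None and s["user"] is not None:
            self._by_user.pop(s["user"], None)
```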
