Security Assessment Checklist
A comprehensive checklist for assessing application and infrastructure security, covering OWASP Top 10 and common vulnerabilities.
How to Use This Checklist
This checklist is designed for:
- Pre-deployment security reviews
- Regular security assessments
- New application onboarding
- Compliance verification
Rating Scale:
- ✅ Implemented and verified
- ⚠️ Partially implemented or needs improvement
- ❌ Not implemented
- N/A Not applicable
1. Authentication & Access Control
Authentication
| Item | Status | Notes |
|---|---|---|
| Multi-factor authentication available | | |
| Strong password policy enforced (12+ chars, complexity) | | |
| Password hashing uses modern algorithm (bcrypt, Argon2) | | |
| Account lockout after failed attempts | | |
| Session timeout configured appropriately | | |
| Secure session token generation (cryptographically random) | | |
| Sessions invalidated on logout | | |
| Sessions invalidated on password change | | |
| “Remember me” tokens are secure | | |
| Password reset is secure (time-limited tokens) | | |
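An added example, not taken from the checklist, of the "time-limited reset tokens" and "cryptographically random tokens" items above: tokens come from the OS CSPRNG, only their hash is stored server-side, and redemption is single-use with a constant-time comparison. The 15-minute lifetime and the in-memory store are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

RESET_TOKEN_TTL = 15 * 60  # seconds; a lifetime assumed for this example

@dataclass
class ResetRecord:
    user_id: str
    token_hash: str   # SHA-256 of the token, never the token itself
    expires_at: float
    used: bool = False

class ResetTokenStore:
    """In-memory store; a real deployment would back this with a database."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._records: Dict[str, ResetRecord] = {}
        self._now = now  # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for the user; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random.random()
        # A new token supersedes any earlier one, so only one is valid per user at a time.
        self._records[user_id] = ResetRecord(user_id, self._digest(token), self._now() + RESET_TOKEN_TTL)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True once for a valid, unexpired, unused token; False otherwise."""
        rec = self._records.get(user_id)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        # Constant-time comparison of the digests avoids a timing side channel.
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return False
        rec.used = True  # single use: replaying the same reset link is rejected
        return True
```

After a successful `redeem` the application sets the new password and, per the "sessions invalidated on password change" item, revokes the user's existing sessions.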
Authorization
| Item | Status | Notes |
|---|---|---|
| Principle of least privilege applied | | |
| Role-based access control implemented | | |
| Authorization checked on every request | | |
| Direct object references protected | | |
| Horizontal privilege escalation prevented | | |
| Vertical privilege escalation prevented | | |
| API endpoints enforce authorization | | |
| Administrative functions protected | | |
| Sensitive operations require re-authentication | | |
2. Input Validation & Output Encoding
Input Validation
| Item | Status | Notes |
|---|---|---|
| All input validated server-side | | |
| Input validated against allowlist where possible | | |
| Input length limits enforced | | |
| Input type validation (numbers, dates, etc.) | | |
| File uploads validated (type, size, content) | | |
| File uploads stored outside web root | | |
| URL parameters validated | | |
| JSON/XML input validated against schema | | |
Output Encoding
| Item | Status | Notes |
|---|---|---|
| HTML output encoded to prevent XSS | | |
| JavaScript output encoded appropriately | | |
| URL output encoded | | |
| CSS output encoded | | |
| Content-Type headers set correctly | | |
| X-Content-Type-Options: nosniff header set | | |
3. SQL/NoSQL Injection Prevention
| Item | Status | Notes |
|---|---|---|
| Parameterized queries used for all database access | | |
| ORM used with safe query patterns | | |
| Dynamic SQL avoided or carefully reviewed | | |
| Database user has minimal required permissions | | |
| Database errors not exposed to users | | |
| NoSQL injection patterns reviewed | | |
| LDAP injection prevented | | |
| Command injection prevented | | |
4. Cryptography & Data Protection
Encryption
| Item | Status | Notes |
|---|---|---|
| TLS 1.2+ enforced for all connections | | |
| Strong cipher suites configured | | |
| Certificate valid and properly configured | | |
| HSTS header enabled | | |
| Sensitive data encrypted at rest | | |
| Encryption keys stored securely (HSM, KMS) | | |
| Key rotation process defined | | |
| No deprecated algorithms (MD5, SHA1, DES, RC4) | | |
Sensitive Data Handling
| Item | Status | Notes |
|---|---|---|
| Sensitive data identified and classified | | |
| PII minimized (collect only what’s needed) | | |
| Sensitive data not logged | | |
| Sensitive data not in URLs | | |
| Sensitive data masked in displays | | |
| Cache-Control headers prevent caching of sensitive data | | |
| Data retention policies implemented | | |
| Secure deletion processes defined | | |
5. API Security
| Item | Status | Notes |
|---|---|---|
| API authentication required | | |
| API rate limiting implemented | | |
| API versioning strategy in place | | |
| Unnecessary API methods disabled | | |
| API responses don’t leak sensitive data | | |
| CORS configured restrictively | | |
| API documentation doesn’t expose security details | | |
| GraphQL: Query depth limiting | | |
| GraphQL: Introspection disabled in production | | |
6. Error Handling & Logging
Error Handling
| Item | Status | Notes |
|---|---|---|
| Custom error pages configured | | |
| Stack traces not exposed to users | | |
| Detailed errors logged server-side only | | |
| Error messages don’t reveal system information | | |
| Failed operations fail securely (default deny) | | |
Security Logging
| Item | Status | Notes |
|---|---|---|
| Authentication events logged | | |
| Authorization failures logged | | |
| Input validation failures logged | | |
| Application errors logged | | |
| Admin activities logged | | |
| Log integrity protected | | |
| Logs centralized for analysis | | |
| Log retention meets requirements | | |
| Sensitive data excluded from logs | | |
7. Security Headers
| Header | Expected Value | Status | Notes |
|---|---|---|---|
| Content-Security-Policy | Restrictive policy | | |
| X-Content-Type-Options | nosniff | | |
| X-Frame-Options | DENY or SAMEORIGIN | | |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | | |
| X-XSS-Protection | 0 (rely on CSP) | | |
| Referrer-Policy | strict-origin-when-cross-origin | | |
| Permissions-Policy | Restrictive policy | | |
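An added example (not part of the original checklist) that rates one HTTP response's headers against the expected values in the table above, using the checklist's own three ratings. The CSP "restrictive" heuristic and the set of accepted Referrer-Policy values are assumptions of this example.

```python
import re
from typing import Callable, Dict

IMPLEMENTED, PARTIAL, MISSING = "implemented", "needs improvement", "not implemented"
FRAME_OK = {"deny", "sameorigin"}
# Assumption: policies stricter than the table's value are also accepted.
REFERRER_OK = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
HSTS_MIN_AGE = 31536000  # one year, as in the table

def _csp_restrictive(policy: str) -> bool:
    # Heuristic (assumption): restrictive means default-src is set and the
    # policy uses neither an 'unsafe-*' keyword nor a bare wildcard source.
    p = policy.lower()
    return "default-src" in p and "unsafe-" not in p and not re.search(r"\s\*(?:[\s;]|$)", p)

def _hsts_ok(value: str) -> bool:
    directives = [d.strip().lower() for d in value.split(";")]
    m = next((re.match(r"max-age=(\d+)$", d) for d in directives if d.startswith("max-age=")), None)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE and "includesubdomains" in directives

def rate_security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Rate each header from the checklist table for one HTTP response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    def rate(name: str, ok: Callable[[str], bool]) -> str:
        value = h.get(name)
        if value is None:
            return MISSING  # header absent: "not implemented"
        return IMPLEMENTED if ok(value) else PARTIAL  # present but weak: "needs improvement"

    return {
        "Content-Security-Policy": rate("content-security-policy", _csp_restrictive),
        "X-Content-Type-Options": rate("x-content-type-options", lambda v: v.lower() == "nosniff"),
        "X-Frame-Options": rate("x-frame-options", lambda v: v.lower() in FRAME_OK),
        "Strict-Transport-Security": rate("strict-transport-security", _hsts_ok),
        "X-XSS-Protection": rate("x-xss-protection", lambda v: v == "0"),
        "Referrer-Policy": rate("referrer-policy", lambda v: v.lower() in REFERRER_OK),
        "Permissions-Policy": rate("permissions-policy", lambda v: bool(v)),
    }

# Constructed sample: a mostly hardened response with two findings
# (CSP allows 'unsafe-inline' scripts; Permissions-Policy is absent).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Feed `rate_security_headers` the headers captured from a real response and copy each rating into the Status column of the table.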
8. Infrastructure Security
Network
| Item | Status | Notes |
|---|---|---|
| Firewall rules follow least privilege | | |
| Unnecessary ports closed | | |
| Network segmentation implemented | | |
| Internal services not exposed publicly | | |
| WAF deployed and configured | | |
| DDoS protection in place | | |
Server/Container
| Item | Status | Notes |
|---|---|---|
| OS and software patched | | |
| Unnecessary services disabled | | |
| Default credentials changed | | |
| File permissions restrictive | | |
| Container images scanned for vulnerabilities | | |
| Container runs as non-root | | |
| Secrets not baked into images | | |
Cloud
| Item | Status | Notes |
|---|---|---|
| IAM roles follow least privilege | | |
| MFA enforced for console access | | |
| Cloud resources not publicly accessible unless required | | |
| Storage buckets/blobs access controls reviewed | | |
| Cloud security services enabled (GuardDuty, Security Center) | | |
| Resource tagging for security compliance | | |
9. Secrets Management
| Item | Status | Notes |
|---|---|---|
| Secrets not in source code | | |
| Secrets not in environment variables (use secret manager) | | |
| Secret management solution in place (Vault, AWS Secrets Manager) | | |
| Secrets rotated regularly | | |
| Access to secrets audited | | |
| Development secrets separate from production | | |
| API keys scoped to minimum permissions | | |
10. Dependency Security
| Item | Status | Notes |
|---|---|---|
| Dependencies scanned for vulnerabilities | | |
| Automated scanning in CI/CD pipeline | | |
| Process for addressing critical vulnerabilities | | |
| Dependency versions pinned | | |
| Unnecessary dependencies removed | | |
| License compliance reviewed | | |
| Private package registry used where appropriate | | |
11. Business Logic Security
| Item | Status | Notes |
|---|---|---|
| Business rules enforced server-side | | |
| Race conditions prevented | | |
| Workflow steps cannot be skipped | | |
| Price/quantity manipulation prevented | | |
| Time-based attacks considered | | |
| Abuse scenarios documented and mitigated | | |
12. Third-Party Integrations
| Item | Status | Notes |
|---|---|---|
| Third-party security posture assessed | | |
| Data shared with third parties minimized | | |
| Third-party access scoped appropriately | | |
| Webhooks validated | | |
| Third-party JavaScript reviewed | | |
| Subresource Integrity (SRI) used for CDN resources | | |
Assessment Summary
| Category | ✅ | ⚠️ | ❌ | N/A |
|---|---|---|---|---|
| Authentication & Access Control | | | | |
| Input Validation & Output Encoding | | | | |
| Injection Prevention | | | | |
| Cryptography & Data Protection | | | | |
| API Security | | | | |
| Error Handling & Logging | | | | |
| Security Headers | | | | |
| Infrastructure Security | | | | |
| Secrets Management | | | | |
| Dependency Security | | | | |
| Business Logic Security | | | | |
| Third-Party Integrations | | | | |
Critical Findings
| Finding | Severity | Remediation |
|---|---|---|
| | | |
| | | |
| | | |
Recommendations
Assessed by: ____________________
Date: ____________________
Next review: ____________________
For comprehensive security assessment, contact our team.