An open API service indexing awesome lists of open source software.

https://github.com/lastmjs/security-audit

Web application security audit to be performed once per quarter.

# Security Audit

Web application security audit to be performed once per quarter.

- [ ] Review latest OWASP Top 10
- [ ] Run automatic security checks
  - [ ] Mozilla Observatory: https://observatory.mozilla.org
  - [ ] Google CSP Evaluator: https://csp-evaluator.withgoogle.com/
  - [ ] Security header scanner: https://securityheaders.com/
  - [ ] Lighthouse (Chrome dev tools)
- [ ] Ensure encryption of data in transit (force SSL/TLS connections everywhere possible)
- [ ] Ensure encryption of data at rest (databases, hard drives, passwords, etc. should be encrypted)
- [ ] Update all dependencies
  - [ ] Use LTS versions (Node.js, Ubuntu, etc.)
  - [ ] No vulnerabilities found in dependencies (GitHub and npm security reports, etc.)
- [ ] Lock down ports (TCP, UDP, etc.)
  - [ ] Only open ports that are absolutely necessary
  - [ ] Only open each port to the smallest subset of IP addresses that absolutely need it
- [ ] Ensure strong authentication system
  - [ ] Study up on the latest authentication best practices
  - [ ] Up-to-date and secure
  - [ ] Cookies, JWTs, private and public keys, web storage, etc. all used correctly
- [ ] Ensure strong authorization system
  - [ ] Study up on the latest authorization best practices
  - [ ] Automated tests to ensure data integrity
  - [ ] Physical/logistical access controls should be in place (locking screens, not sharing passwords, etc.)
- [ ] Analyze all endpoints and ensure proper authentication and authorization
  - [ ] All processes that are accessible through TCP/IP ports should be audited to ensure each endpoint has proper authentication and authorization
  - [ ] Analyze the types of operations, reads or writes, that are permitted
- [ ] Rotate all keys
  - [ ] Public and private keys
  - [ ] Secrets
  - [ ] Passwords (minimum of 10 characters in length)
- [ ] All cryptographic algorithms up-to-date (e.g. do not use SHA-1)
  - [ ] For example, use a good hashing algorithm
  - [ ] For example, choose a proper ECDSA curve
- [ ] Ensure physical integrity of all keys
  - [ ] You must be able to physically access all keys
  - [ ] Consider having multiple physical locations for each key (these cannot be lost)
  - [ ] Know where all keys are stored (laptop, USB drive, environment variables, cloud storage, safes, etc.)
- [ ] Review organizational access control policies
  - [ ] Who has access to what data
  - [ ] Password length
  - [ ] Password lifetimes
  - [ ] Access to secrets
  - [ ] Password sharing
  - [ ] Screen locking
  - [ ] Proper channels for sharing data (Gmail, Slack, Excel, etc.)
  - [ ] Revoke access of terminated employees
- [ ] Review all user accounts
  - [ ] Ensure all authorizations are current
- [ ] Sanitize data
  - [ ] Know where all sensitive data is stored
  - [ ] Only keep sensitive data that you absolutely must keep, and for no longer than absolutely necessary
- [ ] Review compliance with regulations
  - [ ] Determine what type of data is sensitive
  - [ ] Determine what type of data you are not allowed to store
  - [ ] HIPAA, PCI, GDPR, etc.
- [ ] Ensure proper logging and monitoring
  - [ ] Know when there is a breach or attack
- [ ] Audit the audit
  - [ ] Study the latest security practices
  - [ ] Ensure the audit is up-to-date and will lead to sufficient security
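The "Run automatic security checks" item relies on hosted scanners (Mozilla Observatory, the CSP Evaluator, securityheaders.com). The following script is an added example, not code from the security-audit repository, showing what those scanners check on the response-header level so the same checks can run in CI or against a staging host that the public scanners cannot reach. It audits a plain dict of headers, so it runs offline; `fetch_headers` shows how to obtain the live headers with the standard library. The two sample responses, the list of required headers and the set of CSP tokens treated as weak are the author's assumptions, not anything the checklist specifies.

```python
"""Check a web application's response headers for the protections the
hosted scanners in the checklist look for (HSTS, CSP, nosniff, framing,
referrer policy). Added example; header list and samples are assumptions."""
import urllib.request
from typing import Callable, Dict, List

# Headers every HTML response should carry, each with the value test it
# must pass. Header names are matched case-insensitively.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# CSP source expressions that make script-controlling directives ineffective.
WEAK_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, value_ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not value_ok(lower[name]):
            findings.append(f"weak value for {name}: {lower[name]!r}")
    # Inspect only the directives that govern script execution.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] in ("default-src", "script-src"):
            for token in parts[1:]:
                if token in WEAK_CSP_TOKENS:
                    findings.append(f"{parts[0]} allows {token}")
    # Version banners help an attacker pick exploits; scanners flag them.
    if "server" in lower or "x-powered-by" in lower:
        findings.append("version-disclosing header present (Server / X-Powered-By)")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch the live headers for `url` (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses: one typical unhardened app, one hardened.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "nginx/1.18.0",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "OK")
```

Running it against the constructed samples lists six findings for the weak response (four missing headers, the `'unsafe-inline'` source and the `Server` banner) and none for the hardened one; swapping the sample dict for `fetch_headers("https://staging.example")` turns it into a quarterly check.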
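The "Lock down ports" item asks for only necessary ports, each exposed to the smallest set of addresses. One way to make that verifiable each quarter is to diff the host's listening sockets against a written allowlist. The script below is an added example, not part of the security-audit repository: it parses `ss -tulnH` output (Linux iproute2), and the sample output, the `ALLOWED` policy and the port numbers in it are constructed for illustration.

```python
"""Compare listening TCP/UDP sockets with an allowlist of (port, bind address).
Added example; the ss output and the policy below are constructed samples."""
import re
import subprocess
from typing import Dict, List, NamedTuple, Set


class Listener(NamedTuple):
    proto: str   # "tcp" or "udp"
    addr: str    # local bind address as ss prints it
    port: int


# Constructed sample of `ss -tulnH` (no header line because of -H).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:6379    0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:5432      0.0.0.0:*
tcp   LISTEN 0      511    *:443             *:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
"""

# Policy (assumption for the example): each port that may listen, with the
# addresses it may bind to. "0.0.0.0" / "*" means every interface, so that
# set should be as small as the application allows.
ALLOWED: Dict[int, Set[str]] = {
    22: {"0.0.0.0", "*"},
    443: {"0.0.0.0", "*"},
    6379: {"127.0.0.1"},   # Redis must stay loopback-only
}

# Local address field is "<addr>:<port>"; the greedy group copes with IPv6
# forms such as "[::]:22" because only the last colon separates the port.
_LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tulnH` text into Listener records, skipping malformed lines."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        match = _LOCAL_RE.match(fields[4])
        if not match:
            continue
        listeners.append(Listener(fields[0], match.group("addr"), int(match.group("port"))))
    return listeners


def audit_listeners(listeners: List[Listener], allowed: Dict[int, Set[str]]) -> List[str]:
    """Flag ports absent from the allowlist and ports bound more widely than allowed."""
    findings: List[str] = []
    for ln in listeners:
        if ln.port not in allowed:
            findings.append(f"{ln.proto}/{ln.port} on {ln.addr}: port not in allowlist")
        elif ln.addr not in allowed[ln.port]:
            findings.append(f"{ln.proto}/{ln.port} on {ln.addr}: bound more widely than allowed")
    return findings


def live_listeners() -> List[Listener]:
    """Collect the real listeners of the current host (Linux with iproute2)."""
    result = subprocess.run(["ss", "-tulnH"], capture_output=True, text=True, check=True)
    return parse_ss(result.stdout)


if __name__ == "__main__":
    for finding in audit_listeners(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(finding)
```

On the constructed sample the audit reports the PostgreSQL port exposed on all interfaces and the SNMP UDP port, neither of which the policy lists; a Redis that later started binding `0.0.0.0` would be reported as "bound more widely than allowed" rather than silently accepted because its port number is known.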
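The "Analyze all endpoints" item wants every endpoint checked for authentication and authorization, with reads and writes considered separately. Doing that by hand each quarter does not scale, so the added example below (mine, not code from the security-audit repository) shows the alternative: declare each route's security requirements next to the route, then audit the registry programmatically. The minimal `route` decorator stands in for a real framework's router; the sample routes and role names are constructed.

```python
"""Enumerate registered routes and flag anonymous write endpoints and
authenticated endpoints with no authorization rule. Added example; the
router and the sample routes are assumptions, not a real framework."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Route:
    method: str
    path: str
    handler: Callable
    public: bool = False               # explicitly anonymous endpoint
    roles: Optional[Set[str]] = None   # None: no authorization rule declared


ROUTES: List[Route] = []


def route(method: str, path: str, *, public: bool = False,
          roles: Optional[Set[str]] = None):
    """Register a handler together with its declared security requirements."""
    def wrap(fn: Callable) -> Callable:
        ROUTES.append(Route(method.upper(), path, fn, public, roles))
        return fn
    return wrap


def audit_routes(routes: List[Route]) -> List[str]:
    """Return findings for routes whose declared requirements look wrong."""
    findings: List[str] = []
    for r in routes:
        kind = "write" if r.method in WRITE_METHODS else "read"
        if r.public and kind == "write":
            findings.append(f"{r.method} {r.path}: anonymous write endpoint")
        if not r.public and r.roles is None:
            findings.append(f"{r.method} {r.path}: authenticated but no authorization rule declared")
        if r.public and r.roles:
            findings.append(f"{r.method} {r.path}: public endpoint also declares roles (contradictory)")
    return findings


# Constructed sample application: two of these routes are misdeclared.
@route("GET", "/health", public=True)
def health():
    return "ok"

@route("GET", "/api/orders", roles={"customer", "admin"})
def list_orders():
    return []

@route("DELETE", "/api/orders/<id>", roles={"admin"})
def delete_order(order_id):
    return None

@route("POST", "/api/orders", public=True)          # write with no auth
def create_order():
    return None

@route("PUT", "/api/users/<id>")                    # auth but no roles
def update_user(user_id):
    return None


if __name__ == "__main__":
    for finding in audit_routes(ROUTES):
        print(finding)
```

The audit fails closed: a route that does not declare `public=True` and does not declare roles is reported, so a new endpoint cannot slip into production with its authorization simply forgotten. In a real code base the same idea is applied by inspecting the framework's route table for the presence of its auth decorators or middleware.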
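Two items meet in password handling: passwords of at least 10 characters, and "use a good hashing algorithm" instead of SHA-1. The block below is an added example using only the Python standard library, not code from the security-audit repository. It stores passwords with salted, iterated PBKDF2-HMAC-SHA256 in a self-describing format, verifies them in constant time, and detects stored hashes that need upgrading on the user's next login; the iteration count is the figure from OWASP's Password Storage Cheat Sheet at the time of writing and the storage format is this example's own convention.

```python
"""Password policy and storage: PBKDF2-HMAC-SHA256 with a per-user salt
instead of a bare fast hash. Added example; the '$'-separated storage
format and the iteration count are this example's choices."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 10      # the checklist's minimum
ALGO = "pbkdf2_sha256"


def password_meets_policy(password: str) -> bool:
    """Length is the one rule the checklist states; keep it the one enforced."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False                   # unknown or legacy format never verifies
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the stored value uses an old algorithm or too few iterations,
    so the application should re-hash it after the next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def legacy_sha1(password: str) -> str:
    """The pattern the checklist rules out: unsalted SHA-1. Identical passwords
    produce identical digests and the hash is fast enough for bulk guessing."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print(verify_password("correct horse battery", stored), needs_rehash(stored))
    print(needs_rehash(legacy_sha1("correct horse battery")))
```

Because the iteration count travels with the hash, raising `PBKDF2_ITERATIONS` in a later quarter does not break existing logins: `verify_password` still checks old entries with their recorded count, and `needs_rehash` tells the application which ones to upgrade.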