The following checklist, available in the Security Templates folder in the book's companion content, is the minimum set of items a designer, architect, or team lead should ask herself while designing the product. Treat this document as a sign-off requirement for the application design phase: it is complete only when every item has been checked.
Check | Category | Chapter
---|---|---
o | Education in place for team | 2
o | Someone on team signed up to monitor BugTraq and NTBugtraq | 1
o | Competitor's vulnerabilities analyzed to determine if the issues exist in this product | 3
o | Past vulnerabilities in previous versions of product analyzed for root cause | 3
o | Application attack surface is as small as possible | 3
o | If creating new user accounts, they are low privilege and have strong passwords | 3, 7
o | Safe-for-scripting ActiveX controls thoroughly reviewed | 16
o | Sample code reviewed for security issues. You must treat sample code as production code. | 23
o | Default install is secure | 3
o | Threat models complete for design phase | 2
o | Product has layered defenses | 3
o | Security failures logged for later analysis | 23
o | Privacy implications understood and documented | 22
o | Plans in place to migrate appropriate code to managed code | 23
o | "End-of-life" plans in place for features that will eventually be deprecated | 2
o | Security response process in place | 2
o | Documentation reflects good security practice | 24