Web application security audit to be performed once per quarter.
- Review latest OWASP Top 10
- Run automatic security checks
  - Mozilla Observatory: https://observatory.mozilla.org
  - Google CSP Evaluator: https://csp-evaluator.withgoogle.com/
  - Security header scanner: https://securityheaders.com/
  - Lighthouse (Chrome DevTools)
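An added example, not part of this checklist, of the kind of check the header scanners above automate: `audit_headers` (assumed name) reviews one response's security headers and Set-Cookie attributes offline, and `audit_url` fetches a live page; the 180-day HSTS minimum is this example's own threshold.

```python
import re
from urllib.request import urlopen

def audit_headers(headers, scheme="https"):
    """Findings for one response; headers is a dict or a list of (name, value) pairs."""
    h, cookies = {}, []
    for name, value in (headers.items() if hasattr(headers, "items") else headers):
        if name.lower() == "set-cookie":
            cookies.append(value)  # keep every cookie; a dict would collapse repeats
        else:
            h[name.lower()] = value  # header names are case-insensitive
    findings = []
    if scheme != "https":
        findings.append("not served over HTTPS")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", "").lower())
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < 15552000:  # 180 days, this example's chosen minimum
        findings.append("HSTS max-age below 180 days")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        findings.append("CSP allows 'unsafe-inline' without nonces or hashes")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=")[0]
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append("samesite")
        if missing:
            findings.append(f"cookie {name} lacks {', '.join(missing)}")
    return findings

def audit_url(url):
    """Fetch one URL (needs network) and audit the final response after redirects."""
    with urlopen(url) as resp:
        scheme = "https" if resp.geturl().startswith("https://") else "http"
        return audit_headers(resp.headers.items(), scheme)
```

Call `audit_url("https://your-site.example")` from a REPL to check a live deployment; an empty list means none of these checks fired.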
- Ensure encryption of data in transit (force SSL/TLS connections everywhere possible)
- Ensure encryption of data at rest (databases, hard drives, passwords, etc. should be encrypted)
- Update all dependencies
  - Use LTS versions (Node.js, Ubuntu, etc.)
  - No vulnerabilities found in dependencies (GitHub and npm security reports, etc.)
- Lock down ports (TCP, UDP, etc.)
  - Only open ports that are absolutely necessary
  - Only open the smallest subset of absolutely necessary IP addresses on each port
- Ensure strong authentication system
  - Study up on the latest authentication best practices
  - Up-to-date and secure
  - Cookies, JWTs, private and public keys, web storage, etc. all used correctly
- Ensure strong authorization system
  - Study up on the latest authorization best practices
  - Automated tests to ensure data integrity
  - Physical/logistical access controls should be in place (locking screens, not sharing passwords, etc.)
- Analyze all endpoints and ensure proper authentication and authorization
  - All processes that are accessible through TCP/IP ports should be audited to ensure each endpoint has proper authentication and authorization
  - Analyze the types of operations, reads or writes, that are permitted
- Rotate all keys
  - Public and private keys
  - Secrets
  - Passwords (minimum of 10 characters in length)
- All cryptographic algorithms up-to-date (e.g. do not use SHA-1)
  - For example, use a modern hashing algorithm
  - For example, choose a proper ECDSA curve
- Ensure physical integrity of all keys
  - You must be able to physically access all keys
  - Consider having multiple physical locations for each key (these cannot be lost)
  - Know where all keys are stored (laptop, USB drive, environment variables, cloud storage, safes, etc.)
- Review organizational access control policies
  - Who has access to what data
  - Password length
  - Password lifetimes
  - Access to secrets
  - Password sharing
  - Screen locking
  - Proper channels for sharing data (Gmail, Slack, Excel, etc.)
  - Revoke access of terminated employees
- Review all user accounts
  - Ensure all authorizations are current
- Sanitize data
  - Know where all sensitive data is stored
  - Only keep sensitive data that you absolutely must keep, and for no longer than absolutely necessary
- Review compliance with regulations
  - Determine what type of data is sensitive
  - Determine what type of data you are not allowed to store
  - HIPAA, PCI, GDPR, etc.
- Ensure proper logging and monitoring
  - Know when there is a breach or attack
- Audit the audit
  - Study the latest security practices
  - Ensure the audit is up-to-date and will lead to sufficient security