| Application at a glance: |
| Explanation: Questions in this section identify essential aspects of the application. |
| Is the information handled by this system considered public? | Yes | No |
| Is the system internal facing? | Yes | No |
| Does the application comply with the organization's existing security standards? | Yes | No |
| Component Interaction: |
| Explanation: Weaknesses in this category pertain to the ways data is shared between components, modules, programs, processes, threads, or systems. |
| Does the application validate all input including parameters, arguments, cookies, anything read from the network, environment variables, request headers, URL components, e-mail, files, database records and any external system that provides data to the application? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/20.html
http://www.owasp.org/index.php/A1_2004_Unvalidated_Input
| Does the application encode or escape data prior to exchanging it with external components such as a database, LDAP server, web browser, etc? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/116.html
http://cwe.mitre.org/data/definitions/89.html
http://cwe.mitre.org/data/definitions/79.html
http://www.owasp.org/index.php/Top_10_2007-A1
http://www.owasp.org/index.php/Top_10_2007-A2
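The two questions above (validate all input; encode data before handing it to an external component) are two halves of one request path. The following added example, written for this checklist and not taken from any project it cites, shows a request handler that validates a username and a numeric parameter against an allowlist, queries a database with bound parameters, and HTML-encodes the result at the point of output. The table schema, the username rule, the constructed rows and all helper names are assumptions.

```python
"""Validate at the boundary, encode at the exit (added example; not from the
checklist). The schema, the username rule and the helper names are assumptions."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # assumed allowlist: 3-32 chars


class ValidationError(ValueError):
    pass


def validate_username(raw) -> str:
    """Allowlist validation (CWE-20): reject anything that is not a plain username."""
    if not isinstance(raw, str) or not USERNAME_RE.match(raw):
        raise ValidationError(f"invalid username: {raw!r}")
    return raw


def validate_page_size(raw, default=20, maximum=100) -> int:
    """Numeric query parameter: parse it, then enforce a range instead of trusting it."""
    if raw is None or raw == "":
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValidationError(f"page size is not an integer: {raw!r}")
    if not 1 <= value <= maximum:
        raise ValidationError(f"page size out of range: {value}")
    return value


def open_constructed_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, display TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice <Admin>"), ("bob", "Bob & Co")])
    return conn


def find_display_name(conn, username: str):
    """Parameterised query (CWE-89): the value travels separately from the SQL text,
    so whatever it contains is matched as a literal name, never parsed as SQL."""
    row = conn.execute("SELECT display FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def render_greeting(display_name: str) -> str:
    """Encode for the HTML context at the point of output (CWE-79 / CWE-116)."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def greet(conn, raw_username) -> str:
    """Request handler: validate the input, query with bound parameters, encode the output."""
    try:
        username = validate_username(raw_username)
    except ValidationError:
        return "<p>Invalid username</p>"       # generic message; the rejected input is not echoed
    display = find_display_name(conn, username)
    if display is None:
        return "<p>Unknown user</p>"
    return render_greeting(display)


if __name__ == "__main__":
    db = open_constructed_db()
    print(greet(db, "alice"))                  # display name arrives HTML-encoded
    print(greet(db, "alice' OR 'a'='a"))       # rejected by validation before any query runs
    print(find_display_name(db, "alice' OR 'a'='a"))   # None: bound parameter is just a string
```

Validation and encoding are deliberately separate layers: the allowlist stops malformed input early, but the bound parameter and the HTML escaping are what protect the database and the browser even for values (such as a stored display name) that never passed through the validator.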
| Does the application encrypt sensitive information such as authentication credentials, sensitive customer data, etc. prior to transmitting such information across the network? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/319.html
http://www.owasp.org/index.php/Top_10_2007-A9
| Does the application verify the origin of sensitive POSTed form data through the use of unpredictable, unique nonces as hidden input form values? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/352.html
http://freedom-to-tinker.com/sites/default/files/csrf.pdf
http://www.owasp.org/index.php/Top_10_2007-A5
| Does the application use thread-safe techniques to protect against race conditions that could harm system availability and/or data integrity? | Yes | No |
Additional reading:
http://www.javalobby.org/articles/thread-safe/index.jsp
http://www.ibm.com/developerworks/library/l-sprace.html
http://security.dico.unimi.it/~roberto/pubs/dimva08-web.pdf
http://www.beansoftware.com/ASP.NET-Tutorials/Manual-Synchronize-Thread.aspx
| Does the application fail gracefully and securely without divulging details of the underlying implementation to the end user? | Yes | No |
Additional reading:
http://www.owasp.org/index.php/Top_10_2007-A6
http://www.owasp.org/index.php/A7_2004_Improper_Error_Handling
http://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management
http://cwe.mitre.org/data/definitions/12.html
http://www.owasp.org/index.php/ASP.NET_Misconfiguration:_Missing_Custom_Error_Handling
| Does the application ensure that numeric values are within expected ranges that do not result in unanticipated consequences when used in calculations or control structures? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/682.html
http://cwe.mitre.org/data/definitions/189.html
http://cwe.mitre.org/data/definitions/192.html
http://cwe.mitre.org/data/definitions/190.html
http://cwe.mitre.org/data/definitions/191.html
http://cwe.mitre.org/data/definitions/193.html
http://cwe.mitre.org/data/definitions/369.html
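The numeric-range question above groups several CWEs (wraparound, underflow, coercion, division by zero) that all come from letting a value reach a calculation unchecked. The following added example, not part of the checklist or of any cited project, computes an order total while rejecting values a fixed-width backend could not represent. The 32-bit limits stand in for a database column or native library that stores the result as a 32-bit integer, the business limits are made-up, and every helper name is hypothetical.

```python
"""Bounded arithmetic for an order-total calculation (added example, not from
the checklist). The 32-bit limits are an assumption standing in for a backend
such as a database column or native library that stores the result in a
fixed-width integer; the helper names are hypothetical."""

INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


class RangeError(ValueError):
    """Raised when a value leaves the range the rest of the system can represent."""


def wrap_int32(value: int) -> int:
    """Model what an unchecked 32-bit integer does with an oversized value:
    silently wrap around (CWE-190 / CWE-191)."""
    return ((value + 2 ** 31) % 2 ** 32) - 2 ** 31


def check_int32(value, name: str) -> int:
    """Accept only true integers within the 32-bit range (CWE-192 coercion guard;
    bool is excluded because True would otherwise pass as 1)."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise RangeError(f"{name} must be an integer, got {type(value).__name__}")
    if not INT32_MIN <= value <= INT32_MAX:
        raise RangeError(f"{name}={value} is outside the 32-bit range")
    return value


def checked_mul(a: int, b: int, name: str) -> int:
    """Multiply, then reject the result if a 32-bit backend would have wrapped it."""
    return check_int32(a * b, name)


def order_total_cents(unit_price_cents, quantity, discount_percent) -> int:
    """Compute a total in cents, rejecting values that would overflow, go negative,
    or fall outside the business limits before they reach any calculation."""
    check_int32(unit_price_cents, "unit_price_cents")
    check_int32(quantity, "quantity")
    check_int32(discount_percent, "discount_percent")
    if unit_price_cents < 0:
        raise RangeError("unit_price_cents must be non-negative")
    if not 1 <= quantity <= 10_000:            # assumed business limit
        raise RangeError("quantity must be between 1 and 10000")
    if not 0 <= discount_percent <= 100:       # above 100 the total would go negative
        raise RangeError("discount_percent must be between 0 and 100")
    subtotal = checked_mul(unit_price_cents, quantity, "subtotal")   # CWE-190 guard
    discount = subtotal * discount_percent // 100
    return check_int32(subtotal - discount, "total")


def split_evenly(total_cents: int, parties: int) -> int:
    """Share a total between parties, refusing a zero or negative divisor (CWE-369)."""
    check_int32(total_cents, "total_cents")
    check_int32(parties, "parties")
    if parties <= 0:
        raise RangeError("parties must be positive")
    return total_cents // parties


def is_rejected(fn, *args) -> bool:
    """True when the call is refused with RangeError (used by the demo and the test)."""
    try:
        fn(*args)
    except RangeError:
        return True
    return False


if __name__ == "__main__":
    print(order_total_cents(100, 3, 10))                  # 270
    print(wrap_int32(2 ** 30 * 4))                         # 0: what an unchecked backend would store
    print(is_rejected(order_total_cents, 2 ** 30, 4, 0))   # True: refused before it can wrap
    print(is_rejected(split_evenly, 100, 0))               # True: division by zero refused
```

The point of `wrap_int32` is only to make the failure visible: a subtotal of 2**32 cents stored in a 32-bit column becomes 0, so an order would appear free. Checking the product against the backend's range, rather than trusting the language's arbitrary-precision integers, is what the checklist question asks for.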
| Resource Management: |
| Explanation: Weaknesses in this category relate to ways in which software fails to properly manage the creation, usage, transfer and destruction of system resources. |
| Does the application store state information on the server side only or ensure client-side state variables have not been tampered with? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/642.html
http://www.owasp.org/index.php/Top_10_2007-A4
http://capec.mitre.org/data/definitions/74.html
http://cwe.mitre.org/data/definitions/472.html
http://cwe.mitre.org/data/definitions/565.html
| Does the application properly control access to the server's file system? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/73.html
http://cwe.mitre.org/data/definitions/22.html
http://cwe.mitre.org/data/definitions/41.html
http://cwe.mitre.org/data/definitions/434.html
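The file-system question above spans path traversal, symlink following and unrestricted upload. The following added example, written for this checklist rather than taken from any cited project, implements the usual defensive pattern: resolve both the base directory and the requested path, then require that the result lies inside the base, so traversal sequences, absolute paths and symlinked escapes are all caught by one containment check. The sandbox builder creates a constructed directory tree so the code runs offline; the upload extension allowlist and all helper names are assumptions.

```python
"""Confine file-system access to a single base directory (added example; not
from the checklist). resolve_under() is a hypothetical helper; make_sandbox()
creates constructed fixture files so the example runs offline."""
import os
import tempfile
from pathlib import Path

ALLOWED_UPLOAD_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}   # assumed allowlist (CWE-434)


class PathRejected(Exception):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_under(base_dir, user_path: str) -> Path:
    """Return the real path for user_path inside base_dir, or raise PathRejected.

    Both sides are resolved (symlinks and '..' included) before comparison, so
    the check is on where the path really ends up, not on whether it looks
    suspicious (CWE-22 / CWE-73 / CWE-41)."""
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()   # an absolute user_path replaces base here, and is then caught
    if candidate == base or base not in candidate.parents:
        raise PathRejected(f"{user_path!r} does not name an entry inside {base}")
    return candidate


def read_user_file(base_dir, user_path: str) -> str:
    """Serve a text file only if it resolves inside base_dir."""
    return resolve_under(base_dir, user_path).read_text(encoding="utf-8")


def safe_upload_name(filename: str) -> str:
    """Reduce a client-supplied filename to a bare basename with an allowlisted extension."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise PathRejected("empty or hidden filename")
    if Path(name).suffix.lower() not in ALLOWED_UPLOAD_EXTENSIONS:
        raise PathRejected(f"extension not permitted: {name}")
    return name


def rejects(fn, *args) -> bool:
    """True when the call is refused with PathRejected (used by the demo and the test)."""
    try:
        fn(*args)
    except PathRejected:
        return True
    return False


def make_sandbox() -> dict:
    """Constructed tree: <root>/public/docs/readme.txt is servable, <root>/secret.txt
    is not, and (where the platform allows symlinks) public/escape points at <root>."""
    root = Path(tempfile.mkdtemp())
    base = root / "public"
    (base / "docs").mkdir(parents=True)
    (base / "docs" / "readme.txt").write_text("hello", encoding="utf-8")
    (root / "secret.txt").write_text("top secret", encoding="utf-8")
    has_link = True
    try:
        (base / "escape").symlink_to(root, target_is_directory=True)
    except OSError:
        has_link = False
    return {"base": str(base), "secret": str(root / "secret.txt"), "has_link": has_link}


if __name__ == "__main__":
    sb = make_sandbox()
    print(read_user_file(sb["base"], "docs/readme.txt"))        # hello
    print(rejects(resolve_under, sb["base"], "../secret.txt"))  # True
    print(rejects(resolve_under, sb["base"], sb["secret"]))     # True: absolute path outside base
    if sb["has_link"]:
        print(rejects(resolve_under, sb["base"], "escape/secret.txt"))   # True: symlink followed, then caught
    print(safe_upload_name("../../evil/report.pdf"))             # report.pdf
```

Note that `resolve_under` never inspects the string for `..`; a blocklist of patterns is exactly the approach CWE-22 warns is easy to bypass, whereas comparing resolved paths holds regardless of how the escape was spelled.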
| Porous Defenses: |
| Explanation: This category is concerned with defensive techniques that are often misused, abused or ignored. |
| Does the application perform access control checks in a consistent manner across all potential execution paths? | Yes | No |
Additional reading:
http://capec.mitre.org/data/definitions/87.html
http://www.owasp.org/index.php/Top_10_2007-A10
http://www.owasp.org/index.php/A2_2004_Broken_Access_Control
http://capec.mitre.org/data/definitions/59.html
http://capec.mitre.org/data/definitions/77.html
http://capec.mitre.org/data/definitions/39.html
http://capec.mitre.org/data/definitions/51.html
http://capec.mitre.org/data/definitions/60.html
http://capec.mitre.org/data/definitions/1.html
| Does the application use currently accepted, industry-standard cryptographic algorithms? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/326.html
http://www.owasp.org/index.php/Top_10_2007-A8
http://www.owasp.org/index.php/A8_2004_Insecure_Storage
http://cwe.mitre.org/data/definitions/311.html
http://www.faqs.org/faqs/cryptography-faq/snake-oil/
| Is the application free of hardcoded credentials? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/259.html
http://cwe.mitre.org/data/definitions/656.html
http://www.owasp.org/index.php/Top_10_2007-Broken_Authentication_and_Session_Management
| Has the application been deployed with secure default permissions? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/732.html
| Does the application use sufficient randomness for generating session ids or in other security-sensitive contexts? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/330.html
https://www.securecoding.cert.org/confluence/display/seccode/MSC30-C.+Do+not+use+the+rand()+function+for+generating+pseudorandom+numbers
https://www.securecoding.cert.org/confluence/display/seccode/MSC32-C.+Ensure+your+random+number+generator+is+properly+seeded
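The randomness question above and the earlier CSRF question (unpredictable, unique nonces as hidden form values) depend on the same building block, so one added example serves both. It is written for this checklist and is not code from any cited project: a server-side session store issues CSPRNG-backed session ids and a per-session CSRF nonce, embeds the nonce in a form, and verifies submitted values with a constant-time comparison. A seeded general-purpose PRNG is included only to show why it is unsuitable for these ids (CWE-330, CERT MSC30/MSC32). `SessionStore`, the form helpers and the 32-byte token size are assumptions.

```python
"""Unpredictable session ids and CSRF nonces (added example; not from the
checklist). SessionStore and the form helpers are hypothetical; the weak
generator is included only to show why a seeded PRNG is unsuitable here."""
import html
import random
import secrets

TOKEN_BYTES = 32   # assumed: 256 bits of entropy per id / nonce


def weak_session_id(seed: int) -> str:
    """Anti-pattern: a seeded general-purpose PRNG (CWE-330, CERT MSC30 / MSC32).
    The same seed always yields the same 'session id', so a seed derived from the
    clock or a counter makes ids reproducible rather than unpredictable."""
    return format(random.Random(seed).getrandbits(128), "032x")


def new_token() -> str:
    """CSPRNG-backed, URL-safe token suitable for session ids and CSRF nonces."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionStore:
    """Server-side session state: session id -> per-session CSRF nonce."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = new_token()
        self._sessions[sid] = {"csrf": new_token()}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self._sessions[sid]["csrf"]

    def verify_csrf(self, sid, submitted) -> bool:
        """Constant-time comparison, so the check does not leak how many leading
        bytes of a submitted value happened to match (CWE-352 verification step)."""
        session = self._sessions.get(sid)
        if session is None or not isinstance(submitted, str):
            return False
        return secrets.compare_digest(session["csrf"].encode(), submitted.encode())


def render_transfer_form(store: SessionStore, sid: str) -> str:
    """Embed the session's nonce as a hidden field; encode it like any other output."""
    nonce = html.escape(store.csrf_token(sid), quote=True)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{nonce}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer_post(store: SessionStore, sid: str, form: dict) -> str:
    """Accept the POST only if the nonce matches the one issued to this session."""
    if not store.verify_csrf(sid, form.get("csrf_token")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 transfer of {form.get('amount')} accepted"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(render_transfer_form(store, sid))
    legit = {"csrf_token": store.csrf_token(sid), "amount": "10"}   # constructed request bodies
    foreign = {"amount": "10"}                                      # a form served by another origin has no nonce
    print(handle_transfer_post(store, sid, legit))
    print(handle_transfer_post(store, sid, foreign))
    print(weak_session_id(1700000000) == weak_session_id(1700000000))   # True: reproducible
```

The nonce is stored only on the server and compared with `secrets.compare_digest`; because the session cookie alone is not enough to pass the check, a request that a browser sends on behalf of another origin is refused even though it carries the session cookie.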
| Are permissions on and ownership of security-critical resources properly configured to prevent access and/or modification by unintended actors? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/732.html
http://cwe.mitre.org/data/definitions/275.html
http://www.owasp.org/index.php/A2_2004_Broken_Access_Control
http://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management
| Are all client-side security checks verified and enforced on the server-side? | Yes | No |
Additional reading:
http://cwe.mitre.org/data/definitions/602.html
http://www.owasp.org/index.php/A1_2004_Unvalidated_Input
| Does the application lock accounts after some number of failed login attempts? | Yes | No |
Additional reading:
http://www.owasp.org/index.php/Guide_to_Authentication#Thresholds_Governor
http://www.owasp.org/index.php/Brute_force_attack
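The account-lockout question above corresponds to the "thresholds governor" in the linked OWASP authentication guide. The following added example, written for this checklist rather than taken from any cited project, counts failed attempts per account inside a sliding window and refuses every attempt for a fixed lockout period once the threshold is reached. `LoginGovernor`, `FakeClock` and the default limits are assumptions a deployment would tune.

```python
"""Failed-login threshold governor with temporary lockout (added example; not
from the checklist). LoginGovernor and FakeClock are hypothetical; the limits
are assumptions a deployment would tune."""
import time
from collections import defaultdict


class FakeClock:
    """Deterministic clock (seconds) so the governor can be exercised without waiting."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGovernor:
    """Count failed attempts per account inside a sliding window; once the
    threshold is hit, refuse every attempt until the lockout expires."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)   # lock served; the count starts fresh
            return False
        return True

    def _recent_failures(self, account: str) -> int:
        """Drop failures older than the window and return how many remain."""
        cutoff = self.clock() - self.window_s
        recent = [t for t in self._failures[account] if t > cutoff]
        self._failures[account] = recent
        return len(recent)

    def attempt(self, account: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'denied'. The lock is checked before the
        password, so a locked account answers the same way whether or not the
        supplied password was right."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)    # a successful login clears the counter
            return "ok"
        self._failures[account].append(self.clock())
        if self._recent_failures(account) >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_s
        return "denied"


if __name__ == "__main__":
    clock = FakeClock()
    governor = LoginGovernor(max_failures=3, window_s=60, lockout_s=120, clock=clock)
    for _ in range(3):
        print(governor.attempt("alice", password_ok=False))   # denied x3
    print(governor.attempt("alice", password_ok=True))        # locked: right password, still refused
    clock.advance(121)
    print(governor.attempt("alice", password_ok=True))        # ok: lockout expired
```

The lockout is deliberately temporary and the failure window slides: a permanent lock would let anyone who knows a username deny that user access, while a window that never expires would eventually lock out every account that accumulates ordinary typos. Both parameters, and whether the governor also keys on client address, are deployment decisions the checklist leaves open.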