├── .gitignore
├── README.md
└── Secure_Code_Checklist.xlsx
/.gitignore:
--------------------------------------------------------------------------------
1 | # Ghostwrite backup
2 | *.backup
3 |
4 | # Excel temporary
5 | ~$*.xls*
6 |
7 | # Excel Backup File
8 | *.xlk
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # secure-code-review-checklist
2 | A starter secure code review checklist
3 |
4 | - Available in [Xlsx](Secure_Code_Checklist.xlsx) for offline testing
5 |
6 | ## Table of Contents
7 |
8 | * [Information Gathering](#information-gathering)
9 | * [Configuration](#configuration)
10 | * [Secure Transmission](#secure-transmission)
11 | * [Authentication](#authentication)
12 | * [Session Management](#session-management)
13 | * [Authorization](#authorization)
14 | * [Data Validation](#data-validation)
15 | * [Application Output](#application-output)
16 | * [Cryptography](#cryptography)
17 | * [Log Management](#log-management)
18 |
19 | ------
20 | ### Information Gathering
21 | - [ ] Get a copy of the code
22 | - [ ] Manually explore the file structure of the code
23 | - [ ] Look for any missing pieces of code
24 | - [ ] Check for frameworks / libraries / dependencies
25 | - [ ] Check for application routes and their inputs
26 |
27 | ### Configuration
28 | - [ ] Sensitive data is not hard-coded in configuration files
29 | - [ ] Develop and test code are properly segregated from production
30 | - [ ] Dependencies are up to date
31 |
32 | ### Secure Transmission
33 | - [ ] Sensitive data is only transmitted over a TLS (SSL) connection
34 | - [ ] Site is partitioned into private and public URLs
35 | - [ ] Sensitive data has been secured in memory, storage and transit
36 | - [ ] Sensitive data doesn’t leak to non-private channels
37 |
38 |
39 | ### Authentication
40 | - [ ] Test for user enumeration
41 | - [ ] Passwords are hashed using a vetted framework / library
42 | - [ ] Users can only log in over POST, never GET
43 | - [ ] User credentials are encrypted using a framework / library
44 | - [ ] Strong password policy in effect
45 |
46 | ### Session Management
47 | - [ ] Establish how session management is handled in the application
48 | - [ ] Session cookies are encrypted, have a length of at least 128 bits and are unpredictable
49 | - [ ] Session cookies are not persistent
50 | - [ ] Session cookies use the HttpOnly, Secure and SameSite attributes
51 | - [ ] Session tokens are not passed in URLs
52 | - [ ] Session cookies expire in a reasonable amount of time
53 | - [ ] Logout invalidates the session
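The cookie items above can be checked mechanically. This is an added example, not part of the checklist repository: it parses a `Set-Cookie` header with the standard library and reports which items fail. The cookie name `sessionid`, the entropy estimate per alphabet, and the constructed headers in `__main__` are assumptions.

```python
"""Audit a Set-Cookie header against the session-cookie items of this checklist."""
import math
import re
from http.cookies import SimpleCookie

MIN_TOKEN_BITS = 128  # checklist: identifier of at least 128 bits


def token_entropy_bits(value: str) -> float:
    """Upper-bound estimate of identifier entropy from its alphabet and length."""
    if re.fullmatch(r"[0-9]+", value):
        bits_per_char = math.log2(10)      # decimal counter or timestamp
    elif re.fullmatch(r"[0-9a-fA-F]+", value):
        bits_per_char = 4                  # hex
    elif re.fullmatch(r"[A-Za-z0-9_-]+", value):
        bits_per_char = 6                  # base64url
    else:
        bits_per_char = 6.5                # mixed printable, rough assumption
    return len(value) * bits_per_char


def audit_set_cookie(header: str, name: str = "sessionid") -> list:
    """Return checklist findings for the named cookie; an empty list means it passes."""
    jar = SimpleCookie()
    jar.load(header)
    if name not in jar:
        return [f"cookie {name!r} not present"]
    morsel = jar[name]
    findings = []
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: readable by script, exposed to XSS")
    if not morsel["secure"]:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    if not morsel["samesite"]:
        findings.append("missing SameSite: no cookie-level CSRF mitigation")
    if morsel["expires"] or morsel["max-age"]:
        findings.append("persistent cookie: Expires/Max-Age set, survives browser close")
    if token_entropy_bits(morsel.value) < MIN_TOKEN_BITS:
        findings.append(f"identifier has fewer than {MIN_TOKEN_BITS} bits")
    return findings


if __name__ == "__main__":
    # Constructed headers: a weak one and one that satisfies every item.
    weak = "sessionid=12345; Path=/; Max-Age=2592000"
    good = "sessionid=" + "0123456789abcdef" * 2 + "; Path=/; HttpOnly; Secure; SameSite=Lax"
    print(audit_set_cookie(weak))
    print(audit_set_cookie(good))  # []
```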
54 |
55 | ### Authorization
56 | - [ ] Sensitive transactions require re-authentication
57 | - [ ] Authentication and authorization checks are done on each private request
58 | - [ ] Authorization checks are granular, per page / directory / action
59 | - [ ] Authorization checks are appropriate for each HTTP verb the application supports
60 |
61 |
62 | ### Data Validation
63 | - [ ] All user input is validated for proper type, length, format and range
64 | - [ ] Validation on user input is done server side
65 | - [ ] Uploaded files are validated for content type, size, file type and filename
66 | - [ ] Special characters are sanitized before being used in external systems, like databases
67 | - [ ] Invalid input triggers handled exceptions rather than unhandled errors
68 |
69 | ### Application Output
70 | - [ ] All page output is properly encoded
71 | - [ ] All header output is URL encoded
72 | - [ ] Cache headers are properly set on sensitive data
73 | - [ ] Security headers are properly set on the application
74 | - [ ] Sensitive application information is not revealed to the user
75 | - [ ] Error messages don’t reveal sensitive information
76 | - [ ] Error messages aren't user-controllable
77 |
78 | ### Cryptography
79 | - [ ] User passwords are hashed using a stretching algorithm and uniquely salted
80 | - [ ] Block ciphers operate in CBC mode and IV values are not reused
81 | - [ ] Salts are unique per user and contain over 64 bits of secure random data
82 | - [ ] Check for known bad ciphers (RC4), cryptographic hash functions (MD5) and insecure random number generation
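An added example (not the repository's code) of what the password items above look like when they pass: a stretched PBKDF2-HMAC-SHA256 hash with a fresh 128-bit CSPRNG salt per user, constant-time verification, and a `review_record` helper that raises the same findings a reviewer would. The `algorithm$iterations$salt$hash` record format and the 600,000-iteration work factor are assumptions.

```python
"""Password storage meeting the stretching and salting items of this checklist."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16           # 128 bits, comfortably over the checklist's 64-bit floor
MIN_SALT_BITS = 64


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a stretched hash with a fresh per-user salt; return a self-describing record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)    # CSPRNG, unique per call
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def review_record(record: str) -> list:
    """Checklist findings a reviewer would raise about one stored record."""
    try:
        algorithm, iterations, salt_hex, _ = record.split("$")
        iterations = int(iterations)
    except ValueError:
        return ["unparseable record"]
    findings = []
    if algorithm != ALGORITHM:
        findings.append(f"unknown or unstretched algorithm: {algorithm}")
    if iterations < ITERATIONS:
        findings.append(f"work factor {iterations} below current {ITERATIONS}")
    if len(salt_hex) * 4 <= MIN_SALT_BITS:
        findings.append("salt is not over 64 bits")
    return findings
```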
83 |
84 | ### Log Management
85 | - [ ] All sensitive user actions are logged with Where, What, When, Who and How answered
86 | - [ ] All sensitive system actions are logged with Where, What, When, Who and How answered
87 | - [ ] Sensitive info is not logged
88 | - [ ] User input is sanitized and validated before being placed in application logs
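Added example, not from the repository: an audit-log helper that emits one JSON line answering Where, What, When, Who and How, redacts fields whose names suggest secrets, and neutralises control characters so user input cannot forge extra log lines. The `SENSITIVE_KEYS` list and the 256-character field cap are assumptions for an application-specific policy.

```python
"""Audit-log helper covering the log management items of this checklist."""
import json
import re
from datetime import datetime, timezone

MAX_FIELD_LEN = 256
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, ESC: log-injection vectors
SENSITIVE_KEYS = {"password", "token", "session", "ssn", "card"}  # assumed policy list


def sanitize(value) -> str:
    """Escape control characters and bound length before a value reaches the log."""
    text = str(value)
    text = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), text)
    return text[:MAX_FIELD_LEN]


def audit_event(where: str, what: str, who: str, how: str,
                details: dict = None, when: datetime = None) -> str:
    """Build one JSON log line answering Where/What/When/Who/How; redact secrets."""
    when = when or datetime.now(timezone.utc)
    safe_details = {}
    for key, value in (details or {}).items():
        if any(marker in key.lower() for marker in SENSITIVE_KEYS):
            safe_details[key] = "[REDACTED]"       # checklist: sensitive info is not logged
        else:
            safe_details[key] = sanitize(value)
    entry = {
        "when": when.isoformat(),
        "where": sanitize(where),   # route or component
        "what": sanitize(what),     # action attempted
        "who": sanitize(who),       # principal, never a credential
        "how": sanitize(how),       # method and outcome, e.g. "POST failed"
        "details": safe_details,
    }
    # json.dumps also escapes newlines; sanitize() matters for plain-text loggers too.
    return json.dumps(entry, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed input: a username carrying a CRLF-injected fake log line.
    print(audit_event("/login", "login_failed", "alice\r\nadmin login_success",
                      "POST failed", {"password": "hunter2", "ua": "curl/8.0"}))
```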
89 |
90 |
91 | #### Sources:
92 |
93 | - Modelled after: [OWASP-Web-Checklist](https://github.com/0xRadi/OWASP-Web-Checklist)
94 | - [Secure Code Review Checklist](https://arch.simplicable.com/arch/new/secure-code-review-checklist)
95 | - [Internal Software Secured Checklist](Private)
96 | - [Code Review Checklist – To Perform Effective Code Reviews](https://www.evoketechnologies.com/blog/code-review-checklist-perform-effective-code-reviews/)
97 | - [Java Code Review Checklist](https://dzone.com/articles/java-code-review-checklist)
98 | - [Software Integrity](https://www.synopsys.com/blogs/software-security/code-review-checklist/)
99 | - [Security Audit Checklist: Code Perspective](https://courses.cs.washington.edu/courses/cse403/10wi/lectures/security_audit_checklist.pdf)
100 | - [Stop More Bugs with our Code Review Checklist](https://jesseheines.com/~heines/91.462/Resources/CodeReviewChecklists/StopMoreBugsWithOurCodeReviewChecklist_FogCreekBlog_2015-03-23.pdf)
101 |
102 |
--------------------------------------------------------------------------------
/Secure_Code_Checklist.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/softwaresecured/secure-code-review-checklist/7a1537b169c3931ff4a0c11126d859387506381d/Secure_Code_Checklist.xlsx
--------------------------------------------------------------------------------