OWasp Web App Developer Checklist

Question 1

System Configuration

What principle should be followed for application privileges?

Answer 1

Applications, processes, and service accounts should be restricted to the least privileges possible.

Question 2

System Configuration

How should elevated privileges for an application be handled?

Answer 2

Raise privileges as late as possible and drop them as soon as possible.

Question 3

System Configuration

What should be removed before deployment?

Answer 3

All unnecessary functionality, files, test code, or functionality not intended for production.

Question 4

System Configuration

How should the application’s security configuration store be maintained?

Answer 4

It should be available in human-readable form to support auditing.

Question 5

System Configuration

What should be done to separate environments?

Answer 5

Isolate development environments from production and restrict access to authorized development and test groups.

Question 6

System Configuration

What system should be implemented for managing code changes?

Answer 6

A software change control system to manage and record changes in both development and production.

Question 7

Cryptographic Practices

What type of cryptographic modules should be used?

Answer 7

Peer-reviewed and open solution cryptographic modules.

Question 8

Cryptographic Practices

Where should cryptographic functions protecting secrets be implemented?

Answer 8

On a trusted system.

Question 9

Cryptographic Practices

How should cryptographic modules handle failures?

Answer 9

They must fail securely.

Question 10

Cryptographic Practices

What is required for generating random elements?

Answer 10

Use a cryptographic module with an approved random number generator.

Question 11

Cryptographic Practices

What compliance standard should cryptographic modules meet?

Answer 11

FIPS 140-2 or an equivalent standard.

Question 12

Cryptographic Practices

How should cryptographic keys be managed?

Answer 12

Establish a policy and process for key management, and ensure secret keys are protected.

Question 13

Cryptographic Practices

Where should cryptographic keys be stored?

Answer 13

In a proper secrets vault.

Question 14

Cryptographic Practices

What feature should applications include regarding cryptographic keys?

Answer 14

Support for key rotation and changing algorithms or keys when needed.

Question 15

File Management

Should user-supplied data be passed to a dynamic include function?

Answer 15

No, avoid passing user-supplied data directly to such functions.

Question 16

File Management

What is required before allowing a file to be uploaded?

Answer 16

Authentication.

Question 17

File Management

How should file upload types be limited?

Answer 17

Only allow file types needed for business purposes.

Question 18

File Management

How should uploaded files be validated?

Answer 18

Check file headers, not just file extensions.

Question 19

File Management

Where should files not be saved?

Answer 19

In the same web context as the application.

Question 20

File Management

How can you prevent executable file uploads?

Answer 20

Turn off execution privileges in file upload directories.

Question 21

File Management

How should file referencing be managed?

Answer 21

Use an allow-list for file names and types.

Question 22

File Management

What must not be sent to the client regarding files?

Answer 22

Absolute file paths.

Question 23

File Management

How should user-uploaded files be checked for safety?

Answer 23

Scan files for viruses and malware.

Question 24

Security Frameworks and Libraries

What should be ensured for servers, frameworks, and system components?

Answer 24

They should run the latest approved versions and patches.

Question 25

# Security Frameworks and Libraries Where should libraries and frameworks be sourced from?

Answer 25

Trusted sources that are actively maintained and widely used.

Question 26

# Security Frameworks and Libraries What must be done for secondary applications and third-party libraries?

Answer 26

Review them for business necessity and validate safe functionality.

Question 27

# Security Frameworks and Libraries How can you track third-party libraries?

Answer 27

Create and maintain an inventory catalog using Software Composition Analysis (SCA).

Question 28

# Security Frameworks and Libraries How can you reduce the attack surface when using libraries?

Answer 28

Encapsulate the library and expose only the required behavior into your software.

Question 29

# Security Frameworks and Libraries When possible, what type of code should be used for common tasks?

Answer 29

Tested and approved managed code rather than new unmanaged code.

Question 30

# Security Frameworks and Libraries How can you ensure the integrity of code and configuration files?

Answer 30

Use checksums or hashes to verify their integrity.

Question 31

# Security Frameworks and Libraries What should updates be implemented with?

Answer 31

Safe updates using encrypted channels.

Question 32

# Secure Queries How can SQL injection be prevented?

Answer 32

By using query parameterization to prevent untrusted input from being interpreted as part of a SQL command.

Question 33

# Secure Queries What input handling measures should be applied?

Answer 33

Utilize input validation, output encoding, and address meta characters.

Question 34

# Secure Queries Where should connection strings not be stored?

Answer 34

They should not be hard-coded within the application.

Question 35

# Secure Queries How and where should connection strings be stored?

Answer 35

In a separate configuration file on a trusted system, and they should be encrypted.

Question 36

# Secure Configuration What privilege level should applications use when accessing a database?

Answer 36

The lowest possible level of privilege.

Question 37

# Secure Configuration How should access to base tables in the database be handled?

Answer 37

Use stored procedures to abstract data access and allow permissions to be removed from the base tables.

Question 38

# Secure Configuration When should database connections be closed?

Answer 38

As soon as possible.

Question 39

# Secure Configuration What default vendor content should be removed?

Answer 39

Any unnecessary default content, such as sample schemas.

Question 40

# Secure Configuration What should be done with unused default accounts?

Answer 40

They should be disabled if not required for business purposes.

Question 41

# Secure Authentication What must be done with default database administrative passwords?

Answer 41

They should be removed or changed.

Question 42

# Secure Authentication How should application connections to the database be structured?

Answer 42

Different credentials should be used for every trust distinction (e.g., user, read-only user, guest, administrators).

Question 43

# Secure Authentication What kind of credentials should be used for database access?

Answer 43

Secure credentials.

Question 44

# Character Encoding and Canonicalization When should output encoding be applied?

Answer 44

Just before the content is passed to the target system.

Question 45

# Character Encoding and Canonicalization Where should all output encoding be conducted?

Answer 45

On a trusted system.

Question 46

# Character Encoding and Canonicalization What should be specified for all outputs?

Answer 46

Character sets, such as UTF-8.

Question 47

# Character Encoding and Canonicalization How should Unicode data be handled?

Answer 47

Apply canonicalization to convert Unicode data into a standard form.

Question 48

# Character Encoding and Canonicalization How should output used for OS commands be treated?

Answer 48

It must be sanitized.

Question 49

# Contextual Output Encoding How is contextual output encoding determined?

Answer 49

Based on how data will be utilized by the target system, e.g., HTML entity encoding.

Question 50

# Contextual Output Encoding What data must be contextually encoded?

Answer 50

All data returned to the client from untrusted sources and output of untrusted data to SQL, XML, and LDAP queries.

Question 51

# Syntax and Semantic Validity What should be done with all data sources?

Answer 51

Identify and classify them into trusted and untrusted.

Question 52

# Syntax and Semantic Validity When should input be encoded?

Answer 52

Before validating it, using a common character set.

Question 53

# Syntax and Semantic Validity What should be verified in protocol header values?

Answer 53

Ensure they contain only ASCII characters.

Question 54

# Syntax and Semantic Validity How should data validation handle failures?

Answer 54

All validation failures should result in input rejection.

Question 55

# Syntax and Semantic Validity How can obfuscation attacks be addressed?

Answer 55

Utilize canonicalization.

Question 56

# Libraries and Frameworks Where should all input validation occur?

Answer 56

On a trusted system.

Question 57

# Libraries and Frameworks How should input validation be implemented?

Answer 57

Use a centralized input validation library or framework.

Question 58

# Libraries and Frameworks What approach should be used for expected data types?

Answer 58

Validate using an allow-list rather than a deny-list.

Question 59

# Validate Serialized Data How can serialized objects be protected?

Answer 59

Implement integrity checks or encryption.

Question 60

# Validate Serialized Data Where should deserialization features run?

Answer 60

In very low-privilege environments, such as temporary containers.

Question 61

# Validate Serialized Data How should security failures in deserialization be handled?

Answer 61

Log all exceptions and failures.

Question 62

# Validate Serialized Data What should be monitored to ensure safety?

Answer 62

Incoming and outgoing network connectivity from deserialization systems.

Question 63

# Authentication How should access control authentication be designed?

Answer 63

Thoroughly up-front.

Question 64

# Authentication What should all requests go through unless public?

Answer 64

Access control checks.

Question 65

# Authentication What method should be used for high-value transactional accounts?

Answer 65

Multi-Factor Authentication (MFA).

Question 66

# Passwords How should authentication controls be handled?

Answer 66

They must be enforced on a trusted system and fail securely.

Question 67

# Passwords How should credentials be stored?

Answer 67

Use a cryptographically strong one-way salted hash and store them securely.

Question 68

# Passwords How should password reset operations be handled?

Answer 68

They require the same controls as account creation and authentication.

Question 69

# Passwords How should non-temporary passwords be transmitted?

Answer 69

Over an encrypted connection or as encrypted data.

Question 70

# Passwords What should happen after an established number of invalid login attempts?

Answer 70

Enforce account disabling.

Question 71

# Passwords How should temporary passwords and links be managed?

Answer 71

They must have a short expiration time and require a change on next use.

Question 72

# Cryptographic-Based Authentication What should be used for session management?

Answer 72

Use the server or framework’s session management controls.

Question 73

# Cryptographic-Based Authentication Where must session identifier creation occur?

Answer 73

On a trusted system.

Question 74

# Cryptographic-Based Authentication What kind of algorithms should session management controls use?

Answer 74

Well-vetted algorithms ensuring sufficiently random session identifiers.

Question 75

# Cryptographic-Based Authentication What should be set for cookies with authenticated session identifiers?

Answer 75

Set the domain and path to appropriately restricted values.

Question 76

# Cryptographic-Based Authentication What must logout functionality do?

Answer 76

Fully terminate the associated session or connection and be available on all authorized pages.

Question 77

# Cryptographic-Based Authentication What should be established for session inactivity?

Answer 77

A timeout that balances risk and business functional requirements.

Question 78

# Cryptographic-Based Authentication What must happen if a session was created before login?

Answer 78

Close it and establish a new session after successful login.

Question 79

# Cryptographic-Based Authentication What is required on any re-authentication?

Answer 79

Generate a new session identifier.

Question 80

# Cryptographic-Based Authentication Should concurrent logins with the same user ID be allowed?

Answer 80

No, they must not be allowed.

Question 81

# Cryptographic-Based Authentication How should session identifiers be protected?

Answer 81

They must not be exposed in URLs, error messages, or logs.

Question 82

# Cryptographic-Based Authentication What attributes should cookies with session identifiers have?

Answer 82

Set the secure attribute for TLS connections and the HttpOnly attribute unless required by client-side scripts.

Question 83

# Authorization How should access control and authorization be designed?

Answer 83

Thoroughly up-front.

Question 84

# Authorization What should happen to all requests unless public?

Answer 84

They must go through access control checks.

Question 85

# Authorization What is the default stance for access control?

Answer 85

Deny by default if a request is not explicitly allowed.

Question 86

# Authorization What principle should be applied when granting access?

Answer 86

Least privilege, providing only the necessary access.

Question 87

# Authorization What events should be logged?

Answer 87

All authorization events.

Question 88

# Access Control How should authorization controls be applied?

Answer 88

They must be enforced on every request.

Question 89

# Access Control What objects should be used to make access authorization decisions?

Answer 89

Only trusted system objects.

Question 90

# Access Control How can access authorization be centralized?

Answer 90

Use a single site-wide component for checking access.

Question 91

# Access Control What should happen if the application cannot access its security configuration?

Answer 91

Deny all access.

Question 92

# Access Control How can transaction limits protect against automated attacks?

Answer 92

Limit the number of transactions a single user or device can perform in a given period of time.

Question 93

# Access Control What must be periodically re-validated in long authenticated sessions?

Answer 93

A user’s authorization.

Question 94

# Access Control What should be supported for terminated accounts or sessions?

Answer 94

Termination of sessions when authorization ceases.