OWASP Web App Developer Checklist Flashcards
Flashcards for developers, based on the web application checklist in the OWASP Developer Guide at https://owasp.org/www-project-developer-guide/release/design/web_app_checklist/define_security_requirements/
System Configuration
What principle should be followed for application privileges?
Applications, processes, and service accounts should be restricted to the least privileges possible.
System Configuration
How should elevated privileges for an application be handled?
Raise privileges as late as possible and drop them as soon as possible.
System Configuration
What should be removed before deployment?
All unnecessary functionality and files, test code, and anything else not intended for production.
System Configuration
How should the application’s security configuration store be maintained?
It should be available in human-readable form to support auditing.
System Configuration
What should be done to separate environments?
Isolate development environments from production and restrict access to authorized development and test groups.
System Configuration
What system should be implemented for managing code changes?
A software change control system to manage and record changes in both development and production.
Cryptographic Practices
What type of cryptographic modules should be used?
Peer-reviewed, openly published cryptographic modules rather than home-grown implementations.
Cryptographic Practices
Where should cryptographic functions protecting secrets be implemented?
On a trusted system.
Cryptographic Practices
How should cryptographic modules handle failures?
They must fail securely.
Cryptographic Practices
What is required for generating random elements?
Use a cryptographic module with an approved random number generator.
Cryptographic Practices
What compliance standard should cryptographic modules meet?
FIPS 140-2 (or its successor, FIPS 140-3) or an equivalent standard.
Cryptographic Practices
How should cryptographic keys be managed?
Establish a policy and process for key management, and ensure secret keys are protected.
Cryptographic Practices
Where should cryptographic keys be stored?
In a proper secrets vault.
Cryptographic Practices
What feature should applications include regarding cryptographic keys?
Support for key rotation and changing algorithms or keys when needed.
File Management
Should user-supplied data be passed to a dynamic include function?
No. Do not pass user-supplied data directly to a dynamic include, since it lets the attacker choose which file is included and executed (local or remote file inclusion).
File Management
What is required before allowing a file to be uploaded?
Authentication.
File Management
How should file upload types be limited?
Only allow file types needed for business purposes.
File Management
How should uploaded files be validated?
Check the file header (magic bytes) against the claimed type, not just the file extension.
File Management
Where should files not be saved?
In the same web context as the application.
File Management
How can you prevent executable file uploads?
Turn off execution privileges in file upload directories.
File Management
How should file referencing be managed?
Use an allow-list for file names and types.
File Management
What must not be sent to the client regarding files?
Absolute file paths.
File Management
How should user-uploaded files be checked for safety?
Scan files for viruses and malware.
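The File Management cards above (authentication before upload, an allow-list of types, header checks, server-chosen names, no execute bit, no absolute paths returned to the client) can be combined into one upload handler. The code below is an added example, not from the OWASP checklist or these cards; the allowed-type set, the size limit and the temporary directory standing in for the real out-of-web-root storage location are assumptions, and malware scanning is left out.

```python
import os
import secrets
import tempfile

# Allow-list of the file types the business actually needs: extension -> magic-byte prefixes.
# The magic values are the standard signatures; the choice of types is an assumption here.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for this example


class UploadRejected(Exception):
    pass


def detect_type(data):
    """Return the allowed extension whose magic bytes match the content, or None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(authenticated, claimed_name, data):
    """Apply every check from the cards; any single failure rejects the upload."""
    if not authenticated:
        raise UploadRejected("authentication required before upload")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # basename() discards any directory component the client sent ("../../x.png").
    ext = os.path.splitext(os.path.basename(claimed_name))[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not in allow-list")
    if detect_type(data) != ext:
        raise UploadRejected("content (file header) does not match extension")
    return ext


def new_storage_dir():
    # Stand-in for the real upload directory, which lives outside the web root
    # and is configured with execution disabled.
    return tempfile.mkdtemp(prefix="uploads-")


def store_upload(authenticated, claimed_name, data, storage_dir):
    """Validate, write under a server-generated name, return an opaque handle (never a path)."""
    ext = validate_upload(authenticated, claimed_name, data)
    handle = secrets.token_hex(16)  # nothing from the client reaches the filesystem name
    path = os.path.join(storage_dir, handle + ext)
    # O_EXCL prevents overwriting an existing file; mode 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return handle


def stored_names(storage_dir):
    """Names actually written to disk, for checking that client input never reaches them."""
    return sorted(os.listdir(storage_dir))
```

The client only ever learns the 32-character handle; a download endpoint maps that handle back to the stored file, so neither the absolute path nor the directory layout is exposed.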
Security Frameworks and Libraries
What should be ensured for servers, frameworks, and system components?
They should run the latest approved versions and patches.
Security Frameworks and Libraries
Where should libraries and frameworks be sourced from?
Trusted sources that are actively maintained and widely used.
Security Frameworks and Libraries
What must be done for secondary applications and third-party libraries?
Review them for business necessity and validate safe functionality.
Security Frameworks and Libraries
How can you track third-party libraries?
Create and maintain an inventory catalog using Software Composition Analysis (SCA).
Security Frameworks and Libraries
How can you reduce the attack surface when using libraries?
Encapsulate the library and expose only the required behavior into your software.
Security Frameworks and Libraries
When possible, what type of code should be used for common tasks?
Tested and approved managed code rather than new unmanaged code.
Security Frameworks and Libraries
How can you ensure the integrity of code and configuration files?
Use checksums or hashes to verify their integrity.
Security Frameworks and Libraries
What should updates be implemented with?
Safe updates using encrypted channels.
Secure Queries
How can SQL injection be prevented?
By using query parameterization to prevent untrusted input from being interpreted as part of a SQL command.
Secure Queries
What input handling measures should be applied?
Apply input validation and output encoding, and make sure SQL meta-characters (quotes, comment markers, statement separators) are handled rather than passed through.
Secure Queries
Where should connection strings not be stored?
They should not be hard-coded within the application.
Secure Queries
How and where should connection strings be stored?
In a separate configuration file on a trusted system, and they should be encrypted.
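The two Secure Queries cards on parameterization and input handling, shown as working code. This is an added example using Python's built-in sqlite3 module, not code from the OWASP checklist; the table, the sample rows and the allow-list pattern for user names are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database with two sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input is spliced into the statement text, so the database parses it as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    # The statement shape is fixed at compile time; the value is bound separately and is
    # never interpreted as SQL, whatever quotes or keywords it contains.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def find_user_validated(conn, name):
    # Defence in depth: an allow-list on the input's syntax before the parameterized query.
    # Meta-characters such as ' -- ; never reach the database at all.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", name):
        raise ValueError("rejected: user name fails allow-list")
    return find_user_parameterized(conn, name)
```

With the classic payload `' OR '1'='1` the vulnerable query returns every row, the parameterized one returns nothing (no user has that literal name), and the validated one rejects the input before any query runs.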
Secure Configuration
What privilege level should applications use when accessing a database?
The lowest possible level of privilege.
Secure Configuration
How should access to base tables in the database be handled?
Use stored procedures to abstract data access and allow permissions to be removed from the base tables.
Secure Configuration
When should database connections be closed?
As soon as possible.
Secure Configuration
What default vendor content should be removed?
Any unnecessary default content, such as sample schemas.
Secure Configuration
What should be done with unused default accounts?
They should be disabled if not required for business purposes.
Secure Authentication
What must be done with default database administrative passwords?
They should be removed or changed.
Secure Authentication
How should application connections to the database be structured?
Different credentials should be used for every trust distinction (e.g., user, read-only user, guest, administrators).
Secure Authentication
What kind of credentials should be used for database access?
Strong, unique credentials that are not defaults and are not shared across applications or environments.
Character Encoding and Canonicalization
When should output encoding be applied?
Just before the content is passed to the target system.
Character Encoding and Canonicalization
Where should all output encoding be conducted?
On a trusted system.
Character Encoding and Canonicalization
What should be specified for all outputs?
Character sets, such as UTF-8.
Character Encoding and Canonicalization
How should Unicode data be handled?
Apply canonicalization to convert Unicode data into a standard form.
Character Encoding and Canonicalization
How should output used for OS commands be treated?
It must be sanitized.
Contextual Output Encoding
How is contextual output encoding determined?
Based on how data will be utilized by the target system, e.g., HTML entity encoding.
Contextual Output Encoding
What data must be contextually encoded?
All data returned to the client from untrusted sources and output of untrusted data to SQL, XML, and LDAP queries.
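The Character Encoding and Contextual Output Encoding cards, as one added example (not from the OWASP checklist): the same untrusted value is encoded differently for an HTML text node, a URL query parameter and a JavaScript string literal, and the encoding happens in the render function, just before the content is emitted. The page template and field names are assumptions.

```python
import html
import json
import urllib.parse


def encode_html_body(value):
    # HTML entity encoding for text nodes and attribute values: & < > " ' become entities.
    return html.escape(value, quote=True)


def encode_url_param(value):
    # Percent-encode everything except unreserved characters before placing data in a query string.
    return urllib.parse.quote(value, safe="")


def encode_js_string(value):
    # For data embedded in a <script> block: JSON-encode, then escape the characters that could
    # close the script element or break the literal (< > & and the JS line terminators).
    s = json.dumps(value)
    return (s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
             .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_profile(display_name, homepage):
    """Each value is encoded for the exact context it lands in, at the point of output."""
    return (
        f"<p>Hello, {encode_html_body(display_name)}</p>\n"
        f'<a href="/go?u={encode_url_param(homepage)}">site</a>\n'
        f"<script>var user = {encode_js_string(display_name)};</script>"
    )
```

Note that the HTML encoder alone would not be safe inside the script block (entities are not decoded there), and the JavaScript encoder alone would not be safe in the text node; the context decides the encoder.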
Syntax and Semantic Validity
What should be done with all data sources?
Identify and classify them into trusted and untrusted.
Syntax and Semantic Validity
When should input be encoded?
Before validating it: decode (canonicalize) the input to one common character set, such as UTF-8, so that every check runs on the same representation.
Syntax and Semantic Validity
What should be verified in protocol header values?
Ensure they contain only ASCII characters, with no CR/LF or other control characters, which would allow header injection.
Syntax and Semantic Validity
How should data validation handle failures?
All validation failures should result in input rejection.
Syntax and Semantic Validity
How can obfuscation attacks be addressed?
Utilize canonicalization.
Libraries and Frameworks
Where should all input validation occur?
On a trusted system.
Libraries and Frameworks
How should input validation be implemented?
Use a centralized input validation library or framework.
Libraries and Frameworks
What approach should be used for expected data types?
Validate using an allow-list rather than a deny-list.
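The Syntax and Semantic Validity and Libraries and Frameworks cards describe one pipeline: canonicalize, validate against an allow-list from a central library, check protocol headers for ASCII, and reject the whole request on any failure. The following is an added example of that pipeline, not code from the OWASP checklist; the field names, patterns and sample request are assumptions.

```python
import re
import unicodedata


class ValidationError(ValueError):
    pass


# Central allow-list of field types. Anything not registered here is rejected, not passed through.
FIELD_PATTERNS = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "order_id": re.compile(r"[0-9]{1,12}"),
    "iso_date": re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"),
}


def canonicalize(value):
    """Decode to one common form (UTF-8 text, NFKC) before any check runs."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")  # invalid UTF-8 raises and is rejected by the caller
    # NFKC folds compatibility look-alikes (e.g. fullwidth letters) into their canonical characters,
    # so an obfuscated value is validated and used in the same form.
    return unicodedata.normalize("NFKC", value)


def validate_field(kind, raw):
    try:
        value = canonicalize(raw)
    except UnicodeDecodeError:
        raise ValidationError(f"{kind}: not valid UTF-8")
    pattern = FIELD_PATTERNS.get(kind)
    if pattern is None:
        raise ValidationError(f"{kind}: no validator registered (rejecting)")
    if not pattern.fullmatch(value):
        raise ValidationError(f"{kind}: failed allow-list")
    return value


def validate_header(name, value):
    """Protocol header values: printable ASCII only, no CR/LF (blocks header injection)."""
    if not name.isascii() or not value.isascii():
        raise ValidationError(f"header {name}: non-ASCII")
    if not value.isprintable():  # CR, LF, NUL and other controls are not printable
        raise ValidationError(f"header {name}: control characters")
    return value


def validate_request(fields, headers):
    """All-or-nothing: one failing field or header rejects the request."""
    clean_fields = {k: validate_field(k, v) for k, v in fields.items()}
    clean_headers = {n: validate_header(n, v) for n, v in headers.items()}
    return clean_fields, clean_headers
```

Every handler calls validate_request rather than writing its own checks, which is what makes the allow-list central and auditable.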
Validate Serialized Data
How can serialized objects be protected?
Implement integrity checks or encryption.
Validate Serialized Data
Where should deserialization features run?
In very low-privilege environments, such as temporary containers.
Validate Serialized Data
How should security failures in deserialization be handled?
Log all exceptions and failures.
Validate Serialized Data
What should be monitored to ensure safety?
Incoming and outgoing network connectivity from deserialization systems.
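The Validate Serialized Data cards on integrity checks and on logging every failure, as an added example (not from the OWASP checklist): serialized state is carried as JSON with an HMAC-SHA256 tag, verified in constant time before the bytes are parsed, and every rejection is written to an audit log. The signing key is a constructed placeholder; a real deployment loads it from the secrets vault.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; load from the secrets vault in production.
SIGNING_KEY = b"example-signing-key-not-for-production"


class IntegrityError(Exception):
    pass


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def _log(audit_log, msg):
    if audit_log is not None:
        audit_log.append(msg)


def serialize(obj, key=SIGNING_KEY):
    """Data-only encoding (JSON) plus an HMAC-SHA256 tag over the exact bytes that will be decoded."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def deserialize(token, key=SIGNING_KEY, audit_log=None):
    """Verify first, parse second; any failure is logged and rejected, never partially accepted."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # covers unpacking errors and binascii.Error (a ValueError subclass)
        _log(audit_log, "deserialization rejected: malformed token")
        raise IntegrityError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        _log(audit_log, "deserialization rejected: signature mismatch")
        raise IntegrityError("signature mismatch")
    # Only now are the bytes parsed, and only as plain data. Contrast pickle.loads(untrusted),
    # which reconstructs arbitrary objects and can execute code while doing so.
    return json.loads(payload)
```

Because the tag covers the payload bytes, editing a field (say, a role claim) invalidates the token even though the attacker can read the JSON; confidentiality, if needed, is a separate layer on top.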
Authentication
How should access control authentication be designed?
Thoroughly up-front.
Authentication
What should all requests go through unless public?
Access control checks.
Authentication
What method should be used for high-value transactional accounts?
Multi-Factor Authentication (MFA).
Passwords
How should authentication controls be handled?
They must be enforced on a trusted system and fail securely.
Passwords
How should credentials be stored?
Use a cryptographically strong one-way salted hash and store them securely.
Passwords
How should password reset operations be handled?
They require the same controls as account creation and authentication.
Passwords
How should non-temporary passwords be transmitted?
Over an encrypted connection or as encrypted data.
Passwords
What should happen after an established number of invalid login attempts?
Enforce account disabling.
Passwords
How should temporary passwords and links be managed?
They must have a short expiration time and require a change on next use.
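The Passwords cards (salted one-way hashing, fail-secure checks, lockout after repeated failures, short-lived temporary passwords that must be changed) as one added example using only the Python standard library; this is not code from the OWASP checklist. The iteration count is the figure the OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256; the lockout threshold, the temporary-password lifetime and the in-memory account object are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
TEMP_PASSWORD_TTL = 15 * 60   # assumed lifetime of a temporary password, in seconds


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted one-way hash; a fresh 128-bit salt from the OS CSPRNG per password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


class Account:
    def __init__(self, username, password, now=time.time):
        self.username = username
        self.now = now                 # injectable clock so expiry can be tested
        self.stored = hash_password(password)
        self.failed = 0
        self.disabled = False
        self.must_change = False
        self.temp_expires = None

    def login(self, password):
        # Fail securely: a disabled account or an expired temporary password never authenticates.
        if self.disabled:
            return False
        if self.temp_expires is not None and self.now() > self.temp_expires:
            return False
        if check_password(password, self.stored):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.disabled = True
        return False

    def issue_temporary_password(self):
        """Reset path: random temporary password, short lifetime, change forced on next use."""
        temp = secrets.token_urlsafe(12)
        self.stored = hash_password(temp)
        self.temp_expires = self.now() + TEMP_PASSWORD_TTL
        self.must_change = True
        self.failed = 0
        return temp  # deliver to the user only over an encrypted channel

    def change_password(self, old, new):
        if not self.login(old):
            return False
        self.stored = hash_password(new)
        self.temp_expires = None
        self.must_change = False
        return True
```

The stored string carries the algorithm and iteration count, so the work factor can be raised later and old hashes upgraded on the user's next successful login.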
Cryptographic-Based Authentication
What should be used for session management?
Use the server or framework’s session management controls.
Cryptographic-Based Authentication
Where must session identifier creation occur?
On a trusted system.
Cryptographic-Based Authentication
What kind of algorithms should session management controls use?
Well-vetted algorithms ensuring sufficiently random session identifiers.
Cryptographic-Based Authentication
What should be set for cookies with authenticated session identifiers?
Set the domain and path to appropriately restricted values.
Cryptographic-Based Authentication
What must logout functionality do?
Fully terminate the associated session or connection and be available on all authorized pages.
Cryptographic-Based Authentication
What should be established for session inactivity?
A timeout that balances risk and business functional requirements.
Cryptographic-Based Authentication
What must happen if a session was created before login?
Close it and establish a new session after successful login.
Cryptographic-Based Authentication
What is required on any re-authentication?
Generate a new session identifier.
Cryptographic-Based Authentication
Should concurrent logins with the same user ID be allowed?
No, they must not be allowed.
Cryptographic-Based Authentication
How should session identifiers be protected?
They must not be exposed in URLs, error messages, or logs.
Cryptographic-Based Authentication
What attributes should cookies with session identifiers have?
Set the secure attribute for TLS connections and the HttpOnly attribute unless required by client-side scripts.
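The session management cards above (random identifiers from a vetted source, a new identifier after login and on re-authentication, no concurrent sessions per user, inactivity timeout, full termination on logout, identifiers kept out of logs, restricted cookie attributes) as one added in-memory example. This is not code from the OWASP checklist or from any framework; in practice the server or framework's own session controls are used, and the timeout, cookie path and store layout here are assumptions.

```python
import hashlib
import secrets
import time

INACTIVITY_TIMEOUT = 15 * 60  # assumed; balance risk against the business's session length needs


def cookie_header(session_id, path="/app", domain=None):
    """Restricted Path/Domain, Secure (TLS only), HttpOnly (no script access), SameSite."""
    parts = [f"sid={session_id}", f"Path={path}", "Secure", "HttpOnly", "SameSite=Lax"]
    if domain:
        parts.append(f"Domain={domain}")
    return "Set-Cookie: " + "; ".join(parts)


def log_ref(session_id):
    # Never write the identifier itself to logs; a truncated hash still correlates events.
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock for testing the timeout
        self.sessions = {}        # id -> {"user": str or None, "last": float}
        self.by_user = {}         # user -> id: one concurrent session per user
        self.log = []

    def new_id(self):
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter or timestamp

    def create(self):
        sid = self.new_id()
        self.sessions[sid] = {"user": None, "last": self.now()}
        return sid

    def get(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last"] > INACTIVITY_TIMEOUT:
            self.destroy(sid)
            self.log.append(f"expired {log_ref(sid)}")
            return None
        s["last"] = self.now()
        return s

    def login(self, old_sid, user):
        """Close the pre-login session and issue a fresh identifier (defeats session fixation)."""
        self.destroy(old_sid)
        prev = self.by_user.pop(user, None)
        if prev:
            self.destroy(prev)  # no concurrent logins with the same user ID
            self.log.append(f"displaced {log_ref(prev)}")
        sid = self.new_id()
        self.sessions[sid] = {"user": user, "last": self.now()}
        self.by_user[user] = sid
        self.log.append(f"login {user} {log_ref(sid)}")
        return sid

    def reauthenticate(self, sid):
        """Any re-authentication gets a new identifier; the old one stops working."""
        s = self.get(sid)
        if s is None or s["user"] is None:
            return None
        return self.login(sid, s["user"])

    def destroy(self, sid):
        s = self.sessions.pop(sid, None)
        if s and s["user"] and self.by_user.get(s["user"]) == sid:
            del self.by_user[s["user"]]

    def logout(self, sid):
        self.destroy(sid)  # server-side state is gone, not just the cookie
        self.log.append(f"logout {log_ref(sid)}")
```

The log lines contain only the hashed reference, so a leaked log file does not hand out live sessions.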
Authorization
How should access control and authorization be designed?
Thoroughly up-front.
Authorization
What should happen to all requests unless public?
They must go through access control checks.
Authorization
What is the default stance for access control?
Deny by default if a request is not explicitly allowed.
Authorization
What principle should be applied when granting access?
Least privilege, providing only the necessary access.
Authorization
What events should be logged?
All authorization events.
Access Control
How should authorization controls be applied?
They must be enforced on every request.
Access Control
What objects should be used to make access authorization decisions?
Only trusted system objects.
Access Control
How can access authorization be centralized?
Use a single site-wide component for checking access.
Access Control
What should happen if the application cannot access its security configuration?
Deny all access.
Access Control
How can transaction limits protect against automated attacks?
Limit the number of transactions a single user or device can perform in a given period of time.
Access Control
What must be periodically re-validated in long authenticated sessions?
A user’s authorization.
Access Control
What should be supported for terminated accounts or sessions?
Termination of sessions when authorization ceases.
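The Authorization and Access Control cards describe a single site-wide gate: every request passes through it, the answer is deny unless a rule explicitly allows, roles are re-read from the trusted user store on each request (so a revoked authorization takes effect mid-session), an unreadable policy denies everything, transactions per user are capped within a time window, and every decision is logged. The following is an added example of that gate, not code from the OWASP checklist; the policy shape, the sample roles and the limits are assumptions.

```python
import time
from collections import deque


class AccessGate:
    """The one component every request is checked by."""

    def __init__(self, policy, user_roles, now=time.time, limited_actions=("transfer",),
                 tx_limit=5, tx_window=60):
        # policy: {(role, action, resource_type): True}, loaded from trusted configuration,
        #         or None if that configuration could not be read.
        # user_roles: callable(user) -> set of roles from the trusted user store, never from the client.
        self.policy = policy
        self.user_roles = user_roles
        self.now = now
        self.limited_actions = set(limited_actions)
        self.tx_limit = tx_limit
        self.tx_window = tx_window
        self.tx_history = {}       # user -> timestamps of recent limited actions
        self.log = []

    def _decide(self, user, action, resource_type):
        if self.policy is None:
            return False, "policy unavailable: fail closed"
        roles = self.user_roles(user)  # re-read every request; revocations apply immediately
        if not roles:
            return False, "unknown user or no roles"
        for role in sorted(roles):
            if self.policy.get((role, action, resource_type)):
                return True, f"allowed by role {role}"
        return False, "no matching rule (default deny)"

    def _within_limit(self, user):
        """Sliding-window cap on how many limited actions one user may perform."""
        q = self.tx_history.setdefault(user, deque())
        cutoff = self.now() - self.tx_window
        while q and q[0] < cutoff:
            q.popleft()
        if len(q) >= self.tx_limit:
            return False
        q.append(self.now())
        return True

    def check(self, user, action, resource_type):
        allowed, reason = self._decide(user, action, resource_type)
        if allowed and action in self.limited_actions and not self._within_limit(user):
            allowed, reason = False, "transaction limit exceeded"
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{verdict} user={user} action={action} resource={resource_type} ({reason})")
        return allowed
```

Handlers call check() and nothing else; there is no second place where a forgotten condition could silently allow a request.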