Security Checklists

Security review checklists for code, infrastructure, and deployment

Security checklists help ensure consistent application of security controls across the development lifecycle. Use these checklists during code reviews, deployments, and security assessments.

Code Security Checklist

Input Validation

  • All user input is validated on the server side
  • Input length limits are enforced
  • Input is validated against expected format (whitelist)
  • Special characters are properly escaped or rejected
  • File uploads are validated (type, size, content)

Output Encoding

  • HTML output is encoded to prevent XSS
  • JSON output is properly escaped
  • SQL queries use parameterized statements (values are bound, not concatenated)
  • Command line arguments are escaped
  • LDAP queries use parameterization

Authentication

  • Passwords are hashed using a strong algorithm (bcrypt, Argon2)
  • Multi-factor authentication available for sensitive operations
  • Session tokens are cryptographically random
  • Session timeout is appropriately configured
  • Account lockout after failed attempts

Authorization

  • Authorization checked on every request
  • Principle of least privilege applied
  • Role-based access control implemented
  • Resource ownership validated
  • Horizontal privilege escalation prevented

OWASP Top 10 Checklist

API Security Checklist

Authentication & Authorization

  • API authentication required (API keys, OAuth, JWT)
  • Tokens expire appropriately
  • Refresh token rotation implemented
  • Rate limiting in place
  • Resource-level authorization enforced

Request/Response Security

  • HTTPS required for all endpoints
  • CORS configured appropriately
  • Content-Type validated
  • Responses don't leak sensitive data
  • Error messages don't expose internals

Input Validation

api_security:
  request_validation:
    - Validate Content-Type header
    - Validate Accept header
    - Validate request size limits
    - Validate JSON/XML schema
    - Reject unexpected fields

  parameter_validation:
    - Validate parameter types
    - Validate parameter ranges
    - Validate parameter formats
    - Sanitize string parameters
    - Validate array sizes
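One way to apply the request and parameter checks listed above, as an added example in plain JavaScript that is not part of the original page: the { headers, body } request shape, the schema format and the body size limit are assumptions of the example.

```javascript
// Added example (not the page's or any project's code): a plain-JavaScript request
// validator for the request_validation and parameter_validation items above. The
// { headers, body } request shape, the schema format and MAX_BODY_BYTES are assumptions.
const MAX_BODY_BYTES = 16 * 1024;
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;
function validateRequest(req, schema) {
  const errors = [];
  const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') errors.push('content-type must be application/json');
  const accept = (req.headers['accept'] || '').toLowerCase();
  if (!/application\/json|\*\/\*/.test(accept)) errors.push('accept must allow application/json');
  // Enforce the size limit before parsing so an oversized body is never parsed.
  if (Buffer.byteLength(req.body || '', 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, errors: [...errors, 'request body exceeds size limit'] };
  }
  let body;
  try { body = JSON.parse(req.body); } catch { return { ok: false, errors: [...errors, 'body is not valid JSON'] }; }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: [...errors, 'body must be a JSON object'] };
  }
  // Own-property check, not `in`: keys such as "__proto__" must not pass via the prototype chain.
  for (const key of Object.keys(body)) if (!hasOwn(schema, key)) errors.push(`unexpected field: ${key}`);
  for (const [name, rule] of Object.entries(schema)) {
    const v = body[name];
    if (v === undefined) { if (rule.required) errors.push(`missing field: ${name}`); continue; }
    if (rule.type === 'array') {
      if (!Array.isArray(v)) errors.push(`${name}: expected array`);
      else if (rule.maxItems !== undefined && v.length > rule.maxItems) errors.push(`${name}: too many items`);
      continue;
    }
    if (typeof v !== rule.type) { errors.push(`${name}: expected ${rule.type}`); continue; }
    if (rule.type === 'number') {
      if (!Number.isFinite(v)) errors.push(`${name}: not a finite number`);
      else if (rule.min !== undefined && v < rule.min) errors.push(`${name}: below minimum ${rule.min}`);
      else if (rule.max !== undefined && v > rule.max) errors.push(`${name}: above maximum ${rule.max}`);
    } else if (rule.type === 'string') {
      if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${name}: too long`);
      if (CONTROL_CHARS.test(v)) errors.push(`${name}: contains control characters`);
      if (rule.pattern && !rule.pattern.test(v)) errors.push(`${name}: bad format`);
    }
  }
  return { ok: errors.length === 0, errors };
}
// Constructed sample schema and request for a stand-alone run.
const SAMPLE_SCHEMA = { name: { type: 'string', required: true, maxLength: 32, pattern: /^[A-Za-z ]+$/ },
  age: { type: 'number', min: 0, max: 150 }, tags: { type: 'array', maxItems: 5 } };
console.log(validateRequest({ headers: { 'content-type': 'text/plain', accept: '*/*' },
  body: '{"name":"x<script>","age":200,"admin":true}' }, SAMPLE_SCHEMA).errors);
```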

Infrastructure Security Checklist

Network Security

  • Network segmentation implemented
  • Firewalls configured with deny-by-default
  • Ingress/egress filtering in place
  • VPN required for administrative access
  • DDoS protection enabled

Server Hardening

  • Operating system patched and updated
  • Unnecessary services disabled
  • Default accounts disabled/removed
  • Strong authentication for admin access
  • Host-based firewall enabled

Cloud Security

Area      Checklist Items
--------  -----------------------------------------
IAM       Least privilege, MFA, no root usage
Storage   Encryption, access controls, versioning
Compute   Hardened images, patched, monitored
Network   VPC, security groups, NACLs
Logging   CloudTrail, access logs, retention

Deployment Security Checklist

Pre-Deployment

  • Security scan completed (SAST, SCA)
  • No critical/high vulnerabilities
  • Secrets not in code repository
  • Dependencies up to date
  • Security tests passing

Deployment Process

  • Deployment from trusted CI/CD pipeline
  • Artifacts signed and verified
  • Configuration managed securely
  • Secrets injected at runtime
  • Audit trail of deployment

Post-Deployment

  • Security monitoring active
  • Logging configured
  • Alerting enabled
  • Vulnerability scanning scheduled
  • Penetration testing scheduled

Security Headers Checklist

HTTP Security Headers:

□ Strict-Transport-Security: max-age=31536000; includeSubDomains
□ Content-Security-Policy: default-src 'self'
□ X-Content-Type-Options: nosniff
□ X-Frame-Options: DENY
□ X-XSS-Protection: 1; mode=block
□ Referrer-Policy: strict-origin-when-cross-origin
□ Permissions-Policy: geolocation=(), microphone=()

Implementation Example

// Express.js security headers
import express from 'express';
import helmet from 'helmet';

const app = express();

// helmet() sets the headers from the checklist above with its defaults;
// the options below override the CSP directives and HSTS settings.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
  hsts: {
    maxAge: 31536000, // one year, in seconds
    includeSubDomains: true,
  },
}));
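A check for the header checklist above, as an added example that is neither the page's nor Helmet's code: it audits a response's headers and reports which items are missing or too weak, assuming an object keyed by lower-case header name such as Node's res.getHeaders() returns.

```javascript
// Added example (not the page's or Helmet's code): audits a response's headers against
// the HTTP Security Headers checklist above. `headers` is assumed to be an object keyed
// by lower-case header name, as Node's res.getHeaders() returns.
const ONE_YEAR = 31536000;
const SAFE_REFERRER = new Set(['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']);
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';').map((p) => p.trim().toLowerCase())) {
    if (part.startsWith('max-age=')) out.maxAge = Number(part.slice(8));
    if (part === 'includesubdomains') out.includeSubDomains = true;
  }
  return out;
}

function parseCsp(value) {
  const directives = {};
  for (const d of value.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

function auditSecurityHeaders(headers) {
  const findings = [];
  const get = (name) => (headers[name] === undefined ? '' : String(headers[name]));
  const hsts = parseHsts(get('strict-transport-security'));
  if (!(hsts.maxAge >= ONE_YEAR)) findings.push('HSTS missing or max-age below one year');
  if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  const csp = parseCsp(get('content-security-policy'));
  if (!csp['default-src']) findings.push('CSP missing or has no default-src');
  else if (csp['default-src'].includes('*')) findings.push('CSP default-src allows any origin');
  if ((csp['script-src'] || csp['default-src'] || []).includes("'unsafe-inline'")) findings.push('CSP allows inline scripts');
  if (get('x-content-type-options').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  const xfo = get('x-frame-options').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options is not DENY or SAMEORIGIN');
  if (!SAFE_REFERRER.has(get('referrer-policy').toLowerCase())) findings.push('Referrer-Policy missing or too permissive');
  if (!get('permissions-policy')) findings.push('missing Permissions-Policy');
  // X-XSS-Protection is not audited: current browsers have removed the XSS auditor it controlled, so CSP is the effective control.
  return findings;
}

// Constructed sample: a weak header set, as a server might send before applying the checklist.
const SAMPLE_WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src *; script-src 'self' 'unsafe-inline'",
  'x-frame-options': 'ALLOWALL',
};
console.log(auditSecurityHeaders(SAMPLE_WEAK_HEADERS));
```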

Secrets Management Checklist

Storage

  • Secrets stored in vault (HashiCorp Vault, AWS Secrets Manager)
  • Secrets never in source code
  • Secrets never in logs
  • Secrets encrypted at rest
  • Access to secrets audited

Rotation

  • Rotation schedule defined
  • Automated rotation where possible
  • Rotation tested in non-production
  • Emergency rotation procedure documented

Detection

  • Pre-commit hooks for secret detection
  • CI/CD secret scanning
  • Repository scanning for historical secrets
  • Alerting on secret exposure

Incident Response Checklist

Preparation

  • Incident response plan documented
  • Contact list maintained
  • Communication templates ready
  • Forensic tools available
  • Backup restoration tested

During Incident

□ Identify and confirm the incident
□ Activate incident response team
□ Contain the incident
□ Preserve evidence
□ Communicate to stakeholders
□ Eradicate the threat
□ Recover systems
□ Document all actions

Post-Incident

  • Conduct post-mortem
  • Update security controls
  • Update detection rules
  • Train team on lessons learned
  • Update incident response plan


Compliance

This section fulfills ISO 13485 requirements for control of records (4.2.4) and monitoring and measurement (8.2.4), and ISO 27001 requirements for secure development (A.8.25), vulnerability management (A.8.8), and incident management (A.5.24).
