- Is input data validated to ensure that it contains only valid characters?
- Is input data validated to ensure that it is within appropriate ranges?
- Is validation performed by comparing with "known-good" (as opposed to "known-bad") characters or sequences?
- Is data encoded using HTMLEncode (or similar function) when forwarding to display in the browser?
- Is data provided as parameters to a parameterized SQL query (as opposed to concatenation into the query)?
- Are steps taken to avoid SQL injection, Cross Site Scripting or other injection attacks (where appropriate)?
- When supplying code and data as output, is it unambiguously clear where code and data are separated?
- Do error messages distinguish correctly between information sent to internal and external users?
- Are comments and private information removed from transmissions to the user?
- Are internal IP addresses masked from external users?
- Are debug pages, and unused pages removed from the deployed web site?
- Is debug and tracing code disabled, with no ability for unauthorized parties to use it or enable it?
- Are security measures such as input validation implemented on the server-side?
- Are all security measures implemented on the client-side backed by equivalent or greater measures on the server-side?
- Has the application (or changed components) been tested with custom clients that ignore client side restrictions?
Poor Use of Cryptography
- Have cryptography choices (key sizes, algorithms, etc.) been reviewed and approved by Policymakers?
- Are cryptographic elements configurable to change key sizes, choice of algorithms, etc.?
- Is the cryptography implementation a widely-available library (as opposed to a custom solution, or developed in-house)?
- Is provision made for regular key rotation? Emergency key changes?
Thinking Only About Features
- Has the application been tested by trying to feed it invalid input?
- Have there been any tests attempting to use SQL Injection, Cross-Site Scripting, etc.?
- Has the application been written to reject incorrect or malicious data?
- Does the application alert its operators about potential malicious behavior on the part of its users?
- Does the application alert its operators about (mis-)configurations that reduce its security level?
- Has the application been reviewed to ensure that unauthenticated and unauthorized users are not given more access than is appropriate?
- Is the code flexible enough to cope with resource requests completing earlier / later than anticipated?
- Are checks on authorization guaranteed to occur before access is granted or resources are fetched?
- Is the application able to handle rapidly repeated requests and distinguish correctly between them?
- Does the application ensure that connection state is kept out of global / shared variables or memory space?
- Are locks, mutexes, semaphores, etc. correctly used to ensure that shared resources are not shared across execution or security contexts?
- Has the review team considered changes that will occur if the compiler / optimizer change the order of execution of statements (within its limits)?
Failing Open, Ignoring Failure
- Are all return values checked?
- Where exceptions are expected, are they all caught?
- Is checking of correct input done by “deny by default” (e.g. a “white-list” of correct characters / sequences)?
- Are functions communicating failures up through their call stack?
- Is the code written to assume that requests are invalid until they prove themselves to be valid?
Failing to Recognize or Enforce Bounds
- Are all arithmetic operations guaranteed to not overflow or underflow?
- Are buffer overflows actively prevented, either by choice of development environment, language or code checks?
- Are classes and libraries used that prevent overflow or underflow (as opposed to classes that do not)?
- Are library functions prown to buffer overrun, removed and replaced with?
- Does the test plan execute edge cases on boundary checks?
- Have you checked the entrance and exit criteria for all loops in the code to ensure that they are correct, and correctly handled?
Not Managing Resources from Creation to Destruction
- Does each resource have a complete “story” that allows for a single creation and a single destruction, with managed ‘ownership’ in the middle?
- Does the test plan monitor resource usage to detect inappropriate growth in memory usage, open file handles, etc.?
- Do object constructors initialize all member variables (if only to a null value)?
- Do object constructors avoid using operations that can cause failure?
- Are circular references correctly avoided?
Hard-Coded Password/Assuming the Source Code Is Selected
- Are all passwords, keys and other secret material removed from source code to configuration files?
- Has the executable code been scanned for the clear-text presence of strings that should not be there?
- Does the code use a standard, EIS-approved, technique for storing keys in configuration files?
- If the source code was given, as a whole, to an attacker, would they still be unable to attack the running program?
- Is the code clear to read and understand, even without looking at the comments?
- Do the comments correctly describe the behavior of the source code?
- Do the comments completely describe the behavior of the source code?
- Are any hidden / surprising / clever behaviors of the source code explained in comments?
- Are the comments up to date?
- Have all unexecuted portions of code been removed?
- Are function and variable names clear and meaningful?
Static Code Analysis
- Has the code been analyzed with static code analysis tools that are configured to find security flaws?
- Have all new reports of possible security flaws been remediated correctly?