Appendix C
A Designer's Security Checklist
The following checklist, available in the Security Templates folder in the book's companion content, is a minimum set of items a designer, architect, or team lead should ask herself as she is designing the product. Consider this document to be completed as a sign-off requirement for the application design phase.
| Check | Category | Chapter |
|-------|----------|---------|
| | Education in place for team | 2 |
| | Someone on team signed up to monitor BugTraq and NTBugtraq | 1 |
| | Competitor's vulnerabilities analyzed to determine if the issues exist in this product | 3 |
| | Past vulnerabilities in previous versions of product analyzed for root cause | 3 |
| | Application attack surface is as small as possible | 3 |
| | If creating new user accounts, they are low privilege and have strong passwords | 3, 7 |
| | Safe-for-scripting ActiveX controls thoroughly reviewed | 16 |
| | Sample code reviewed for security issues. You must treat sample code as production code. | 23 |
| | Default install is secure | 3 |
| | Threat models complete for design phase | 2 |
| | Product has layered defenses | 3 |
| | Security failures logged for later analysis | 23 |
| | Privacy implications understood and documented | 22 |
| | Plans in place to migrate appropriate code to managed code | 23 |
| | End-of-life plans in place for features that will eventually be deprecated | 2 |
| | Security response process in place | 2 |
| | Documentation reflects good security practice | 24 |