General

| Check | Category | Chapter |
| --- | --- | --- |
| Code compiled with /GS (if using Visual C++ .NET) | | 5 |
| Debug builds compiled with /RTC1 (if using Visual C++ .NET) | | 5 |
| Check that all untrusted input is verified prior to being used or stored | | 10 |
| All buffer management functions are safe from buffer overruns | | 5 |
| Review Strsafe.h for potential use in your code | | 5 |
| Review the latest update of dangerous or outlawed functions | | Appendix A |
| All DACLs are well formed and good; not NULL and not Everyone (Full Control) | | 6 |
| No hard-coded 14-character password fields (should be at least PWLEN + 1 for the NULL terminator; PWLEN is defined in LMCons.h and is 256) | | 23 |
| No references to any internal resources (server names, user names) in code | | 23 |
| Security support provider calls are not hard-coded to NTLM (use Negotiate) | | 16 |
| Temporary file names are unpredictable | | 23 |
| Calls to CreateProcess[AsUser] do not pass NULL as the first argument if you know the full path name of the .EXE | | 23 |
| Unauthenticated connections cannot consume large resources | | 17 |
| Error messages do not give too much information to an attacker | | 24 |
| Highly privileged processes are scrutinized by more than one person: does the process really require elevated privileges? | | 7 |
| Security-sensitive code is commented appropriately | | 23 |
| No decisions are made based on the name of a file | | 11 |
| Check that file requests are not for devices (e.g., COM1, PRN, etc.) | | 11 |
| No shared or writable PE segments | | 23 |
| No user data written to HKLM in the registry | | 7 |
| No user data written to C:\Program Files | | 7 |
| No resources opened for GENERIC_ALL when lesser permissions will suffice | | 7 |
| Application allows binding to an appropriate IP address, rather than 0 or INADDR_ANY | | 15 |
| Exported APIs document whether sizes are byte counts or word (character) counts | | 5 |
| Impersonation function return values are checked | | 23 |
| For every impersonation, there is a revert | | 7, 23 |
| Service code does not create windows and is not marked interactive | | 23 |
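The "file requests are not for devices" check above is easy to get wrong because Windows resolves reserved device names regardless of the directory or extension (so `C:\upload\prn.txt` still names the printer). The following is an added example written for this page, not code from the book; it implements the check in portable C over a constructed list of the well-known reserved names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), stripping the directory, the extension and trailing spaces the way the Windows name lookup does. The function name `names_reserved_device` and the sample paths are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Well-known reserved DOS device names. Windows maps these to devices
 * regardless of directory or extension, so "prn.txt" is still the printer. */
static const char *const kReservedDevices[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Case-insensitive equality for ASCII names. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
        ++a;
        ++b;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if the final path component names a reserved device, else 0.
 * Accepts both '\\' and '/' separators. Anything longer than the small
 * buffer cannot be one of the reserved names, so it is reported as not
 * reserved (hypothetical helper; not a Windows API). */
int names_reserved_device(const char *path)
{
    const char *base = path;
    char name[16];
    size_t n = 0;
    size_t i;

    /* Skip to the last path component. */
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;

    /* Copy the component up to the first '.' (extension) or ':' (stream);
     * the device lookup ignores everything after that point. */
    for (; base[n] && base[n] != '.' && base[n] != ':'; ++n) {
        if (n >= sizeof name - 1)
            return 0;
        name[n] = base[n];
    }
    /* Trailing spaces are ignored by the Windows name lookup as well. */
    while (n > 0 && name[n - 1] == ' ')
        --n;
    name[n] = '\0';

    for (i = 0; i < sizeof kReservedDevices / sizeof kReservedDevices[0]; ++i)
        if (ieq(name, kReservedDevices[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths, as a user-supplied file name might arrive. */
    const char *samples[] = {
        "report.pdf", "C:\\upload\\prn.txt", "logs/lpt9.pdf", "com10.txt", "aux "
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-22s -> %s\n", samples[i],
               names_reserved_device(samples[i]) ? "REJECT (device)" : "ok");
    return 0;
}
```

Reject the request when the function returns 1 before any file API sees the name; checking the string after `CreateFile` has already opened the device is too late.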
Web and Database-Specific

| Check | Category | Chapter |
| --- | --- | --- |
| No Web page issues output based on unfiltered input | | 13 |
| No string concatenation to build SQL statements | | 12 |
| No connections to SQL Server as sa | | 12 |
| No ISAPI applications running in process with IIS 5 | | 13 |
| Force a codepage in all Web pages | | 13 |
| No use of the eval function with untrusted input in server pages | | 13 |
| No reliance on the REFERER header | | 13 |
| Any client-side access and validity checks are also performed on the server | | 23 |