Appendix E: A Tester s Security Checklist

Appendix E

A Tester's Security Checklist

The following checklist, available as a softcopy in the Security Templates folder in the book's companion content, is a minimum set of items a tester should ask herself as she is testing the product. Consider this document to be completed as a sign-off requirement for the application design phase.

Check

Category

Chapter

List of attack points derived from threat model decomposition process

4

Comprehensive data mutation tests in place

19

Comprehensive SQL and XSS tests in place

12, 19

Application tested with SafeDllSearchMode registry setting set to 2 on Windows XP or tested on the default install of Microsoft Windows .NET Server 2003

11

Competitor's vulnerabilities analyzed to determine whether the issues exist in this product

3

Past vulnerabilities in previous versions of product analyzed for root cause

3

If the application is not an administrative tool, test that it runs correctly when user has no administrative rights

7

If the application is an administrative tool, test that it fails gracefully and early if the user is not an admin

7

Application attack surface is as small as possible

3

Default install is as secure as possible

3

Tested all Safe-for-scripting ActiveX controls methods, properties, and events to verify that all such interfaces are indeed safe to call from script

16

Sample code tested for security issues

23



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2001
Pages: 286

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net