Components Security Templates SecurityReview - DevClusterAI/DOD-definition GitHub Wiki
# Security Review Template

## Project Information

- **Project Name:** [Project Name]
- **Review Date:** [YYYY-MM-DD]
- **Reviewer(s):** [Name(s)/Role(s)]
- **System/Application Owner:** [Name/Role]
- **Development Team Lead:** [Name/Role]
## Executive Summary

[Provide a brief summary of the security review, including high-level findings and the overall risk assessment]
## Scope

### Components Reviewed

- [List specific components, modules, or features]
- [List APIs or interfaces]
- [List integrations with other systems]

### Out of Scope

- [List components explicitly excluded from this review]
- [Indicate any deferred review areas]
## Review Methodology

[Describe the approach used for the security review, including the tools, techniques, and standards applied]
## Security Assessment

### Authentication

| Control | Status | Finding | Risk Level | Recommendation |
|---------|--------|---------|------------|----------------|
| Authentication mechanisms | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Multi-factor authentication | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Password policies | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Account lockout | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Session management | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Token-based authentication | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
### Authorization

| Control | Status | Finding | Risk Level | Recommendation |
|---------|--------|---------|------------|----------------|
| Role-based access control | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Principle of least privilege | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Authorization checks | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| API endpoint permissions | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Authorization bypass tests | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Administrative function restrictions | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
### Data Protection

| Control | Status | Finding | Risk Level | Recommendation |
|---------|--------|---------|------------|----------------|
| Data encryption at rest | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Data encryption in transit | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| PII protection | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Data anonymization/pseudonymization | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Data retention | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Key management | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
### Audit Logging

| Control | Status | Finding | Risk Level | Recommendation |
|---------|--------|---------|------------|----------------|
| Security events logging | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Authentication logging | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Authorization failure logging | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Administrative action logging | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Log tampering prevention | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Log storage and retention | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
### Vulnerability Assessment

| Vulnerability Category | Status | Finding | Risk Level | Recommendation |
|------------------------|--------|---------|------------|----------------|
| OWASP Top 10 | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| Dependency vulnerabilities | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| SAST results | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| DAST results | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
### Additional Security Controls

| Control | Status | Finding | Risk Level | Recommendation |
|---------|--------|---------|------------|----------------|
| [Additional control 1] | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| [Additional control 2] | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
| [Additional control 3] | [✓/✗] | [Description] | [Critical/High/Medium/Low] | [Recommendation] |
## Risk Assessment Summary

### Critical Findings

- [Critical finding 1]
- [Critical finding 2]
- [...]

### High Findings

- [High finding 1]
- [High finding 2]
- [...]

### Medium Findings

- [Medium finding 1]
- [Medium finding 2]
- [...]

### Low Findings

- [Low finding 1]
- [Low finding 2]
- [...]
## Remediation Plan

| Finding | Risk Level | Recommended Action | Owner | Target Date | Status |
|---------|------------|--------------------|-------|-------------|--------|
| [Finding 1] | [Level] | [Action] | [Name/Role] | [YYYY-MM-DD] | [Open/In Progress/Resolved] |
| [Finding 2] | [Level] | [Action] | [Name/Role] | [YYYY-MM-DD] | [Open/In Progress/Resolved] |
| [Finding 3] | [Level] | [Action] | [Name/Role] | [YYYY-MM-DD] | [Open/In Progress/Resolved] |
## Accepted Risks

| Risk | Justification | Approved By | Review Date |
|------|---------------|-------------|-------------|
| [Risk 1] | [Justification] | [Name/Role] | [YYYY-MM-DD] |
| [Risk 2] | [Justification] | [Name/Role] | [YYYY-MM-DD] |
## Appendices

### Tools Used

- **SAST:** [Tool name and version]
- **DAST:** [Tool name and version]
- **Dependency Scanning:** [Tool name and version]
- **Penetration Testing:** [Tool name and version]
- **Compliance Checking:** [Tool name and version]

### References

- [Relevant security standards]
- [Internal policies referenced]
- [Other documentation]

## Approval

- **Review Completed By:** [Name, Role]
- **Date:** [YYYY-MM-DD]
- **Approved By:** [Name, Role]
- **Date:** [YYYY-MM-DD]