Design review some key points - rinku191/AppSec_Topics_for_Interview GitHub Wiki

  1. Sensitive data not encrypted in transit and at rest
  2. Sensitive data such as SSN, Aadhaar and account numbers should be masked when displayed (e.g. show only the last four digits)
  3. Strong, standard encryption algorithms and modes should be used; avoid deprecated or home-grown ones
  4. Insecure handling of encryption keys, passwords, tokens and session identifiers (hard-coded, predictable, or stored in plain text)
  5. Sensitive information stored in insecure places, e.g. app data held in a cache that is readable by other applications
  6. Improper exception handling (errors that leak internals to the user or leave the app in an unsafe state)
  7. Logging not configured properly: logs should not contain sensitive information, stack traces or debug output, and development-level logging must not be left enabled in production
  8. Secure protocols such as TLS 1.2 or later, HTTPS, FTPS and SMTP over TLS should be configured by default
  9. A strong hashing algorithm with a salt should be used for hashing
  10. Passwords must be hashed with a per-user salt using a dedicated password hashing function (slow, memory-hard), not a plain fast hash
  11. The DB administrative portal should be accessible only to administrators
  12. Certificates should be neither self-signed nor expired
  13. Encryption keys should be rotated
  14. Cookies must be configured with the HttpOnly and Secure flags and scoped via the Domain and Path attributes to the application's own domain and starting path
  15. Policy documents must be tamper-proof while passed from the server to the client app (e.g. signed or integrity-checked)
  16. Policy should be stored in a safe place where a standard user cannot tamper with it
  17. Mitigate single points of failure
  18. Unused ports should not be open or exposed to the outside world
  19. The OS should be updated and patched
  20. Unused processes and services should be stopped on the OS
  21. The firewall should expose only the serving port(s) to the outside world
  22. Antivirus should be installed and kept updated on the system
  23. Unused features should be removed from the app
  24. RBAC should be implemented and users assigned access based on the principle of least privilege
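Points 2 and 7 (masking sensitive identifiers on display, keeping them out of logs) as an added worked example that is not code from the wiki page. The identifier formats are assumptions for the example: SSN as 123-45-6789, Aadhaar as 12 digits optionally grouped in fours, account numbers as 9 to 18 consecutive digits. The same masker serves both uses: a display helper that keeps only the last four digits, and a `logging.Filter` that rewrites records before any handler sees them.

```python
import io
import logging
import re
from typing import List, Tuple

# Constructed patterns for this example (assumptions, not from the page).
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("aadhaar", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")),
    ("account", re.compile(r"\b\d{9,18}\b")),
]


def mask_value(value: str, keep_last: int = 4) -> str:
    """Mask every digit except the last `keep_last`; separators are kept so
    the masked value still reads like the original (XXX-XX-6789)."""
    total_digits = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def redact_text(text: str) -> str:
    """Apply every pattern in order; more specific formats run first so an
    SSN is masked as an SSN rather than as a generic digit run."""
    for _name, pattern in PATTERNS:
        text = pattern.sub(lambda m: mask_value(m.group(0)), text)
    return text


class RedactingFilter(logging.Filter):
    """Attached to a logger, rewrites the fully formatted message so no
    handler (file, syslog, console) ever receives the raw identifier."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()        # already interpolated above
        return True


def capture_log_line(message: str) -> str:
    """Log one line through the filter and return what the handler wrote.
    A private logger is used so the example does not touch the root logger."""
    stream = io.StringIO()
    logger = logging.getLogger("design_review_redaction_example")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    redactor = RedactingFilter()
    logger.addHandler(handler)
    logger.addFilter(redactor)
    try:
        logger.info(message)
    finally:
        logger.removeHandler(handler)
        logger.removeFilter(redactor)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample values.
    print(mask_value("123-45-6789"))
    print(mask_value("1234 5678 9012"))
    print(capture_log_line("payout failed for account 123456789012 (ssn 123-45-6789)"))
```

Redaction at the logger is a safety net, not a substitute for not logging the value in the first place: a new identifier format the patterns do not know about still leaks, so the filter should be paired with code review of what gets logged.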
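Point 14 (cookie flags and scoping) as an added worked example, not code from the wiki page. It uses the standard-library `http.cookies` module to build a correctly scoped session cookie and to audit an arbitrary `Set-Cookie` header value against the four attributes the point names: HttpOnly, Secure, Domain and Path. The application domain and starting path (`example.com`, `/app`) are constructed inputs for the example.

```python
from http.cookies import SimpleCookie
from typing import List


def build_session_cookie(name: str, value: str, app_domain: str, app_path: str) -> str:
    """Return a Set-Cookie header value scoped to the app's own domain and
    starting path, unreadable by script (HttpOnly) and HTTPS-only (Secure)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["domain"] = app_domain
    morsel["path"] = app_path
    return morsel.OutputString()


def audit_set_cookie(header_value: str, app_domain: str, app_path: str) -> List[str]:
    """Check a Set-Cookie header value and return a list of findings.

    An empty list means the cookie meets the review point. A missing Domain
    is not reported: the browser then scopes the cookie to the issuing host
    only, which is tighter than any Domain attribute."""
    findings: List[str] = []
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by script)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        domain = morsel["domain"].lstrip(".")
        if domain and domain != app_domain:
            findings.append(f"{name}: Domain={morsel['domain']} is not the app domain {app_domain}")
        path = morsel["path"] or "/"
        if not path.startswith(app_path):
            findings.append(f"{name}: Path={path} is broader than the app path {app_path}")
    return findings


if __name__ == "__main__":
    good = build_session_cookie("session", "abc123", "example.com", "/app")
    print(good)
    print(audit_set_cookie(good, "example.com", "/app"))
    # Constructed weak header for comparison.
    print(audit_set_cookie("session=abc123; Path=/", "example.com", "/app"))
```

Run against the headers a real deployment actually emits (including those set by frameworks and load balancers, which often default Path to `/`), since the review point is about what reaches the browser, not what the application code intends.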