Introduction:

Every application becomes exposed to attackers as soon as it's reachable from the internet, but luckily there are many ways to protect your application and its security while the app is being developed.

Application security should be an essential part of developing any application in order to prevent your company and its users' sensitive information from getting into the wrong hands. 

Running an application security audit regularly lets you protect your app from potential threats and have a backup ready if anything goes wrong. It's unrealistic to expect to avoid every possible problem, but many known, recurring threats are avoidable when you take the right measures and audit your application regularly.

This is exactly why we at Process Street have created this application security audit checklist. It outlines all of the common tasks and checks needed to tighten up your team's application security and can easily be repeated whenever you might need.

Create a model of the application

Before anything else, you and your development team should focus on creating a model of the application and getting it approved by management and the information security team.

Because this process involves multiple people, you can make things easier for yourself by assigning roles.

When the model is finished, make sure the designated people approve it.


Make sure the application’s authentication system is up-to-date

The next step is making sure your application's authentication system is up to date.

Consider using two-factor authentication, so that users need not only to enter a password but also a code sent to the phone number or email address attached to their account.

This means that if someone tries to break into a user's account, they won't be able to get in even if they guess the password.

Restrict access to application directories and files

Ensure that no one except administrative users has access to the application's directories and files.

Implement session expiration timeout

How long should a session timeout be?

Typical session timeouts range from 2 to 5 minutes for high-risk applications and from 15 to 30 minutes for low-risk applications.

Forbid multiple concurrent sessions

How to prevent multiple concurrent user logins for the same username

There are many ways to do this; a simple approach is:

  1. Set a flag in the database at login time
  2. Check the flag every time the user signs in
  3. Remove the flag at logout time
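The two checklist items above, the idle-session timeout and the single-active-session rule, both need the same session record, so one added example covers both. This is illustrative code written for this page, not Process Street's; it assumes an in-memory dictionary stands in for the database table the three steps mention, and it uses the checklist's own timeout figures (2 minutes for high-risk, 15 minutes for low-risk apps). The clock is injectable so the expiry can be exercised without waiting.

```python
import secrets
import time

# Idle timeouts taken from the checklist figures: 2-5 minutes for high-risk
# applications, 15-30 minutes for low-risk ones. The strict end is used here.
IDLE_TIMEOUT_SECONDS = {"high": 2 * 60, "low": 15 * 60}


class SessionStore:
    """In-memory stand-in for the database table the checklist refers to (assumption)."""

    def __init__(self, risk_level="high", clock=time.time):
        self.timeout = IDLE_TIMEOUT_SECONDS[risk_level]
        self.clock = clock                 # injectable so the timeout can be tested
        self.sessions = {}                 # session_id -> {"user": str, "last_seen": float}
        self.active_session = {}           # username -> session_id: the "flag" set at login

    def login(self, username):
        """Step 1: set the flag at login; refuse a second login while one is live."""
        existing = self.active_session.get(username)
        if existing is not None and self._is_live(existing):
            raise PermissionError(f"{username} already has an active session")
        if existing is not None:           # stale flag from an expired session: clean it up
            self.sessions.pop(existing, None)
        session_id = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self.sessions[session_id] = {"user": username, "last_seen": self.clock()}
        self.active_session[username] = session_id
        return session_id

    def validate(self, session_id):
        """Step 2: check the flag on every request; an idle session past the timeout is dropped."""
        if not self._is_live(session_id):
            self._drop(session_id)
            return None
        self.sessions[session_id]["last_seen"] = self.clock()   # sliding idle window
        return self.sessions[session_id]["user"]

    def logout(self, session_id):
        """Step 3: remove the flag at logout."""
        self._drop(session_id)

    def _is_live(self, session_id):
        entry = self.sessions.get(session_id)
        return entry is not None and self.clock() - entry["last_seen"] < self.timeout

    def _drop(self, session_id):
        entry = self.sessions.pop(session_id, None)
        if entry and self.active_session.get(entry["user"]) == session_id:
            del self.active_session[entry["user"]]


def demo():
    """Exercise the store with a fake clock so the timeout can be observed offline."""
    now = [1_000_000.0]
    store = SessionStore(risk_level="high", clock=lambda: now[0])
    sid = store.login("alice")
    results = {"first_check": store.validate(sid)}
    try:
        store.login("alice")
        results["second_login"] = "allowed"
    except PermissionError:
        results["second_login"] = "refused"
    now[0] += 3 * 60                       # 3 idle minutes exceed the 2-minute limit
    results["after_idle"] = store.validate(sid)
    results["relogin_after_expiry"] = store.login("alice") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

Note that an expired session does not block a fresh login: the stale flag is cleared when it is found, otherwise a user whose browser crashed would be locked out until someone cleaned the table by hand.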

Provide least privilege to application users

What is the Principle of Least Privilege (POLP)?

The idea behind POLP is that every user should have access only to what they absolutely need and nothing more.

For example, if a user account was created to have access to database records, that account doesn't need administrative privileges.

This principle is widely accepted as one of the best practices in information security.
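The following is an added example, not part of the original checklist, of what the principle looks like in code: roles are explicit allow-lists, anything not listed is denied, and a helper picks the role combination with the least surplus for a given job. The role names, action names and account names are constructed for the example; the database-records account from the paragraph above maps to the "db_reader" role.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Roles are explicit allow-lists. Anything not listed is denied (default deny).
# Role and action names are constructed for this example.
ROLE_PERMISSIONS = {
    "db_reader": frozenset({"records:read"}),
    "db_writer": frozenset({"records:read", "records:write"}),
    "admin": frozenset({"records:read", "records:write", "users:manage", "schema:alter"}),
}


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset = field(default_factory=frozenset)


def permissions_for(account):
    """Union of the allow-lists of every role the account holds; unknown roles grant nothing."""
    granted = set()
    for role in account.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def authorize(account, action):
    """Default deny: an action is allowed only if some role explicitly lists it."""
    return action in permissions_for(account)


def excess_privileges(account, needed):
    """Privileges the account holds beyond its job; a non-empty result is a POLP violation."""
    return permissions_for(account) - frozenset(needed)


def least_privileged_roles(needed):
    """Role combination covering `needed` with the smallest surplus; None if none covers it."""
    needed = frozenset(needed)
    best = None
    roles = sorted(ROLE_PERMISSIONS)
    for size in range(1, len(roles) + 1):
        for combo in combinations(roles, size):
            granted = frozenset().union(*(ROLE_PERMISSIONS[r] for r in combo))
            if not needed <= granted:
                continue
            surplus = len(granted - needed)
            if best is None or surplus < best[0]:
                best = (surplus, combo)
    return None if best is None else best[1]


if __name__ == "__main__":
    svc = Account("report-svc", frozenset({"admin"}))
    print("excess for a read-only job:", sorted(excess_privileges(svc, {"records:read"})))
    print("least-privileged roles:", least_privileged_roles({"records:read"}))
```

The `excess_privileges` check is the one to run during the audit: for each service account, list the actions it actually performs and compare against what its roles grant. Anything in the difference is a candidate for removal.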

Implement CAPTCHA and email verification system

CAPTCHA and email verification serve different purposes, but both are equally important.

CAPTCHA makes sure that forms are submitted by actual people, not by scripts.

Email verification makes sure that the email address entered actually exists and is in working order.
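As an added example (not code from the original checklist), here is the token half of an email verification flow: the server signs the address and an issue time with HMAC-SHA256, mails a link carrying the token, and only marks the address verified when the token comes back intact and unexpired. The one-day lifetime, the `https://example.invalid/verify` endpoint and the random in-process key are assumptions; sending the mail itself is outside the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key. Constructed at import here; a real deployment loads it from
# configuration so that tokens survive restarts.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME_SECONDS = 24 * 60 * 60          # assumption: links are valid for one day
VERIFY_URL = "https://example.invalid/verify"   # placeholder endpoint, not a real one


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_verification_token(email, now=None, secret=SERVER_SECRET):
    """Build payload.signature, where the signature is an HMAC-SHA256 over the payload."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"email": email, "iat": issued}, separators=(",", ":")).encode()
    signature = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(signature)}"


def verification_link(email, now=None):
    """The URL that would be mailed to the address; following it proves the mailbox works."""
    return f"{VERIFY_URL}?token={make_verification_token(email, now)}"


def verify_token(token, now=None, secret=SERVER_SECRET):
    """Return the verified email address, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, signature_b64 = token.split(".", 1)
        payload = _b64decode(payload_b64)
        signature = _b64decode(signature_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):     # constant-time comparison
        return None
    data = json.loads(payload)                           # safe: the payload is authenticated
    current = time.time() if now is None else now
    if current - data["iat"] > TOKEN_LIFETIME_SECONDS:
        return None
    return data["email"]


if __name__ == "__main__":
    link = verification_link("user@example.com")
    print(link)
    print(verify_token(link.split("token=", 1)[1]))
```

The signature is checked before the payload is parsed, so a forged or tampered token never reaches `json.loads`, and `hmac.compare_digest` keeps the comparison time independent of how many bytes match.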

Use encryption algorithms that meet data security requirements

Depending on what your organization's data security requirements call for, consider using a data encryption algorithm that meets them.

Some data encryption algorithms include:

Avoid vulnerable API or function calls

APIs are the keys to a company's databases, so it’s very important to restrict and monitor who has access to them.

Run security audit on source codes

Source code analysis tools are designed to look over your source code, or compiled versions of it, to help spot security flaws.

Free Security Audit Tools

  • Bandit - A comprehensive source vulnerability scanner for Python
  • Brakeman - An open source vulnerability scanner specifically designed for Ruby on Rails applications
  • Codesake Dawn - An open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works on non-web applications written in Ruby
  • Deep Dive - Byte code analysis tool for discovering vulnerabilities in Java deployments (Ear, War, Jar)
  • FindBugs - (Legacy - NOT maintained - use SpotBugs instead) - Finds bugs (including a few security flaws) in Java programs
  • FindSecBugs - A security-specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too
  • Flawfinder - Scans C and C++ source
  • GolangCI-Lint - A Go linter aggregator; one of the linters is gosec (Go Security), which is off by default but can easily be enabled
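To show what tools like Bandit actually do under the hood, here is an added example (written for this page, not part of Bandit or of the original checklist) of a miniature source code analyzer: it parses a Python module into an AST and flags two patterns such scanners commonly report, `subprocess` calls with `shell=True` and uses of `eval`/`exec`. The sample module and the rule identifiers are constructed for the example; the real tools ship hundreds of rules and handle far more syntax than this.

```python
import ast

# Constructed sample module: two risky calls and one safe one (assumption, not real code).
SAMPLE_SOURCE = '''\
import subprocess

def run_report(name):
    subprocess.run("report --name " + name, shell=True)   # line 4: shell=True with user input

def load_config(text):
    return eval(text)                                      # line 7: eval on untrusted text

def safe_call(name):
    subprocess.run(["report", "--name", name])             # line 10: argument list, no shell
'''


def _call_name(func):
    """Dotted name of a call target, e.g. 'subprocess.run' or 'eval'; '' if not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class RiskyCallVisitor(ast.NodeVisitor):
    """Walks every Call node and records (line, rule id, message) for the patterns we know."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name in {"eval", "exec"}:
            self.findings.append((node.lineno, "X-EVAL", f"use of {name}() on possibly untrusted input"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "X-SHELL", "subprocess call with shell=True"))
        self.generic_visit(node)        # keep walking: calls can be nested in arguments


def scan_source(source, filename="<sample>"):
    """Parse `source` and return its findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    visitor = RiskyCallVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings)


def format_report(findings, filename="<sample>"):
    return "\n".join(f"{filename}:{line}: {rule}: {msg}" for line, rule, msg in findings)


if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_SOURCE)))
```

The safe call on line 10 passes an argument list and no `shell=True`, so it produces no finding; that difference is exactly what an analyzer keys on, since with an argument list the operating system never interprets `name` as shell syntax.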

Conduct web application vulnerability scan

An application vulnerability scan is a security process used to find weaknesses in your computer security.

Vulnerability scanning should be performed by your network administrators for security purposes. Otherwise, it could potentially be used to fraudulently gain access to your systems.

These are some of the best open source web application penetration testing tools:

Conduct penetration test

A penetration test is a simulated cyber attack against your computer system to check for security vulnerabilities. Penetration testing is typically used to strengthen an application's firewall.

Free Security Testing Tools
