== Overview ==

Describe the goals and objectives of the web application:

This page is still under review. A new page will be posted soon.

== Security and Privacy ==

*What potential security issues are possible within the web application, and which of them have you addressed?

*Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced.

*What part of the web application is the biggest risk?

*What types of data are accepted as part of this web application?

**Examples: file uploads, user comments, etc.

*What methods are used to ensure the code base on the servers hasn't changed, or to detect if the web code has been modified? (This might be a sysadmin function.)

== Coding Structure ==

*What coding frameworks are being used?

*Are dangerous system functions used as part of this application? Examples in PHP would be eval, system, passthru, and shell_exec.

== Application Administrative Functions ==

*Please describe the administrative functions and what controls have been put in place to ensure these are locked down to administrators only.

*Is there any special logging around admin functions?

*Are admin accounts treated differently than general user accounts?

== User and Authentication ==

*Where is user information, including passwords, stored? Or is an external authentication system used for user authentication?

*How is user information, including password information, stored? Algorithms, salts, salt lengths, etc.

*Are any anti-CSRF frameworks being used, and/or what anti-CSRF techniques are being used?

*What are the potential security issues with the user registration, forgot-password and password-reset functions? What has been used to mitigate these risks?

*Are users and admins required to change their passwords after a given time period?

*What methods are used around password strength, length, and password rotation?

*Are users locked out after X failed attempts, and can users be barred from logging in?

== Data ==

*What methods are used to ensure user input is sanitized?

*Is output sanitized, and how is it sanitized?

== Database Security ==

*Is a database used as part of this application? (If so, what kind?)

*What libraries are being used?

*What accounts and what privileges are being used?

*Is the web application susceptible to SQL injection, and what has been done to address this?

*Is data being encrypted, and if so, what methods are being used?

== Relationships to other projects ==

*Are there relationships to other web applications?

*If so, what are some potential security issues with these relationships?

*Is any code being used from other internal projects?

== Review Comments ==
