Checklist for Testing of Operational Security of Web Applications
A security testing checklist is a powerful fact-gathering tool, used to confirm that a new web application behaves as expected with respect to operational security. Each check point below is answered Yes or No; a "No" marks a gap that should be recorded and followed up.
Check Points related to Privacy

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Is sensitive data restricted from being viewed by unauthorized users? | |
| 2. | Is proprietary content copyrighted? | |
| 3. | Is information about company employees limited on the public web site? | |
| 4. | Is the privacy policy communicated to users and customers? | |
| 5. | Is there adequate legal support and accountability for privacy practices? | |
Check Points related to Access Control

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Is there a defined standard for login names/passwords? | |
| 2. | Are good aging procedures in place for passwords? | |
| 3. | Are users locked out after a given number of password failures? | |
| 4. | Is there a link for help (e.g., forgotten passwords)? | |
| 5. | Is there a process for password administration? | |
| 6. | Have authorization levels been defined? | |
| 7. | Is management sign-off in place for authorizations? | |
Check Points related to Proxy Servers

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Have undesirable / unauthorized external sites been defined and screened out (e.g., gaming sites)? | |
| 2. | Is traffic logged? | |
| 3. | Is user access defined? | |
Check Points related to Firewalls

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Was the software installed correctly? | |
| 2. | Are firewalls installed at adequate levels in the organization and architecture (e.g., corporate data, human resources data, customer transaction files)? | |
| 3. | Have firewalls been tested (e.g., to allow and deny access)? | |
| 4. | Is the security administrator aware of known firewall defects? | |
| 5. | Is there a link to access control? | |
| 6. | Are firewalls installed in effective locations in the architecture (e.g., proxy servers, data servers)? | |
Check Points related to Monitoring

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Are network monitoring tools in place? | |
| 2. | Are the network monitoring tools working effectively? | |
| 3. | Do monitors detect network time-outs? | |
| 4. | Is personnel access control monitored? | |
| 5. | Is personnel internet activity monitored (e.g., sites visited)? | |
Check Points related to Security Administration

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Have security administration procedures been defined? | |
| 2. | Is there a way to verify that security administration procedures are followed? | |
| 3. | Are security audits performed? | |
| 4. | Is there a person or team responsible for security administration? | |
| 5. | Are checks and balances in place? | |
| 6. | Is there an adequate backup for the security administrator? | |
Check Points related to Virus Protection

| Sr. | Check Point | Yes/No |
|-----|-------------|--------|
| 1. | Are virus detection tools in place? | |
| 2. | Have the virus data files been kept up to date? | |
| 3. | Are virus updates scheduled? | |
| 4. | Is a response procedure for virus attacks in place? | |
| 5. | Are notifications of updates to virus files obtained from the anti-virus software vendor? | |
| 6. | Does the security administrator maintain an informational partnership with the anti-virus software vendor? | |
| 7. | Does the security administrator subscribe to early warning e-mail services? | |
| 8. | Has a key contact been defined for notification of a virus presence? | |
| 9. | Has an automated response been developed to respond to a virus presence? | |
| 10. | Is the communication and training of virus prevention and response procedures to users adequate? | |
The author is an expert in R&D, online training and publishing. He holds an M.Tech. (Honours) and has been part of the STG team since its inception.
Very nice, I like the way you explained it. I also wrote something on similar lines on a Security Testing Check List. Hope you would like it – bit.ly/1RaHeDx