DIGIT Core
PlatformDomainsAcademyDesign SystemFeedback
2.9-LTS
2.9-LTS
  • 🖥️Platform
    • Overview
    • Why DIGIT?
    • Principles
    • Architecture
      • Service Architecture
      • Technology Architecture
        • Open Source Tools
      • Infrastructure Architecture
      • Deployment Architecture
    • API Specifications
      • Access Control
      • Boundary
      • Document Uploader
      • Encryption
      • File Store
      • ID Generation
      • Indexer
      • Localisation
      • Master Data Management
      • OTP
      • Payment Gateway
      • PDF Generation
      • URL Shortner
      • WhatsApp Chatbot
      • Workflow
    • Core Services
      • Access Control Services
      • Audit Service
        • Signed Audit Performance Testing Results
      • API Gateway
        • Configuring Gateway Rate Limiting
      • Boundary Service
        • Migrate Old Boundary Data - Steps
      • Email Notification Service
      • Encryption Service
        • Encryption Client Library
        • User Data Security Architecture
        • Guidelines for supporting User Privacy in a module
      • FileStore Service
      • ID Generation Service
      • Indexer Service
        • Indexer Configuration
      • Internal Gateway
      • Location
      • Localization Service
        • Configuring Localization
          • Setup Base Product Localisation
          • Configure SMS and Email
      • MDMS V2 (Master Data Management Service)
        • Adopt New MDMS - Steps
        • MDMS (Master Data Management Service)
          • Setting up Master Data
            • MDMS Overview
            • MDMS Rewritten
            • Configuring Tenants
            • Configuring Master Data
            • Adding New Master
            • State Level Vs City Level Master
        • MDMS Migration
      • OTP Service
      • Payment Gateway Service
      • PDF Generation Service
      • Persister Service
        • Persister Configuration
      • Service Request
      • SMS Notification Service
        • Setting Up SMS Gateway
          • Using The Generic GET & POST SMS Gateway Interface
      • User
        • User Session Management
      • User OTP Service
      • URL Shortening Service
      • Workflow
        • Setting Up Workflows
        • Configuring Workflows For An Entity
        • Workflow Auto Escalation
        • Migration To Workflow 2.0
      • Libraries
        • Tracer Library
        • Encryption Client
      • Accelerators
        • Inbox Service
    • DIGIT: How-Tos
      • SMS Template Approval Process
      • Notification Enhancement Based On Different Channel
    • Releases
      • DIGIT 2.9 LTS
        • Test Automation
        • Release Checklist
        • Service Build Updates
          • Hotfix
        • Test Cases
        • Automated DIGIT Deployment
        • Upgrade Guide: Transitioning DIGIT Modules to Spring Boot Version 3.2.2
        • Postgres Upgrade: Service Code Changes
        • Updating RDS Version in AWS
        • LTS DIGIT Migration - v2.8 To v2.9
        • Changelog
        • Backup PostgreSQL Database In AWS - Steps
    • Source Code
  • 📓Guides
    • Installation Guide
      • Infrastructure Setup
        • AWS
          • 1. Pre-requisites
          • 2. Setup AWS Account
          • 3. Provision Infrastructure
          • FAQ
        • Azure
          • 1. Azure Pre-requisites
          • 2. Understanding AKS
          • 3. Infra-as-code (Terraform)
        • SDC
          • 1. SDC Pre-requisites
          • 2. Infra-as-code (Kubespray)
          • CI/CD Setup On SDC
        • CI/CD Set Up
          • CI/CD Build Job Pipeline Setup
      • DIGIT Deployment
        • Full Deployment
          • Deploy DIGIT
            • Prepare Deployment Configuration
        • Full Deployment (Beta)
          • Creating New HelmChart
          • Prepare Helm Release Chart
      • Quick Setup (AWS)
    • Data Setup Guide
      • Bootstrap DIGIT
      • Productionize DIGIT
      • User Module
      • Localisation Module
      • Location Module
      • MDMS - V2
    • Design Guide
      • Model Requirements
      • Design Services
      • Design User Interface
      • Checklists
    • Developer Guide
      • Pre-requisites Training Resources
      • Backend Developer Guide
        • Section 0: Prep
          • Development Pre-requisites
          • Design Inputs
            • High Level Design
            • Low Level Design
          • Development Environment Setup
        • Section 1: Create Project
          • Generate Project Using API Specs
          • Create Database
          • Configure Application Properties
          • Import Core Models
          • Implement Repository Layer
          • Create Validation & Enrichment Layers
          • Implement Service Layer
          • Build The Web Layer
        • Section 2: Integrate Persister & Kafka
          • Add Kafka Configuration
          • Implement Kafka Producer & Consumer
          • Add Persister Configuration
          • Enable Signed Audit
        • Section 3: Integrate Microservices
          • Integrate IDGen Service
          • Integrate User Service
          • Add MDMS Configuration
          • Integrate MDMS Service
          • Add Workflow Configuration
          • Integrate Workflow Service
          • Integrate URL Shortener Service
        • Section 4: Integrate Billing & Payment
          • Custom Calculator Service
          • Integrate Calculator Service
          • Payment Back Update
        • Section 5: Other Advanced Integrations
          • Add Indexer Configuration
          • Certificate Generation
        • Section 6: Run Final Application
        • Section 7: Build & Deploy Instructions
        • FAQs
      • UI Developer Guide
        • DIGIT-UI
          • UI Components Standardisation
            • DIGIT UI Core React Components
            • DIGIT UI Core Flutter Components
              • Input Field
              • Radio
              • Toggle
              • Button
              • Dropdown
              • Checkbox
              • Toast
              • Info Card
            • DIGIT UI Components v0.2.0
              • Foundation
                • Typography
                • Colour Pallete
                • Spacer
              • Atom
                • Accordion
                • Button
                • Checkbox
        • DIGIT UI Development Pre-requisites
        • UI Configuration (DevOps)
        • Local Development Setup
        • Run Application
        • Build & Deploy
        • Pre-defined Screens In DIGIT-UI
          • Create Screen (FormComposer)
          • Inbox/Search Screen
          • Workflow Component
        • Create a New UI Module/Package
          • Project Structure
          • Install Dependency
          • Module.js
          • Import Required Components
          • Common Hooks
        • Employee Module Setup
          • Write Employee Module Code
          • Create Form - Create Screen
        • Citizen Module Setup
          • Sample screenshots
          • Citizen Landing Screen
          • Write Citizen Module Code
        • Customisation
          • Integrate External Web Application/UI With DIGIT UI
          • Utility - Pre-Process MDMS Configuration
          • CSS Customisation
          • Kibana Dashboard Integration With DSS Module
          • Login Page
        • Setup Monitoring Tools
        • Android Web View & How To Generate APK
        • FAQs
          • Troubleshoot Using Browser Network Tab
          • Debug Android App Using Chrome Browser
      • Flutter (Mobile App) UI Developer Guide
        • Introduction to Flutter
          • Flutter - Key Features
          • Flutter Architecture & Approach
          • Flutter Pre-Requisites
        • Setup Development Environment
          • Flutter Installation & Setup Guide
          • Setup Device Emulators/Simulators
          • Run Application
        • Build User Interfaces
          • Create Form Screen
        • Build Deploy & Publish
          • Build & Deploy Flutter Web Application
          • Generate Android APKs & App Bundles
          • Publishing App Bundle To Play Store
        • State Management With Provider & Bloc
          • Provider State Management
          • BloC State Management
        • Best Practices & Tips
        • Troubleshooting
    • Operations Guide
      • DIGIT - Infra Overview
      • Kubernetes
        • RBAC Management
        • Database Dump - Playground
      • Setup Jenkins - Docker way
      • GitOps
        • Git Client installation
        • GitHub organization creation
        • Adding new SSH key to it
        • GitHub repo creation
        • GitHub Team creation
        • Enabling Branch protection:
        • CODEOWNER Reviewers
        • Adding Users to the Git
        • Setting up an OAuth with GitHub
        • Fork (Fork the mdms,config repo with a tenant-specific branch)
      • Working with Kubernetes
        • Installation of Kubectl
      • Containerizing application using Docker
        • Creation of Dockerhub account
      • Infra Provisioning Using Terraform
        • Installation of Terraform
      • Customise Existing Terraform Templates
      • Cert-Manager
        • Obtaining SSL certificates with the help of cluster-issuer
      • Moving Docker Images
      • Pre and post deployment checklist
      • Multi-tenancy Setup
      • Availability
        • Infrastructure
        • Backbone services
          • Database
          • Kafka
          • Kafka Connect
          • Elastic search
            • Elastic Search Rolling Upgrade
            • ElasticSearch Direct Upgrade
        • Core services
        • DIGIT apps
        • DSS dashboard
      • Observability
        • ES-Curator - Clear Old Logs/indices
        • Monitoring
        • Environment Changes
        • Tracing
        • Jaeger Tracing Setup
        • Logging
        • eGov Monitoring & Alerting Setup
        • eGov Logging Setup
      • Performance
        • What to monitor?
          • Infrastructure
          • Backbone services
          • Core services
        • Identifying bottlenecks
        • Solutions
      • Handling errors
      • Security
      • Reliability and disaster recovery
      • Privacy
      • Skillsets/hiring
      • Incident management processes
      • Kafka Troubleshooting Guide
        • How to clean up Kafka logs
        • How to change or reset consumer offset in Kafka?
      • SRE Rituals
      • FAQs
        • I am unable to login to the citizen or employee portal. The UI shows a spinner.
        • My DSS dashboard is not reflecting accurate numbers? What can I do?
      • Deployment using helm
        • Helm Installation
        • Helm chart creation
        • Helm chart customization
      • How to Dump Elasticsearch Indexes
      • Deploy Nginx-Ingress-Controller
      • Deployment Job Pipeline Setup
      • OAuth2-Proxy Setup
      • Jira Ticket Creation
    • Implementation Guide
    • Security & Privacy Guide
      • Security & Privacy Guidelines For Product Developers
      • Security & Privacy Guidelines For Solution Implementing Agencies
      • Security & Privacy Guidelines For Program Owners
  • 🚀Accelerators
    • UI Frameworks
      • Service Build Updates
    • Integrations
      • Payment
      • Notification
      • Transaction
      • Verification
      • View
      • Calculation
    • Concepts
      • Deployment - Key Concepts
        • Security Practices
        • Readiness & Liveness
        • Resource Requests & Limits
        • Deploying DIGIT Services
        • Deployment Architecture
        • Routing Traffic
        • Backbone Deployment
    • API Playground
    • Sandbox
    • Checklists
      • API Checklist
      • Security Checklist
        • Security Guidelines Handbook
        • Security Flow - Exemplar
      • Performance Checklist
      • Deployment Checklist
    • Contribute
    • Discussion Board
    • Academy
    • Events
Powered by GitBook

All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.

On this page
  • 1. Design Considerations
  • 2. Development Considerations
  • 3. CI/CD Considerations
  • 4. Testing Considerations
  • 5. Infra-Security Considerations
  • 6. Deployment Considerations

Was this helpful?

  1. Accelerators
  2. Checklists

Security Checklist

Application security checklist by various functions

PreviousAPI ChecklistNextSecurity Guidelines Handbook

Was this helpful?

Application security is a critical topic. Being a good engineer requires being aware of Application security best practices. We should practice defensive programming and ensure run security checks much earlier and more frequently during every phase of the software development. The earlier we catch vulnerabilities, the less dramatic and expensive those violations are to resolve. Waiting until release will just leave us nervous and unprepared. Delivering security alongside the continuous delivery of software, we'll identify security problems before they become hopelessly entangled in the application and therefore more difficult, and costly, to resolve.

Teams should ensure the following checks to deliver security.

1. Design Considerations

Injecting Security in the design phase means addressing design decisions that take into account the perspective of an attacker that is trying to breach weaknesses and compromise the confidentiality, integrity and other important security aspects of your software.

2. Development Considerations

Authentication

JWT (JSON Web Token)

OAuth

Access

Input

Processing

Output

Logging

3. CI/CD Considerations

4. Testing Considerations

Information Gathering

A successful web application security strategy fundamentally begins with an understanding of the interactions between the web server, users, and applications. While application deployment platforms vary, key vulnerabilities in infrastructure configuration act as a common weak link for threat actors to initiate an attack.

Some key application security information-gathering activities include:

  • Identify technologies used

  • Identify user roles

  • Identify application entry points

  • Identify client-side code

  • Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)

  • Identify co-hosted and related applications

  • Identify all hostnames and ports

  • Identify third-party hosted content

Configuration Management

A web server ecosystem is intrinsically complex with highly connected, heterogeneous services and components working together. Reviewing and managing the configuration of the server is, as a result, a very crucial aspect for maintaining robust security across multiple layers of an application.

Securing various configuration items of an application involves:

  • Check for commonly used application and administrative URLs

  • Check for old, backup and unreferenced files

  • Check HTTP methods supported and Cross Site Tracing (XST)

  • Test file extensions handling

  • Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)

  • Test for policies (e.g. Flash, Silverlight, robots)

  • Test for non-production data in live environment, and vice-versa

  • Check for sensitive data in client-side code (e.g. API keys, credentials)

Secure Transmission

  • Check SSL Version, Algorithms, Key length

  • Check for Digital Certificate Validity (Duration, Signature and CN)

  • Check credentials only delivered over HTTPS

  • Check that the login form is delivered over HTTPS

  • Check session tokens only delivered over HTTPS

  • Check if HTTP Strict Transport Security (HSTS) in use

Authentication

  • Test for user enumeration

  • Test for authentication bypass

  • Test for bruteforce protection

  • Test password quality rules

  • Test remember me functionality

  • Test for autocomplete on password forms/input

  • Test password reset and/or recovery

  • Test password change process

  • Test CAPTCHA

  • Test multi-factor authentication

  • Test for logout functionality presence

  • Test for cache management on HTTP (eg Pragma, Expires, Max-age)

  • Test for default logins

  • Test for user-accessible authentication history

  • Test for out-of-channel notification of account lockouts and successful password changes

  • Test for consistent authentication across applications with shared authentication schema / SSO

Session Management

Once a user is authenticated, their interaction with the server is managed within a session. Improperly managed sessions open doors for attackers to compromise access mechanisms by assuming those to be identities of legitimate users. More so, such compromised accesses are often taken advantage of by attack vectors that escalate privileges and penetrate deeper into the system. To avoid vulnerabilities within a session, the following processes are recommended to be tested as a best practice:

  • Establish how session management is handled in the application (eg, tokens in cookies, token in URL)

  • Check session tokens for cookie flags (httpOnly and secure)

  • Check session cookie scope (path and domain)

  • Check session cookie duration (expires and max-age)

  • Check session termination after a maximum lifetime

  • Check session termination after a relative timeout

  • Check session termination after logout

  • Test to see if users can have multiple simultaneous sessions

  • Test session cookies for randomness

  • Confirm that new session tokens are issued on login, role change and logout

  • Test for consistent session management across applications with shared session management

  • Test for session puzzling

  • Test for CSRF and clickjacking

Authorization

  • Test for path traversal

  • Test for bypassing authorization schema

  • Test for vertical Access control problems (a.k.a. Privilege Escalation)

  • Test for horizontal Access control problems (between two users at the same privilege level)

  • Test for missing authorization

Data Validation

  • Test for Reflected Cross Site Scripting

  • Test for Stored Cross Site Scripting

  • Test for DOM based Cross Site Scripting

  • Test for Cross Site Flashing

  • Test for HTML Injection

  • Test for SQL Injection

  • Test for LDAP Injection

  • Test for ORM Injection

  • Test for XML Injection

  • Test for XXE Injection

  • Test for SSI Injection

  • Test for XPath Injection

  • Test for XQuery Injection

  • Test for IMAP/SMTP Injection

  • Test for Code Injection

  • Test for Expression Language Injection

  • Test for Command Injection

  • Test for Overflow (Stack, Heap and Integer)

  • Test for Format String

  • Test for incubated vulnerabilities

  • Test for HTTP Splitting/Smuggling

  • Test for HTTP Verb Tampering

  • Test for Open Redirection

  • Test for Local File Inclusion

  • Test for Remote File Inclusion

  • Compare client-side and server-side validation rules

  • Test for NoSQL injection

  • Test for HTTP parameter pollution

  • Test for auto-binding

  • Test for Mass Assignment

  • Test for NULL/Invalid Session Cookie

Denial of Service

  • Test for anti-automation

  • Test for account lockout

  • Test for HTTP protocol DoS

  • Test for SQL wildcard DoS

Business Logic

Hackers mostly leverage an application’s original programmed flow to orchestrate breaches and penetration attacks. As a result, it is recommended to assess the business and application’s configuration to identify vulnerabilities in code or business logic that could be used for potential exploits.

  • Test for feature misuse

  • Test for lack of non-repudiation

  • Test for trust relationships

  • Test for integrity of data

  • Test segregation of duties

Cryptography

Cryptography ensures the secure exchange of information by using algorithms that transform human-readable data into a ciphertext-encrypted output. While doing so, the process establishes trust between the web server and network entities using security keys, making it an important mechanism for maintaining application security. Testing cryptography for maintaining application security involves:

  • Check if the data which should be encrypted is not

  • Check for wrong algorithms usage depending on the context

  • Check for weak algorithms usage

  • Check for proper use of salting

  • Check for randomness functions

Risky Functionality - File Uploads

  • Test that acceptable file types are whitelisted

  • Test that file size limits, upload frequency and total file counts are defined and are enforced

  • Test that file contents match the defined file type

  • Test that all file uploads have Anti-Virus scanning in-place.

  • Test that unsafe filenames are sanitised

  • Test that uploaded files are not directly accessible within the web root

  • Test that uploaded files are not served on the same hostname/port

  • Test that files and other media are integrated with the authentication and authorisation schemas

Risky Functionality - Card Payment

  • Test for known vulnerabilities and configuration issues on the Web Server and Web Application

  • Test for default or guessable password

  • Test for non-production data in a live environment, and vice-versa

  • Test for Injection vulnerabilities

  • Test for Buffer Overflows

  • Test for Insecure Cryptographic Storage

  • Test for Insufficient Transport Layer Protection

  • Test for Improper Error Handling

  • Test for all vulnerabilities with a CVSS v2 score > 4.0

  • Test for Authentication and Authorization issues

  • Test for CSRF

HTML 5

  • Test Web Messaging

  • Test for Web Storage SQL injection

  • Check CORS implementation

  • Check Offline Web Application

5. Infra-Security Considerations

Kubernetes Cluster/Infra Security

Application Access

6. Deployment Considerations

Don't use Basic Auth. Use standard authentication instead (e.g. , ).

Don't store sensitive data in the JWT payload, it can be decoded .

🚀
JWT
OAuth
easily
Design considerations
Development considerations
CI/CD considerations
Testing considerations
Infra-security considerations
Deployment considerations