
The Complete Security Vulnerability Assessment Checklist#

Excerpt#

Our essential security vulnerability assessment checklist is your playbook for comprehensively testing a web application's security for vulnerabilities.

Automated dynamic scanning#

  • Choose an automated scanning method. Select an appropriate commercial or open source security scanning tool, depending on the application framework, that ensures maximum coverage (e.g., Burp Suite Pro, OWASP ZAP).
  • Scan the application. This form of testing reveals many common security vulnerabilities.

Manual testing#

  • Conduct injection and XSS testing. Check for the presence of injection flaws such as SQL, JSON, XML, and LDAP injection. Test for cross-site scripting (XSS) through all input points of the application. Determine whether forms are submitted securely, without the possibility of tampering.
  • Administer authentication and authorization tests. Inspect for inadequate authentication methods, improper access control definitions, and broken login processes.
  • Audit session management. Review whether session IDs and cookies are generated and handled securely. Search for instances of cross-site request forgery (CSRF).
  • Investigate sensitive information exposure. Confirm that no sensitive information is revealed through improper storage of non-public information (NPI), broken error handling, insecure direct object references, or comments in source code.
  • Examine secure configuration. Confirm that security configurations are not defined and deployed with default settings.
  • Run transport layer security testing. Ensure that no broken encryption algorithms are accepted and that the communication channels are protected by encryption.
  • Carry out application spidering. Crawl the application to find unconventional paths that bypass security controls.
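Several of the checks above (session cookie attributes, transport settings such as HSTS, and default or version-disclosing configuration) can be verified from a single captured HTTP response. The script below is an added example, not part of the original checklist or any scanning tool: it parses a raw response, audits the Set-Cookie headers of session-bearing cookies for Secure, HttpOnly and SameSite, flags a missing Strict-Transport-Security header, and reports version banners in Server and X-Powered-By. Both sample responses, the cookie-name heuristics and the finding categories are constructed assumptions for illustration.

```python
"""Audit a captured HTTP response for session, transport and configuration
weaknesses. Added example; the sample responses below are constructed and
do not come from any real application."""
import re
from typing import Dict, List, Tuple

# Constructed: a weak response, as a tester might capture it from a proxy.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>hello</body></html>\r\n"
)

# Constructed: the same response after the configuration has been hardened.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>hello</body></html>\r\n"
)

# Heuristic (assumption): cookie names that usually carry a session secret.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs in order; repeated headers such
    as multiple Set-Cookie lines are preserved rather than merged."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its attributes.
    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(raw: str) -> List[Tuple[str, str]]:
    """Return (category, message) findings for the checklist items covered."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings: List[Tuple[str, str]] = []

    # Session management: a session cookie without Secure can leak over
    # plaintext, without HttpOnly is readable by injected script, and
    # without SameSite is sent on cross-site requests (CSRF exposure).
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, attrs = parse_cookie(value)
        if not any(hint in cname.lower() for hint in SESSION_HINTS):
            continue
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("session", f"cookie {cname} lacks {flag}"))

    # Transport: without HSTS a browser will still follow plaintext links.
    if "strict-transport-security" not in present:
        findings.append(("transport", "missing Strict-Transport-Security"))

    # Secure configuration: version banners are default settings that map
    # the deployment to known-vulnerable component releases.
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(("config", f"{name} discloses version: {value}"))
    if "x-content-type-options" not in present:
        findings.append(("config", "missing X-Content-Type-Options"))
    return findings


if __name__ == "__main__":
    for category, message in audit_response(SAMPLE_RESPONSE):
        print(f"[{category}] {message}")
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

Run it as a script to see the seven findings on the weak sample and none on the hardened one; to audit a real target, replace `SAMPLE_RESPONSE` with a response saved from the proxy used during the scan, and extend `SESSION_HINTS` with the application's own cookie names.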