application security
Jan 9, 2025

application security Test Questions

Each question is answered Yes or No.

Business Requirement
1. Are the system's security requirements based on the business requirements?

Documentation
2. Is the system architecture available?
3. Are design documents available (e.g., use case diagrams, DFD, ERD, etc.)?
4. Do you have an operating procedure document?

Contracts
5. Do you have support contracts available?
6. Do you have escrow agreements (to secure the software source code in case the development vendor goes out of business)?

Review
7. Is the system design reviewed?
8. Is the source code reviewed (if built in-house)?

Authentication
9. Is account locking enabled (e.g., locked after 3 failures)?
10. Is a password length defined?
11. Is a password pattern defined (e.g., must include numbers, ASCII characters, etc.)?
12. Can a password reset policy be applied?

Authorization
13. Is user access clearly defined?
14. Is access to the resource validated for each request?
15. Is access to key resources logged?
16. Do you have an access control matrix (ACL or ACM)?
17. Do you carry out periodic reviews of access rights?

Session Management
18. Is the session ID assigned only after successful authentication?
19. Is session timeout managed?
20. Does logout invalidate and delete the session?

Input Validation
21. Does the system validate all inputs?
22. Does the system have business validations (e.g., business process checks before approvals)?
23. Does the system reject all invalid characters?
24. Is a length check applied to inputs?
25. Does the system have both client-side and server-side validation?
26. Does the system use any validation frameworks?

Error Handling
27. Does the system handle all exceptions?
28. Does the system use any error handling frameworks?
29. Does the system display business errors or system errors to users?
30. Does the system log all exceptions?

Deployment
31. Is directory listing disabled?
32. Are there any backup files present on production?
33. Is navigation to configuration directories allowed?

Cryptography
34. Does the system use custom-built or standard cryptographic algorithms?

Buffer Overruns
35. Is the system vulnerable to buffer overruns or overflows?

Cross-Site Scripting
36. Is the system vulnerable to cross-site scripting (XSS)?
37. Is the system vulnerable to cross-site request forgery (CSRF)?

Logging
38. Does the system log authentication, authorization, and sensitive data modifications?
39. Are administrator activities captured in logs?
40. Is time synchronization in place for all logged events?

Availability
41. Does the system have high availability configured (e.g., clustering)?

Backup
42. Are application and database backups conducted regularly?
43. Is the backup schedule implemented as agreed with the business?

Architecture
44. Are the application server and database server kept in a data network?
45. Are the application and database servers separated by VLANs?

Integrations
46. Is your communication channel encrypted?
47. Do you validate remote requests before processing them (e.g., authentication, authorization)?
48. Is a message time threshold specified?

Source Code Security
49. Is the source code available for custom-built applications?

Auditing
50. Is user activity logged (e.g., approval, login, logoff)?

Compliance
51. Does the application process personal or confidential data?
52. Does the application meet the Company minimum baseline requirements (e.g., OS, database, network)?