Now showing 1 - 30 of 3041
Each entry gives the title, then Technology / Phase / Type / Category, then the description.

A centralized log server is deployed
  PCI DSS / Deployment / Checklist Item / Auditing and Logging
  A centralized log server should be deployed.

A certificate is installed on the database server to support SSL communication
  SQL Server 2000 / Deployment / Checklist Item / Deployment Considerations
  Check to ensure that a certificate is installed on the database server to support SSL communication and the automatic encryption of SQL account credentials (optional).

A control flow analysis is performed
  Any / Implementation / Checklist Item / Security Engineering
  Project documentation should include the results of a control flow analysis.

A custom ASP.NET policy is used to access non-SQL Server databases from partial trust ASP.NET applications.
  ADO.NET 2.0 / Implementation / Checklist Item / Code Access Security
  Check to ensure that your application uses a custom policy to access database types other than SQL Server through an alternate provider from partially trusted ASP.NET applications.

A custom least-privileged anonymous account is created for anonymous access.
  Web Application / Deployment / Checklist Item / Server Hardening
  Check to ensure that a custom least-privileged anonymous account is created if your applications require anonymous access.

A Custom Trust Policy is used if Your Application Needs Additional Permissions
  ASP.NET 3.5 / Implementation / Checklist Item / Code Access Security
  Check to ensure that a custom trust policy file is created if your application requires additional permissions beyond those provided at a particular trust level, but does not need the additional permissions provided by the next trust level.

A data flow analysis is performed
  Any / Implementation / Checklist Item / Security Engineering
  Project documentation should include the results of a data flow analysis.

A DMZ is implemented
  PCI DSS / Design / Checklist Item / Communication Security
  The network should have a segment designated as the DMZ. The DMZ is the network segment that has Internet access and may handle incoming Internet traffic. There may be more than one DMZ.

A Global Exception Handler is Used for Unhandled Exceptions
  Java / Implementation / Checklist Item / Error Handling
  Ensure that a global exception handler has been implemented.

A Least Privileged Account is Used for Running Applications
  Java / Deployment / Checklist Item / Deployment Considerations
  Ensure your application is running with the minimum set of local system privileges.

A Least-privileged Account is used for Running Applications
  ASP.NET 3.5 / Deployment / Checklist Item / Deployment Considerations
  Ensure the account used to run an ASP.NET application has the minimum privilege levels necessary.

A least-privileged local/domain account is used to run the various SQL Server services, for example, backup and replication.
  SQL Server 2000 / Deployment / Checklist Item / Deployment Considerations
  Check to ensure that a least-privileged local/domain account is used to run the various SQL Server services, for example, backup and replication.

A new ID is assigned on login
  ASP.NET 4.0 / Implementation / Checklist Item / Session Management
  Verify that a new session ID is assigned on login.

A new or blank session ID is assigned on logout
  ASP.NET 4.0 / Implementation / Checklist Item / Session Management
  Verify that a new or blank session ID is assigned on logout.

A new session ID is assigned on reauthentication
  ASP.NET 4.0 / Implementation / Checklist Item / Session Management
  Verify that a new session ID is assigned on reauthentication.

A Secure Approach to Exception Management is Identified
  ASP.NET 3.5 / Design / Checklist Item / Design Considerations
  Check that your application identifies a secure approach to exception management and ensure that it fails securely in the event of exceptions.

A secure approach to exception management is identified.
  ASP.NET 2.0 / Design / Checklist Item / Design Considerations
  Check that your application identifies a secure approach to exception management and ensure that it fails securely in the event of exceptions.

A Secure Key Storage Location is used
  ASP.NET 3.5 / Implementation / Checklist Item / Deployment Considerations
  Ensure that application keys are stored in a well-defined location, such as the encrypted sections of the application's web.config or encrypted in the Windows Registry. Verify that they are not hard-coded into the application or stored as plaintext inside configuration files.

A security code review is performed
  Any / Implementation / Checklist Item / Security Engineering
  Project documentation should include the results of a security code review.

A security deployment review is performed
  Any / Deployment / Checklist Item / Security Engineering
  Check project documentation to verify that a security deployment review has been performed.

A Security Policy is Defined
  ASP.NET 3.5 / Design / Checklist Item / Code Access Security
  Ensure that a security policy is defined for your application that uses the Principle of Least Privilege. Verify that your application is allowed to execute only the minimum set of necessary actions.

A Security Policy is Defined
  Java / Design / Checklist Item / Security Policies
  Ensure that your application has a defined security policy that applies the principle of least privilege. Restrict application execution to only the minimum set of necessary actions.

A strong password is applied for the sa account or any other member of the sysadmin role.
  SQL Server 2000 / Deployment / Checklist Item / Server Hardening
  Check to ensure that a strong password is applied for the sa account or any other member of the sysadmin role. Use strong passwords for all accounts.

A strong sa password is used (for all accounts).
  SQL Server 2000 / Deployment / Checklist Item / Configuration
  Check to ensure that a strong sa (System Administrator) password is used, and that strong passwords are used for all accounts.

A valid SSL certificate is used
  ASP.NET 4.0 / Implementation / Checklist Item / Communication Security
  Verify that a valid SSL certificate is used.

A web application firewall is used
  PCI DSS / Deployment / Checklist Item / Deployment Considerations
  Public-facing web applications should be protected by a web application firewall or be reviewed periodically. This checklist item refers to using a web application firewall.

A wireless analyzer is used regularly
  PCI DSS / Deployment / Checklist Item / Networking
  A wireless analyzer should be used at least quarterly to identify all wireless devices in use, or a wireless IDS/IPS should be implemented.

A wireless IDS or IPS is deployed
  PCI DSS / Deployment / Checklist Item / Auditing and Logging
  A wireless IDS/IPS should be deployed, or a wireless analyzer should be used at least quarterly. The wireless IDS/IPS solution should identify all wireless devices in use and generate alerts when unauthorized devices or attacks are detected.

Absolute URLs are used for navigating secure pages
  ASP.NET 4.0 / Design / Checklist Item / Communication Security
  Ensure that absolute URLs are used for navigation where the site is partitioned into secure and non-secure folders.

Absolute URLs are used for Navigation where the Site is Partitioned with Secure and non-Secure Folders
  ASP.NET 3.5 / Implementation / Checklist Item / Authentication
  Ensure that absolute URLs are used for navigation where the site is partitioned into secure and non-secure folders.