Overview

Most software security flaws are found in code-level implementations, due to insecure cryptographic keys, ciphers and channels. Software security flaws can be introduced by:

  • Not identifying security requirements up front

  • Introducing flaws during maintenance or updating

Reviewing process with the checklists

The review process is simply cross-checking the implemented code against the checklist. The checklist is categorized by critical implementation checkpoints; each checkpoint is listed below:

Cryptographic Practices

  • All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g. the server).

  • Protect master secrets from unauthorized access.

  • Cryptographic modules should fail securely.

  • All random numbers, random filenames, random GUIDs, and random strings should be generated using the cryptographic module’s approved random number generator when these random values are intended to be un-guessable.

  • Establish and utilize a policy and process for how cryptographic keys will be managed.

Communication Security

  • Implement encryption for the transmission of all sensitive information. This should include TLS for protecting the connection and may be supplemented by discrete encryption of sensitive files or non-HTTP based connections.

  • TLS certificates should be valid and have the correct domain name, not be expired, and be installed with intermediate certificates when required.

  • Failed TLS connections should not fall back to an insecure connection.

  • Utilize TLS connections for all content requiring authenticated access and for all other sensitive information.

  • Utilize TLS for connections to external systems that involve sensitive information or functions.

  • Utilize a single standard TLS implementation that is configured appropriately.

  • Specify character encodings for all connections.

  • Filter parameters containing sensitive information from the HTTP referer, when linking to external sites.

  • Do not use self-signed certificates.

  • Do not use test certificates in production.

  • Check SSL configuration with https://ssl-config.mozilla.org.
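As an added example (not part of the original checklist), the following Python audits a client-side `ssl.SSLContext` against the Communication Security items above (certificate verification, hostname match, no downgrade below a protocol floor) and shows a context that passes beside one a reviewer should flag. It assumes TLS 1.2 as the minimum acceptable version and uses only the standard library.

```python
import socket
import ssl

# Assumption for this example: TLS 1.2 is the floor the review accepts.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Cross-check ctx against the checklist; an empty list means it passes."""
    findings = []
    # "TLS certificates should be valid": the peer certificate must be verified.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    # "... and have the correct domain name": hostname must be matched.
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    # "Failed TLS connections should not fall back to an insecure connection":
    # a low protocol floor lets a peer negotiate a weaker TLS version.
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum TLS version is below {MIN_VERSION.name}")
    return findings


def build_hardened_context() -> ssl.SSLContext:
    """Client context that satisfies every check in audit_tls_context()."""
    # create_default_context() gives CERT_REQUIRED, check_hostname=True and the
    # platform trust store; the version floor is pinned explicitly.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """The kind of context a reviewer is looking for: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def connect_tls(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Fail closed: a handshake or verification error propagates to the caller.
    The checklist forbids catching it and retrying over a plaintext socket."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        raw.close()
        raise
```

`audit_tls_context` can be run as part of the review over every context the code base constructs; `connect_tls` is the shape the connection helper should take and needs a live server to exercise.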