Questionnaire

| Questionnaire | Y/N | Additional Information | Remarks |
|---|---|---|---|
| Does the application require external access (publicly accessible from the Internet)? | | | |
| The solution should be capable of securely integrating with other business applications. | | | |
| Will the application be hosted at the vendor's data centre? | | | |
| Are an SLA and an NDA signed with the vendor? | | | |
| How will the application be accessed? Web / WAP / client-server / mobile | | | |
| Does the solution support current, strong encryption while processing and sharing data? | | | |
| Connectivity with all content providers should be encrypted, with data security controls at both ends to ensure authorized access and storage of the data. | | | |
| Does the system support role-based access control? | | | |
| Is remote access required for operational support? | | | |
| Is IPv6 support available? | | | |
| Have all built-in user IDs, test user IDs, generic IDs and IDs with default passwords been removed from the operating system, the web servers and the application itself? | | | |
| The solution should support multi-factor authentication. | | | |
| Is the password policy implemented as per guidelines? | | | |
| If authentication is password-based, are the passwords stored in the "password store" in encrypted form? | | | |
| Is the application required to authenticate each and every session? | | | |
| Is an audit-trail logging mechanism implemented? | | | |
| The solution should be capable of generating event logs and interfacing with a third-party logging and monitoring system. | | | |
| Solution provider's roadmap for the offered solution, from a development and release point of view. | | | |
| Are the application audit records vulnerable to unauthorised deletion, modification or disclosure? | | | |
| Has a vulnerability assessment (VA) been conducted for the application? | | | |
| Arrangement for regular security assessment at OS, application and network level. | | | |
| Has a backup / restore policy been defined for this application's critical information? | | | |
| No dependency on or integration with any type of third-party software, freeware etc. to achieve the end result and output of the solution. If any is needed, it should be clearly defined and declared with a proper risk assessment and approved through the SEF process. | | | |
| The solution should ensure that any sensitive / historical / statistical data pulled from other integrated applications and databases is secured with an access control and authorization mechanism. | | | |
| System error messages should not be displayed to end users (output sanitization). | | | |
| The solution includes hardware + OS + application + network setup collectively. | | | |
| How are error messages handled? Is there any chance of an information leak that could be used in a subsequent attack? Would an application failure result in the system entering an insecure state? | | | |
| Regular security advisory and bug-fix support from the solution provider covering security patches and known vulnerabilities, to ensure protection against zero-day attacks. | | | |
| The solution should be capable of and designed to provide high-availability (HA) services at the OS, network, application, database and hardware level. | | | |