Application Review Questions

Several general questions about the application are asked below. These questions do not necessarily cover everything that may be used to determine the security level of the application; they are intended to help the reader consider the major security features that the application may require.

Application Questions

  1. What is the name of the application?
  2. What functions does the application perform?
  3. Is the application critical to required business functions?
  4. Is all the data the application reads or writes publicly available through the Freedom of Information Act (i.e., FOIAble)?
  5. Can the application data be made public without causing harm?
  6. Does the data include items like social security numbers or other confidential information?
  7. What is the damage if data is not kept confidential? (Low, Medium, or High)
  8. What is the damage if data integrity is lost? (Low, Medium, or High)
  9. What is the damage if the data is not available? (Low, Medium, or High)
  10. Of items 7, 8, and 9, what is the worst case? (Low, Medium, or High) This worst-case rating determines the application's security requirements.
  11. Does the application operate over the intranet?
  12. What is the URL of the web site if it operates on the internet or intranet?
  13. Are there any laws or regulations that apply to the application?
  14. How is a password reset handled? Are the passwords sent in the clear?
  15. What do the clients use on their computers to access the system, such as an internet browser or a custom client program?
  16. Are all user IDs and passwords unique?
  17. Is there a documented maintenance and patch management plan for the application?
  18. What users use the application? How many?
  19. What types of users use the system and how many of each type?
  20. What components of the application exist?
  21. What are the names of the databases it accesses?
  22. What are the peak use times for the application?
  23. Where is data stored?

Application Security Controls

  1. Does the application validate all user input so that malformed or hostile input, such as SQL or email injection, cannot reach the application? If no or unknown, this is a security issue that must be resolved.
  2. Does the application refer to privacy and/or security policies on the pages where they apply? If no or unknown, this is an issue that must be resolved.
  3. Is the application tested to ensure that it has no security flaws, especially if it is public facing? If the answer is not yes, the application has low to no security controls.
  4. Can someone use the browser's back button to page past the login screen and gain access on the same computer after the original user has logged off the application? If yes, the application has low to no security controls.
  5. Is any sensitive information stored in cookies by the application? If yes, the application has low to no security controls.
  6. Are user passwords stored on the client computer in plaintext form at any time? If yes, the application has no to low security controls. This should be changed.
  7. Are user passwords transmitted in the clear? If yes, the application has no to low security controls. This should be changed.
  8. Is access to sensitive data allowed without authentication? If yes, the application has no security controls.