Checklist: Architecture and Design Review

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Web Applications
  • ASP.NET version 1.1
  • .NET Framework version 1.1

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: The Architecture and Design Review Checklist covers aspects of the architecture and design stages of the project life cycle, including: input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, and auditing and logging.

Contents

  • How to Use This Checklist
  • Deployment and Infrastructure Considerations
  • Application Architecture and Design Considerations

How to Use This Checklist

This checklist is a companion to Chapter 4, "Design Guidelines for Secure Web Applications," and Chapter 5, "Architecture and Design Review for Security." Use it to help you perform architecture and design reviews to evaluate the security of your Web applications and to implement the design guidelines in Chapter 4.

This checklist should evolve based on the experience you gain from performing reviews. You might also want to perform custom checks that are based on a specific aspect of your architecture or design to ensure that your deployment environment supports the design.

Deployment and Infrastructure Considerations

Check:

  • The design identifies, understands, and accommodates the company security policy.
  • Restrictions imposed by infrastructure security (including available services, protocols, and firewall restrictions) are identified.
  • The design recognizes and accommodates restrictions imposed by hosting environments (including application isolation requirements).
  • The target environment code-access-security trust level is known.
  • The design identifies the deployment infrastructure requirements and the deployment configuration of the application.
  • Domain structures, remote application servers, and database servers are identified.
  • The design identifies clustering requirements.
  • The design identifies the application configuration maintenance points (such as what needs to be configured and what tools are available for an IDC admin).
  • Secure communication features provided by the platform and the application are known.
  • The design addresses Web farm considerations (including session state management, machine-specific encryption keys, Secure Sockets Layer (SSL), certificate deployment issues, and roaming profiles).
  • The design identifies the certificate authority (CA) to be used by the site to support SSL.
  • The design addresses the required scalability and performance criteria.

Application Architecture and Design Considerations

Input Validation

Check:

  • All entry points and trust boundaries are identified by the design.
  • Input validation is applied whenever input is received from outside the current trust boundary.
  • The design assumes that user input is malicious.
  • Centralized input validation is used where appropriate.
  • The input validation strategy that the application adopted is modular and consistent.
  • The validation approach is to constrain, reject, and then sanitize input. (Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input.)
  • Data is validated for type, length, format, and range.
  • The design addresses potential canonicalization issues.
  • Input file names and file paths are avoided where possible.
  • The design addresses potential SQL injection issues.
  • The design addresses potential cross-site scripting issues.
  • The design does not rely on client-side validation.
  • The design applies defense in depth to the input validation strategy by providing input validation across tiers.
  • Output that contains input is encoded using HtmlEncode and UrlEncode.
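The following C# example is added here to show what several of the checks above look like in code; it is not part of the original checklist and is not code from the patterns & practices guide. It centralizes validation in one class, constrains input by type, length, format, and range before anything else happens (constrain, then reject), encodes output that echoes input with HtmlEncode and UrlEncode, and reaches the database only through a parameterized stored procedure so that the validated value can never be interpreted as SQL. The class names, the stored procedure dbo.GetOrderCount, and the connection string are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility lives in System.Web.dll

// Hypothetical centralized validator (name is an assumption, not from the guide).
public sealed class InputValidator
{
    // Constrain: a user name is 3-20 characters drawn from a known-safe set.
    // Anchors (^ and $) make this a whole-value check, not a substring search.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,20}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string input)
    {
        return input != null && UserNamePattern.IsMatch(input);
    }

    // Type, length, format and range check for a numeric form field:
    // digits only, at most three of them, and a value in [1, 100].
    public static bool TryParseQuantity(string input, out int quantity)
    {
        quantity = 0;
        if (input == null || !Regex.IsMatch(input, @"^\d{1,3}$"))
            return false;
        quantity = int.Parse(input);
        return quantity >= 1 && quantity <= 100;
    }

    // Encode output that contains input, choosing the encoder for the context
    // the value lands in: HTML body text versus a URL query-string parameter.
    public static string ToHtml(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput);
    }

    public static string ToUrlParameter(string userInput)
    {
        return HttpUtility.UrlEncode(userInput);
    }
}

// Hypothetical data-access class: the database is reached only through a
// stored procedure with typed parameters, never through concatenated SQL.
public sealed class OrderData
{
    public static int GetOrderCount(string connectionString, string userName)
    {
        // Reject at the trust boundary; the database tier validates again
        // (defense in depth) by accepting only a VarChar(20) parameter.
        if (!InputValidator.IsValidUserName(userName))
            throw new ArgumentException("Invalid user name.");

        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = new SqlCommand("dbo.GetOrderCount", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@UserName", SqlDbType.VarChar, 20).Value = userName;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }
}
```

The validator rejects rather than repairs: a user name containing a quote or an angle bracket simply fails IsValidUserName, so there is no sanitization path to get subtly wrong. HtmlEncode is still applied when the value is rendered, because a value that is safe for SQL is not automatically safe for HTML; the two checks guard different trust boundaries.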

Authentication

Check:

  • Application trust boundaries are identified by the design.
  • The design identifies the identities that are used to access resources across the trust boundaries.
  • The design partitions the Web site into public and restricted areas using separate folders.
  • The design identifies service account requirements.
  • The design identifies secure storage of credentials that are accepted from users.
  • The design identifies the mechanisms to protect the credentials over the wire (SSL, IPSec, encryption, and so on).
  • Account management policies are taken into consideration by the design.
  • The design ensures that minimum error information is returned in the event of authentication failure.
  • The identity that is used to authenticate with the database is identified by the design.
  • If SQL authentication is used, credentials are adequately secured over the wire (SSL or IPSec) and in storage (DPAPI).
  • The design adopts a policy of using least-privileged accounts.
  • Password digests (with salt) are stored in the user store for verification.
  • Strong passwords are used.
  • Authentication tickets (cookies) are not transmitted over non-encrypted connections.
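The following C# example is added to illustrate the "password digests (with salt)" check; it is not code from the original checklist or from the patterns & practices guide. A random per-user salt is generated from the platform's cryptographic random number generator, the digest is computed over salt plus password with the platform's SHA-256 implementation (no custom cryptography), and verification recomputes the digest and compares it in fixed time so that a mismatch is not revealed byte by byte. The class name and the Base64 storage format are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (name is an assumption). Only the salt and digest are
// stored in the user store; the clear-text password is never persisted.
public sealed class PasswordDigest
{
    private const int SaltSize = 16;   // 128-bit salt per user

    // Produce the two values to store for a new account.
    public static void Create(string password, out string saltBase64, out string digestBase64)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);   // platform CSPRNG
        byte[] digest = Compute(salt, password);
        saltBase64 = Convert.ToBase64String(salt);
        digestBase64 = Convert.ToBase64String(digest);
    }

    // Verify a login attempt against the stored salt and digest.
    public static bool Verify(string password, string saltBase64, string digestBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] expected = Convert.FromBase64String(digestBase64);
        byte[] actual = Compute(salt, password);
        return FixedTimeEquals(expected, actual);
    }

    // SHA-256 over (salt || UTF-8 password), using the platform implementation.
    private static byte[] Compute(byte[] salt, string password)
    {
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + passwordBytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(passwordBytes, 0, input, salt.Length, passwordBytes.Length);
        using (SHA256 sha = new SHA256Managed())
        {
            return sha.ComputeHash(input);
        }
    }

    // Compare every byte regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int difference = 0;
        for (int i = 0; i < a.Length; i++)
            difference |= a[i] ^ b[i];
        return difference == 0;
    }
}
```

The salt defeats precomputed digest tables and makes identical passwords produce different stored values. The example matches the checklist's "salted digest" wording; current practice would replace the single SHA-256 pass with a deliberately slow key derivation function, but the storage shape (per-user salt plus digest, never the password) is the same. The authentication failure message returned to the user should be the same whether the account does not exist or the digest does not match, in line with the "minimum error information" check above.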

Authorization

Check:

  • The role design offers sufficient separation of privileges (the design considers authorization granularity).
  • Multiple gatekeepers are used for defense in depth.
  • The application's login is restricted in the database to access-specific stored procedures.
  • The application's login does not have permissions to access tables directly.
  • Access to system level resources is restricted.
  • The design identifies code access security requirements. Privileged resources and privileged operations are identified.
  • All identities that are used by the application are identified and the resources accessed by each identity are known.

Configuration Management

Check:

  • Administration interfaces are secured (strong authentication and authorization is used).
  • Remote administration channels are secured.
  • Configuration stores are secured.
  • Configuration secrets are not held in plain text in configuration files.
  • Administrator privileges are separated based on roles (for example, site content developer or system administrator).
  • Least-privileged process accounts and service accounts are used.

Sensitive Data

Check:

  • Secrets are not stored unless necessary. (Alternate methods have been explored at design time.)
  • Secrets are not stored in code.
  • Database connections, passwords, keys, or other secrets are not stored in plain text.
  • The design identifies the methodology to store secrets securely. (Appropriate algorithms and key sizes are used for encryption. It is preferable that DPAPI is used to store configuration data to avoid key management.)
  • Sensitive data is not logged in clear text by the application.
  • The design identifies protection mechanisms for sensitive data that is sent over the network.
  • Sensitive data is not stored in persistent cookies.
  • Sensitive data is not transmitted with the GET protocol.

Session Management

Check:

  • SSL is used to protect authentication cookies.
  • The contents of authentication cookies are encrypted.
  • Session lifetime is limited.
  • Session state is protected from unauthorized access.
  • Session identifiers are not passed in query strings.

Cryptography

Check:

  • Platform-level cryptography is used and it has no custom implementations.
  • The design identifies the correct cryptographic algorithm (and key size) for the application's data encryption requirements.
  • The methodology to secure the encryption keys is identified.
  • The design identifies the key recycle policy for the application.
  • Encryption keys are secured.
  • DPAPI is used where possible to avoid key management issues.
  • Keys are periodically recycled.

Parameter Manipulation

Check:

  • All input parameters are validated (including form fields, query strings, cookies, and HTTP headers).
  • Cookies with sensitive data are encrypted.
  • Sensitive data is not passed in query strings or form fields.
  • HTTP header information is not relied on to make security decisions.
  • View state is protected using MACs.

Exception Management

Check:

  • The design outlines a standardized approach to structured exception handling across the application.
  • Application exception handling minimizes the information disclosure in case of an exception.
  • The design identifies generic error messages that are returned to the client.
  • Application errors are logged to the error log.
  • Private data (for example, passwords) is not logged.
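The following C# example is added to show the exception management checks above as an ASP.NET Global.asax code-behind; it is not code from the original checklist or from the patterns & practices guide. Unhandled exceptions are caught in one place (Application_Error), the full exception detail goes to the error log for administrators, the posted form is logged only after fields that carry private data have been masked, and the client is sent to a page with a generic message that reveals nothing about the failure. The event source name "MyWebApp", the list of private field names, and the GenericError.aspx page are assumptions made for the example.

```csharp
using System;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical event-log source; it must be registered on the server
    // beforehand, because creating a source needs administrative rights.
    private const string EventSource = "MyWebApp";

    // Form fields whose values must never reach a log (assumed names).
    private static readonly string[] PrivateFields = { "password", "newpassword", "confirmpassword", "creditcard" };

    // Single, application-wide handler for unhandled exceptions.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();

        // Full detail for administrators: type, message, stack trace,
        // request path, caller identity, and the masked form contents.
        StringBuilder detail = new StringBuilder();
        detail.Append("Unhandled exception: ").Append(error.ToString()).Append(Environment.NewLine);
        detail.Append("Path: ").Append(Request.Path).Append(Environment.NewLine);
        detail.Append("User: ").Append(User != null && User.Identity.IsAuthenticated
                                        ? User.Identity.Name : "(anonymous)").Append(Environment.NewLine);
        detail.Append("Form: ").Append(DescribeForm(Request.Form));

        EventLog.WriteEntry(EventSource, detail.ToString(), EventLogEntryType.Error);

        // Clear the error so ASP.NET does not render its own detailed page,
        // then send the client a generic message.
        Server.ClearError();
        Response.Redirect("~/GenericError.aspx", false);
    }

    // Render the form for the log with private fields masked.
    public static string DescribeForm(NameValueCollection form)
    {
        StringBuilder text = new StringBuilder();
        foreach (string key in form.AllKeys)
        {
            if (key == null)
                continue;
            string value = IsPrivateField(key) ? "***" : form[key];
            text.Append(key).Append('=').Append(value).Append("; ");
        }
        return text.ToString();
    }

    private static bool IsPrivateField(string fieldName)
    {
        string lowered = fieldName.ToLower();
        foreach (string privateName in PrivateFields)
        {
            if (lowered.IndexOf(privateName) >= 0)
                return true;
        }
        return false;
    }
}
```

GenericError.aspx should contain only a fixed, friendly message and a reference the user can quote to support; any correlation identifier written there must not be the exception text itself. Keeping customErrors set to On in web.config provides a second gatekeeper in case the handler above is bypassed.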

Auditing and Logging

Check:

  • The design identifies the level of auditing and logging necessary for the application and identifies the key parameters to be logged and audited.
  • The design considers how to flow caller identity across multiple tiers (at the operating system or application level) for auditing.
  • The design identifies the storage, security, and analysis of the application log files.

© Microsoft Corporation. All rights reserved.