Developing secure, robust web applications in the cloud is hard, very hard. If you think it is easy, you are either a higher form of life or you have a painful awakening ahead of you.
If you have drunk the MVP cool-aid and believe that you can create a product in one month that is both valuable and secure — think twice before you launch your “proto-product”.
After you review the checklist below, acknowledge that you are skipping many of these critical security issues. At the very minimum, be honest with your potential users and let them know that you don’t have a complete product yet and are offering a prototype without full security.
This checklist is simple, and by no means complete. I’ve been developing secure web applications for over 14 years and this list contains some of the more important issues that I’ve painfully learned over this period. I hope you will consider them seriously when creating a web application.
This is version 2 of the checklist. It has been re-organized from Version 1 and has a few new items by public demand (Thank you). While I try to keep the list tight and focused, please comment if you have an item that you think I should add to the list.
Credentials and Secrets
Don’t store sensitive data unless you truly need it. This means email addresses, personally identifying information and other personal information in general. Treat sensitive data like radioactive waste — i.e. there is an real, large and ongoing cost to securing it, and one day it can hurt you.
Keep a complete list of all the places you store sensitive information: databases, file systems, Dropbox, GitHub, Vault, Office docs and even the paper folder. This is useful to manage, required by GDPR and essential if hacked. You need to be able to locate all sensitive information.
If subject to GDPR, make sure you really understand the requirements and design it in from the start. For some, it will represent a major change in design and thinking. See Privacy Cheatsheet and Intro to GDPR.
Use encryption for data identifying users and sensitive data like access tokens, email addresses or billing details if possible (this will restrict queries to exact match lookups).
If your database supports low cost encryption at rest (like AWS Aurora), then enable that to secure data on disk. Make sure all backups are stored encrypted as well.
Use minimal privilege for the database access user account. Don’t use the database root account and check for unused accounts and accounts with bad passwords.
Fully prevent SQL injection by only using SQL prepared statements. For example: if using NPM, don’t use npm-mysql, use npm-mysql2 which supports prepared statements.
Denial of Service Protection
Security is a Journey
Most of all, remember that security is a journey and cannot be “baked-in” to the product just before shipping. I hope this checklist will prompt you through your entire development lifecycle to improve the security of your services.
Version 1 of this checklist can be found at Web Developer Security Checklist V1.
Start your free 14 day trial of the SenseDeep Developer Studio.