Security Resources
Practical checklists and guidance for development teams. Copy these into tickets, PR reviews, and security documentation.
How to use these resources: These checklists are designed to be actionable starting points.
They're not exhaustive security standards—they're quick references for common security concerns that frequently
appear in real-world assessments.
Application Security
Authorization (BOLA/IDOR) [Critical]
Authorization failures are consistently the most critical vulnerabilities we identify in assessments.
✓ Validate access using server-side policy, never UI state or client data
✓ Test horizontal access (user A accessing user B's data)
✓ Test vertical access (regular user accessing admin functions)
✓ Don't treat unguessable IDs (UUIDs, random tokens) as an authorization control; they hide objects but don't protect them
✓ Implement centralized authorization middleware so every handler goes through one policy check
✓ Log all access denials with user context
✓ Test with multiple users at different privilege levels
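The pattern behind the first four items, as an added example that is not part of the original page: a single policy table consulted by every handler, denials logged with user context, and a vulnerable pair of handlers beside the hardened pair so the horizontal and vertical tests from the checklist can be run against both. The invoice store, users, and action names are constructed for illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass
class User:
    id: int
    role: str      # "user" or "admin"; taken from the authenticated session, never from the request


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed sample data standing in for a database table.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=500),
    102: Invoice(102, owner_id=2, amount=1200),
}


class Forbidden(Exception):
    pass


# Centralized policy: one table answers "may this user do this action on this object?".
# Handlers call authorize(); none of them reason about ownership or roles on their own.
POLICY = {
    "invoice:read":   lambda user, inv: user.role == "admin" or inv.owner_id == user.id,
    "invoice:delete": lambda user, inv: user.role == "admin",
}


def authorize(user, action, resource):
    rule = POLICY.get(action)
    if rule is None or not rule(user, resource):
        # Denials carry who/what/which so BOLA probing is visible in the SIEM.
        log.warning("authz denied user=%s role=%s action=%s resource=%s",
                    user.id, user.role, action, resource.id)
        raise Forbidden(action)
    return resource


# --- Vulnerable handlers: the shape assessments keep finding -------------------------

def get_invoice_vulnerable(store, invoice_id):
    # Any authenticated caller reads any invoice by changing the id (horizontal BOLA).
    return store[invoice_id]


def delete_invoice_vulnerable(store, invoice_id, is_admin_param):
    # Role taken from a client-controlled parameter (vertical escalation).
    if is_admin_param:
        return store.pop(invoice_id)
    raise Forbidden("invoice:delete")


# --- Hardened handlers: identity from the session, decision from authorize() -----------

def get_invoice(store, session_user, invoice_id):
    inv = store.get(invoice_id)
    if inv is None:
        raise Forbidden("invoice:read")   # same outcome as a denial: no existence oracle
    return authorize(session_user, "invoice:read", inv)


def delete_invoice(store, session_user, invoice_id):
    inv = store.get(invoice_id)
    if inv is None:
        raise Forbidden("invoice:delete")
    authorize(session_user, "invoice:delete", inv)
    return store.pop(invoice_id)


def _denied(fn):
    try:
        fn()
        return False
    except Forbidden:
        return True


def run_checks():
    """The horizontal/vertical tests from the checklist, with users at two privilege levels."""
    alice, admin = User(1, "user"), User(9, "admin")
    store = dict(INVOICES)
    results = {
        # Alice (owner of 101) reaches Bob's invoice 102 and deletes with a forged flag.
        "horizontal_vuln": get_invoice_vulnerable(store, 102).owner_id == 2,
        "vertical_vuln": delete_invoice_vulnerable(store, 101, is_admin_param=True).id == 101,
    }
    store = dict(INVOICES)
    results.update({
        "horizontal_fixed": _denied(lambda: get_invoice(store, alice, 102)),
        "vertical_fixed": _denied(lambda: delete_invoice(store, alice, 101)),
        "unknown_id_fixed": _denied(lambda: get_invoice(store, alice, 999)),
        "owner_can_read": get_invoice(store, alice, 101).id == 101,
        "admin_can_delete": delete_invoice(store, admin, 102).id == 102,
    })
    return results


if __name__ == "__main__":
    print(run_checks())
```

Every key in the result is True: the vulnerable handlers fail both tests, the hardened ones pass them, and a missing object and a forbidden object produce the same error so the id space cannot be enumerated through the handler.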
Authentication [Critical]
Weak authentication enables all other attacks. Get the fundamentals right.
✓ Enforce MFA for privileged accounts
✓ Rate-limit authentication endpoints (progressive delays or temporary lockout after N failures; a hard lockout lets an attacker lock real users out)
✓ Implement secure session management (rotation, timeout)
✓ Use HttpOnly, Secure, and SameSite cookie flags
✓ Harden password reset flows (time-limited tokens, account verification)
✓ Prevent username enumeration: identical error messages and comparable response times for unknown users and wrong passwords
✓ Use bcrypt, scrypt, or Argon2id for password hashing (never MD5/SHA-1 or any unsalted fast hash)
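An added example (not from the original page) tying several of these items together in a login routine: salted scrypt hashing with a constant-time compare, a dummy hash so unknown usernames cost the same as wrong passwords, one generic error message, per-client exponential backoff instead of a hard lockout, and a session cookie carrying the flags listed above. scrypt is used because it ships in the Python standard library; bcrypt or Argon2id via their libraries are equally appropriate. The cost parameters, the user table, and the IP addresses are assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt cost parameters; tune so one hash takes roughly 100 ms on production hardware.
SCRYPT = dict(n=2 ** 14, r=8, p=1)
SALT_LEN = 16


def hash_password(password, salt=None):
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt + digest                      # salt and digest stored together


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed user table; a real system reads this from the database.
USERS = {"alice": hash_password("correct horse battery staple")}
# Hashed once at start-up so a login against an unknown username does the same scrypt work.
DUMMY_HASH = hash_password(os.urandom(16).hex())


class Throttle:
    """Exponential backoff per (client IP, username) instead of a hard lockout after N failures:
    an attacker cannot lock legitimate users out, but guessing slows to a crawl."""

    def __init__(self, base_seconds=1.0, cap_seconds=300.0):
        self.failures = {}                  # key -> (failure_count, last_failure_time)
        self.base, self.cap = base_seconds, cap_seconds

    def retry_after(self, key, now):
        count, last = self.failures.get(key, (0, 0.0))
        if count == 0:
            return 0.0
        wait = min(self.cap, self.base * 2 ** (count - 1))
        return max(0.0, last + wait - now)

    def record(self, key, ok, now):
        if ok:
            self.failures.pop(key, None)
        else:
            count, _ = self.failures.get(key, (0, 0.0))
            self.failures[key] = (count + 1, now)


GENERIC_ERROR = "invalid credentials"       # identical for unknown user and wrong password


def session_cookie(session_id, max_age=1800):
    # Value is a fresh random token issued at login (rotation); flags from the checklist.
    return (f"session={session_id}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite=Lax")


def login(username, password, throttle, client_ip, now=None):
    now = time.time() if now is None else now
    key = f"{client_ip}:{username}"
    wait = throttle.retry_after(key, now)
    if wait > 0:
        return {"ok": False, "error": "try again later", "retry_after": int(wait + 0.999)}
    stored = USERS.get(username, DUMMY_HASH)          # scrypt runs on every path
    ok = verify_password(password, stored) and username in USERS
    throttle.record(key, ok, now)
    if not ok:
        return {"ok": False, "error": GENERIC_ERROR}
    return {"ok": True, "set_cookie": session_cookie(os.urandom(32).hex())}
```

Keying the throttle on client IP plus username means a distributed guess against one account still accumulates per source, while a single bad password from the real user costs a one-second delay rather than a support ticket.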
Input Validation
✓ Validate on the server side always; client-side checks are for usability only
✓ Use allowlists over denylists
✓ Parameterized queries for SQL; identifiers that can't be bound (column names, sort order) come from an allowlist
✓ Validate JSON structure and types (reject unexpected fields; don't let bool pass as int)
✓ Sanitize logs (no PII, no secrets)
✓ Limit file upload size and types
✓ Validate redirects and callbacks against an allowlist of destinations
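An added example, not from the original page, showing the SQL, JSON, and redirect items side by side: a string-built query beside its parameterized form on an in-memory SQLite table, an allowlist for a sort column that cannot be bound, a typed schema check that rejects extra fields, and a redirect validator that accepts only same-origin paths or HTTPS URLs to an assumed host allowlist. The table contents and allowed hosts are constructed.

```python
import sqlite3
from urllib.parse import urlsplit


def make_db():
    # Constructed in-memory table standing in for the application database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    return db


def find_user_vulnerable(db, name):
    # String interpolation: the input becomes SQL syntax.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user(db, name):
    # Bound parameter: the driver passes the value separately; it can never become syntax.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


SORT_COLUMNS = {"id", "name", "email"}


def list_users(db, order_by):
    # Identifiers cannot be bound as parameters, so they must come from an allowlist.
    if order_by not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {order_by}")]


# Exact key set and exact types. type() rather than isinstance, because bool is a
# subclass of int and would otherwise pass as an integer.
PROFILE_SCHEMA = {"name": str, "age": int}


def validate_profile(obj):
    if not isinstance(obj, dict) or set(obj) != set(PROFILE_SCHEMA):
        raise ValueError("unexpected or missing fields")      # blocks mass assignment
    for key, typ in PROFILE_SCHEMA.items():
        if type(obj[key]) is not typ:
            raise ValueError(f"{key} must be {typ.__name__}")
    if not (0 < obj["age"] < 150) or not (1 <= len(obj["name"]) <= 64):
        raise ValueError("value out of range")
    return obj


REDIRECT_HOSTS = {"app.example.com"}        # assumed allowlist of redirect destinations


def safe_redirect(target, default="/"):
    if "\\" in target or "\r" in target or "\n" in target:
        return default          # browsers treat "\" like "/"; CR/LF would split the header
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc and target.startswith("/") and not target.startswith("//"):
        return target           # relative path on our own origin
    if parts.scheme == "https" and parts.hostname in REDIRECT_HOSTS:
        return target
    return default


def rejects(fn, exc=ValueError):
    """True if fn() raises exc."""
    try:
        fn()
    except exc:
        return True
    return False
```

The classic probe `x' OR '1'='1` returns every row from the interpolated query and nothing from the parameterized one; `//evil.com`, `https://app.example.com@evil.com/` and `/\evil.com` all fall back to the default redirect.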
API Security
✓ Authenticate every API request
✓ Rate limit all endpoints
✓ Validate Content-Type headers and reject unexpected ones
✓ Implement explicit CORS policies (never reflect arbitrary origins with credentials)
✓ Version your APIs explicitly
✓ Return consistent error messages (no stack traces or internal identifiers)
✓ Document authentication requirements
Security Headers
✓ HSTS (max-age=31536000; includeSubDomains)
✓ Content-Security-Policy (no 'unsafe-inline' or wildcard in script-src; prefer nonces)
✓ X-Content-Type-Options: nosniff
✓ X-Frame-Options: DENY (CSP frame-ancestors is the modern equivalent; set both for older browsers)
✓ Referrer-Policy: no-referrer (or strict-origin-when-cross-origin)
✓ Disable verbose errors in production
✓ Cache-Control: no-store on responses containing sensitive data
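A small audit function for this list, added here as an example and not part of the original page: it takes one response's headers and returns findings for each item above, including a CSP check for a weak script-src and the frame-ancestors/X-Frame-Options fallback. The two header sets it is run against are constructed; the nonce value is a placeholder.

```python
import re

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_csp(value):
    """'default-src 'self'; script-src 'self' 'nonce-x'' -> {'default-src': [...], ...}"""
    directives = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers, sensitive=True):
    """Return a list of findings for one HTTP response's headers (empty list = passes)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")

    csp = h.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy missing")
        directives = {}
    else:
        directives = parse_csp(csp)
        script = directives.get("script-src", directives.get("default-src"))
        if script is None or "'unsafe-inline'" in script or "*" in script or "data:" in script:
            findings.append("CSP script-src absent or allows unsafe-inline/wildcard/data:")

    # Clickjacking: frame-ancestors is the modern control, X-Frame-Options the fallback.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response without Cache-Control: no-store")

    return findings


# Constructed responses: a typical default and the hardened set from the checklist.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Cache-Control": "public, max-age=3600",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}
```

Run it against a captured response (for example the headers from a `curl -I` of the login page) and paste the findings into the ticket; the WEAK set above produces six findings, the HARDENED set none.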
Cloud Security
Identity & Access Management
✓ Implement least privilege policies
✓ No shared admin credentials
✓ Rotate access keys regularly, and remove long-lived keys wherever a role can replace them
✓ Use temporary credentials where possible
✓ Require MFA for console access
✓ Implement service control policies (SCPs)
✓ Audit unused permissions quarterly
✓ Use IAM roles for service-to-service auth (no static keys baked into images or config)
✓ Enable CloudTrail/equivalent logging
Data Protection
✓ Encrypt data at rest and in transit
✓ No public S3 buckets (unless explicitly required)
✓ Enable versioning for critical buckets
✓ Use KMS for encryption key management
✓ Implement backup and retention policies
✓ Tag sensitive data resources
✓ Enable access logging on storage
✓ Review bucket policies regularly
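The least-privilege and public-bucket items from the two lists above can be checked mechanically before a policy is applied. The linter below is an added example, not from the original page: it flags Allow statements with full or service-wide wildcards on every resource, unconditioned iam:PassRole on Resource *, and a public principal with no Condition. The three policy documents are constructed; the account ID is the AWS documentation placeholder.

```python
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_policy(policy):
    """Return findings for an IAM or S3 bucket policy document (dict or JSON string)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        sid = st.get("Sid", f"Statement[{i}]")
        if st.get("Effect") != "Allow":
            continue                                    # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        all_resources = "*" in resources
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: Allow with NotAction/NotResource grants everything not listed")
        if "*" in actions and all_resources:
            findings.append(f"{sid}: full administrative access (Action * on Resource *)")
        for a in actions:
            if a.endswith(":*") and all_resources:
                findings.append(f"{sid}: service-wide wildcard {a} on every resource")
        if "iam:passrole" in actions and all_resources:
            findings.append(f"{sid}: iam:PassRole on Resource * allows escalation through any role")
        if _is_public(st.get("Principal")) and "Condition" not in st:
            findings.append(f"{sid}: public principal with no Condition (anyone can {', '.join(actions)})")
    return findings


# Constructed example documents.
OVERBROAD_IAM = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllS3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}
PUBLIC_BUCKET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"}],
})
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
        {"Sid": "PassOneRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/reports-lambda",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
```

A Condition on a public principal silences the last rule only because it needs human review, not because it is safe: a condition on aws:SecureTransport restricts nothing about who may read. Wire the function into the CI step that validates Terraform or CloudFormation output so findings block the merge.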
Network Security
✓ Default-deny security groups (no 0.0.0.0/0 ingress except documented public entry points)
✓ Segment environments (dev/staging/prod)
✓ Limit ingress to necessary IPs and ports
✓ Use private subnets for databases
✓ Enable VPC Flow Logs
✓ Use WAF for public endpoints
✓ Implement DDoS protection
Secrets Management
✓ Use secrets manager/vault
✓ Never commit secrets to code
✓ Rotate secrets automatically
✓ Limit secret access by role
✓ Audit secret access logs
✓ Use environment-specific secrets
✓ Implement break-glass procedures
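"Never commit secrets to code" is enforced in practice by a pre-commit or CI scan of added lines. The scanner below is an added example, not from the original page: it matches known token formats (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) and flags quoted literals assigned to secret-looking names when their Shannon entropy is high. The diff it is run against is constructed; the AWS key is the documentation placeholder AKIAIOSFODNN7EXAMPLE and the GitHub token is a made-up string in the real format.

```python
import math
import re

# Well-known token formats plus PEM private-key headers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Assignments to suspicious names with a quoted literal of 12+ characters.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api_key)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]")


def shannon_entropy(s):
    """Bits per character; random tokens score well above natural words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff_text, entropy_threshold=3.5):
    """Return (line_number, finding) pairs for added lines in a unified diff."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue                         # only lines being added; skip the file header
        content = line[1:]
        for name, pattern in PATTERNS.items():
            if pattern.search(content):
                findings.append((lineno, name))
        m = ASSIGNMENT.search(content)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, f"high_entropy_{m.group(1).lower()}"))
    return findings


# Constructed diff: a config file switching from environment variables to literals.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+API_TOKEN = "ghp_1234567890abcdefghijklmnopqrstuvwxyz"
+SECRET_KEY = "sk-9f8Bq2LzX7vT0aKmR4pW"
+PRIVATE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----"
"""


if __name__ == "__main__":
    for lineno, finding in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {finding}")
```

The low-entropy `DB_PASSWORD` literal passes the entropy test, which is the known blind spot of this approach: a hard-coded weak password is still a finding for a human reviewer even though no scanner flags it. Feed the tool `git diff --cached` from a pre-commit hook and fail the commit on any finding.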
Monitoring & Logging
✓ Enable CloudTrail/equivalent
✓ Centralize logs to SIEM
✓ Alert on privilege escalation
✓ Monitor failed auth attempts
✓ Track configuration changes
✓ Set up anomaly detection
✓ Retain logs per compliance reqs
Detection & Response
Detection Engineering Basics
✓ Log authentication events (success and failure)
✓ Log authorization denials with context
✓ Alert on impossible travel patterns
✓ Detect privilege escalation attempts
✓ Monitor admin console access
✓ Baseline normal behavior first
✓ Tune alerts to reduce false positives
✓ Document alert response procedures
✓ Test detection rules regularly
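Two of the detections named above ("monitor failed auth attempts" in the cloud monitoring list and "alert on impossible travel" here), run over sample log lines as an added example that is not part of the original page. The JSON-lines authentication log is constructed; the IP addresses are from the documentation ranges, and the coordinates stand in for the geo-IP enrichment a real pipeline attaches. Thresholds are assumptions to tune against your own baseline.

```python
import json
import math
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log: a password spray from one address, then two logins for "bob"
# half an hour apart from London and Tokyo, then a plausible Paris-London move for "carol".
LOG_LINES = """\
{"ts":"2024-05-01T10:00:00Z","event":"login","result":"fail","user":"alice","ip":"203.0.113.7","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T10:00:05Z","event":"login","result":"fail","user":"bob","ip":"203.0.113.7","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T10:00:09Z","event":"login","result":"fail","user":"carol","ip":"203.0.113.7","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T10:00:14Z","event":"login","result":"fail","user":"dave","ip":"203.0.113.7","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T10:00:20Z","event":"login","result":"fail","user":"erin","ip":"203.0.113.7","lat":40.71,"lon":-74.01}
{"ts":"2024-05-01T10:30:00Z","event":"login","result":"fail","user":"alice","ip":"192.0.2.10","lat":48.85,"lon":2.35}
{"ts":"2024-05-01T11:00:00Z","event":"login","result":"success","user":"bob","ip":"198.51.100.4","lat":51.51,"lon":-0.13}
{"ts":"2024-05-01T11:30:00Z","event":"login","result":"success","user":"bob","ip":"203.0.113.9","lat":35.68,"lon":139.69}
{"ts":"2024-05-01T12:00:00Z","event":"login","result":"success","user":"carol","ip":"192.0.2.1","lat":48.85,"lon":2.35}
{"ts":"2024-05-01T15:00:00Z","event":"login","result":"success","user":"carol","ip":"192.0.2.2","lat":51.51,"lon":-0.13}
"""


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(log_text, fail_threshold=5, window_s=60, max_kmh=900.0, min_km=50.0):
    """Brute force: >= fail_threshold failures from one IP inside window_s seconds.
    Impossible travel: two successes for one user implying more than max_kmh."""
    alerts = []
    fails = defaultdict(deque)        # ip -> timestamps of recent failures
    last_success = {}                 # user -> (time, lat, lon, ip)
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev.get("event") != "login":
            continue
        t = parse_ts(ev["ts"])
        if ev["result"] == "fail":
            q = fails[ev["ip"]]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append({"rule": "brute_force", "ip": ev["ip"], "count": len(q), "at": ev["ts"]})
                q.clear()                                  # one alert per burst
        else:
            prev = last_success.get(ev["user"])
            if prev:
                pt, plat, plon, pip = prev
                hours = (t - pt).total_seconds() / 3600
                km = haversine_km(plat, plon, ev["lat"], ev["lon"])
                speed = km / hours if hours > 0 else float("inf")
                if km > min_km and speed > max_kmh:      # min_km absorbs geo-IP noise
                    alerts.append({"rule": "impossible_travel", "user": ev["user"],
                                   "from_ip": pip, "to_ip": ev["ip"],
                                   "km": round(km), "hours": round(hours, 2)})
            last_success[ev["user"]] = (t, ev["lat"], ev["lon"], ev["ip"])
    return alerts
```

The spray from 203.0.113.7 fires the brute-force rule on the fifth failure even though each attempt targets a different user, which is why the rule keys on source IP rather than username; the single failure from 192.0.2.10 and carol's three-hour Paris-to-London move stay quiet, and bob's London-to-Tokyo jump in thirty minutes fires impossible travel.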
Incident Response Readiness
✓ Maintain incident response playbook
✓ Define escalation procedures
✓ Document critical system owners
✓ Test backup restoration regularly
✓ Keep incident communication channels ready
✓ Define what constitutes an incident
✓ Practice tabletop exercises quarterly
✓ Review and update runbooks
✓ Document lessons learned
Secure Development Practices
Code Review Checklist
✓ Authentication implemented?
✓ Authorization checked server-side?
✓ Input validated and sanitized?
✓ SQL queries parameterized?
✓ Secrets properly managed?
✓ Error handling doesn't leak info?
✓ Logging includes security events?
✓ Dependencies up to date?
Dependency Management
✓ Scan dependencies for vulnerabilities
✓ Keep packages updated regularly
✓ Review new dependency additions
✓ Use lock files for reproducibility
✓ Monitor security advisories
✓ Audit supply chain integrity (signatures, provenance, install scripts of new packages)
✓ Remove unused dependencies
✓ Pin production versions and verify hashes where the package manager supports it
Pre-Deployment Checks
✓ Run SAST/DAST scans
✓ Review security headers
✓ Verify secrets not in code
✓ Check default credentials changed
✓ Confirm logging enabled
✓ Test authentication flows
✓ Validate encryption in place
✓ Review IAM permissions
Need customized resources?
These checklists can be tailored to your specific stack, deployment pipeline, and compliance requirements. We can create custom security runbooks, review templates, and implementation guides for your team.