Security Audit Checklist

18 min Lesson 31 of 35

Security audits are systematic evaluations of your application's security posture. A comprehensive security audit helps identify vulnerabilities before attackers can exploit them. In this lesson, we'll learn how to conduct thorough security audits using industry-standard tools and methodologies.

Understanding Security Audits

A security audit is a formal assessment of an application's security controls, practices, and configurations. Unlike penetration testing (which actively exploits vulnerabilities), audits focus on identifying potential weaknesses through comprehensive analysis.

Audit vs. Penetration Testing: An audit documents what could go wrong; penetration testing demonstrates what will go wrong. Both are essential for comprehensive security assessment.

Pre-Audit Preparation

Before conducting a security audit, gather comprehensive information about your application:

<!-- Application Inventory Checklist -->

1. Technology Stack:
- Web server (Apache, Nginx)
- Application framework (Laravel, Express, Django)
- Database system (MySQL, PostgreSQL, MongoDB)
- Third-party services and APIs

2. Authentication Methods:
- Session-based authentication
- Token-based authentication (JWT)
- OAuth providers
- Multi-factor authentication

3. Data Storage:
- User data locations
- Sensitive data types
- Encryption methods
- Backup procedures

4. Network Architecture:
- Server locations
- Firewall rules
- Load balancers
- CDN configuration

OWASP Security Testing Guide

The OWASP Testing Guide provides a comprehensive framework for security testing. Focus on these critical areas:

<!-- OWASP Testing Categories -->

1. Information Gathering:
- Identify web server, frameworks, and versions
- Discover hidden files and directories
- Map application architecture

2. Configuration and Deployment:
- Test SSL/TLS configuration
- Review HTTP security headers
- Check for default credentials

3. Identity Management:
- Test user registration process
- Verify account provisioning
- Check password policy enforcement

4. Authentication Testing:
- Test for weak credentials
- Verify session management
- Check for authentication bypass

5. Authorization Testing:
- Test for privilege escalation
- Verify access controls
- Check for insecure direct object references

6. Session Management:
- Test for session fixation
- Verify session timeout
- Check for exposed session tokens

7. Input Validation:
- Test for XSS vulnerabilities
- Check for SQL injection
- Verify file upload restrictions

8. Error Handling:
- Test for information disclosure
- Verify error messages
- Check stack trace exposure

9. Cryptography:
- Verify encryption implementation
- Test for weak algorithms
- Check key management practices

10. Business Logic:
- Test for race conditions
- Verify transaction integrity
- Check for logic flaws

Security Audit Tools

Professional security audits rely on specialized tools to identify vulnerabilities efficiently:

<!-- Essential Security Audit Tools -->

1. OWASP ZAP (Zed Attack Proxy):
- Free, open-source web application security scanner
- Automated and manual testing capabilities
- Active and passive scanning modes

Basic Usage:
# Launch ZAP
zap.sh -cmd -quickurl http://example.com

# Generate report
zap.sh -cmd -quickurl http://example.com -quickout report.html

2. Burp Suite Community Edition:
- Intercepting proxy for manual testing
- Spider for mapping application structure
- Repeater for modifying and resending requests

3. Nikto:
- Web server scanner
- Identifies outdated software and misconfigurations

nikto -h http://example.com -output nikto-report.html

4. SQLMap:
- Automated SQL injection detection and exploitation

sqlmap -u "http://example.com/page?id=1" --batch --banner

5. Nmap:
- Network discovery and security auditing

nmap -sV -sC -oA scan-results example.com

6. SSL Labs (ssllabs.com/ssltest/):
- Online SSL/TLS configuration analyzer
- Provides detailed security grade

7. Security Headers (securityheaders.com):
- Analyzes HTTP security headers
- Provides recommendations

8. Observatory by Mozilla:
- Comprehensive security and privacy analysis
- Best practices verification

Legal Warning: Only perform security testing on applications you own or have explicit written permission to test. Unauthorized security testing is illegal in most jurisdictions.

Using OWASP ZAP

OWASP ZAP is one of the most popular free security testing tools. Here's how to conduct a basic automated scan:

<!-- OWASP ZAP Automated Scan -->

1. Install OWASP ZAP:
# Download from https://www.zaproxy.org/
# Available for Windows, macOS, and Linux

2. Configure Your Browser:
# Set browser proxy to localhost:8080
# ZAP will intercept all traffic

3. Spider the Application:
# Right-click target URL in ZAP
# Select "Attack" > "Spider"
# ZAP will crawl all discoverable pages

4. Active Scan:
# After spidering completes
# Right-click target URL
# Select "Attack" > "Active Scan"
# ZAP will test for vulnerabilities

5. Review Alerts:
# Click "Alerts" tab
# Review findings by severity:
# - High (critical vulnerabilities)
# - Medium (significant issues)
# - Low (minor concerns)
# - Informational (no immediate risk)

6. Generate Report:
# Report > Generate HTML Report
# Include all findings and recommendations

Example ZAP Command Line:
zap.sh -cmd \
-quickurl http://testapp.local \
-quickprogress \
-quickout ~/zap-report.html

Comprehensive Security Audit Checklist

Use this checklist to ensure thorough coverage of all security domains:

<!-- Complete Security Audit Checklist -->

□ AUTHENTICATION & AUTHORIZATION
□ Password complexity requirements enforced
□ Account lockout after failed attempts
□ Multi-factor authentication available
□ Session timeout configured appropriately
□ Secure password reset mechanism
□ Role-based access control implemented
□ Privilege escalation prevented

□ INPUT VALIDATION
□ All user input validated server-side
□ XSS protection on all outputs
□ SQL injection prevention (parameterized queries)
□ File upload validation and restrictions
□ CSRF tokens on all state-changing operations
□ Content-Type validation

□ DATA PROTECTION
□ Sensitive data encrypted at rest
□ TLS/SSL properly configured (A+ rating)
□ Strong encryption algorithms used
□ Secure key management practices
□ PII handling complies with regulations
□ Database credentials secured

□ SESSION MANAGEMENT
□ Secure session ID generation
□ HttpOnly and Secure flags set
□ Session fixation prevented
□ Proper session invalidation on logout
□ SameSite cookie attribute configured

□ ERROR HANDLING
□ Generic error messages shown to users
□ Detailed errors logged securely
□ Stack traces not exposed
□ Debug mode disabled in production

□ SECURITY HEADERS
□ Content-Security-Policy configured
□ X-Frame-Options set to DENY/SAMEORIGIN
□ X-Content-Type-Options: nosniff
□ Strict-Transport-Security configured
□ Referrer-Policy set appropriately
□ Permissions-Policy configured

□ INFRASTRUCTURE
□ Server software up to date
□ Unnecessary services disabled
□ Firewall properly configured
□ Regular security patches applied
□ Backup and recovery procedures tested
□ Monitoring and logging enabled

□ API SECURITY
□ API authentication required
□ Rate limiting implemented
□ Input validation on all endpoints
□ Proper HTTP methods enforced
□ API versioning implemented

□ THIRD-PARTY COMPONENTS
□ Dependency vulnerability scanning
□ Regular updates applied
□ Only necessary dependencies included
□ CDN resources use SRI hashes

□ BUSINESS LOGIC
□ Race conditions prevented
□ Transaction integrity verified
□ Price manipulation prevented
□ Quantity limits enforced
□ Logic flaws tested and addressed
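The SECURITY HEADERS and SESSION MANAGEMENT items above can be checked mechanically. The following is an added example, not code from the lesson: it takes response headers as a list of (name, value) pairs (the shape `http.client`'s `HTTPResponse.getheaders()` returns) and reports every checklist item that fails. The sample responses are constructed for the demonstration.

```python
def audit_headers(headers):
    """Return checklist findings for a list of (name, value) response headers."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    def first(name):
        values = by_name.get(name.lower())
        return values[0] if values else None

    findings = []
    if first("Content-Security-Policy") is None:
        findings.append("Content-Security-Policy missing")
    xfo = (first("X-Frame-Options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")
    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    hsts = (first("Strict-Transport-Security") or "").lower()
    if "max-age=" not in hsts:
        findings.append("Strict-Transport-Security missing or has no max-age")
    for name in ("Referrer-Policy", "Permissions-Policy"):
        if first(name) is None:
            findings.append(f"{name} missing")
    # Every Set-Cookie must carry HttpOnly, Secure and SameSite attributes.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for attr in ("httponly", "secure", "samesite"):
            if attr not in attrs:
                findings.append(f"cookie {cookie_name} lacks {attr}")
    return findings


# Constructed sample responses: one deliberately weak, one that passes.
WEAK_HEADERS = [("X-Frame-Options", "ALLOW-FROM https://example.com"),
                ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
HARDENED_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print("FAIL:", finding)
```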

Vulnerability Assessment and Scoring

Use the Common Vulnerability Scoring System (CVSS) to prioritize remediation efforts:

<!-- CVSS v3.1 Severity Ratings -->

CRITICAL (9.0-10.0):
- Remote code execution
- SQL injection with admin access
- Authentication bypass
→ Fix immediately (within 24 hours)

HIGH (7.0-8.9):
- Stored XSS
- Privilege escalation
- Insecure direct object references
→ Fix within 1 week

MEDIUM (4.0-6.9):
- Reflected XSS
- CSRF on non-critical functions
- Information disclosure
→ Fix within 1 month

LOW (0.1-3.9):
- Missing security headers
- Verbose error messages
- Cookie without Secure flag
→ Fix in next release

INFORMATIONAL (0.0):
- Software version disclosure
- Directory listing enabled
→ Fix when convenient

Risk-Based Prioritization: Consider both the CVSS score and your specific business context. A medium-severity vulnerability in a critical system may require immediate attention.

Remediation Tracking

Document and track all identified vulnerabilities through remediation:

<!-- Vulnerability Tracking Template -->

Vulnerability ID: VULN-2026-001
Title: SQL Injection in User Search
Severity: CRITICAL (CVSS 9.8)
Discovered: 2026-02-15
Status: In Progress

Description:
The user search functionality does not properly sanitize
input, allowing SQL injection attacks.

Location:
File: app/Controllers/UserController.php
Line: 145
Endpoint: /api/users/search

Proof of Concept:
POST /api/users/search
{"query": "admin' OR '1'='1"}

Impact:
- Unauthorized database access
- Data exfiltration
- Potential data modification

Remediation:
- Replace string concatenation with parameterized queries
- Implement input validation
- Add rate limiting

Assigned To: John Doe
Target Date: 2026-02-16
Verified Fixed: Pending
Retested: Pending

Post-Audit Actions

After completing the security audit, follow these steps:

<!-- Post-Audit Process -->

1. Generate Executive Summary:
- Total vulnerabilities found
- Severity breakdown
- High-priority risks
- Recommended immediate actions

2. Create Detailed Technical Report:
- Methodology used
- Tools employed
- Complete findings list
- Remediation recommendations
- Retesting procedures

3. Prioritize Remediation:
- Critical: Immediate action
- High: 1 week
- Medium: 1 month
- Low: Next release

4. Assign Ownership:
- Designate responsible parties
- Set clear deadlines
- Schedule follow-up reviews

5. Implement Fixes:
- Follow secure coding practices
- Test thoroughly
- Document changes

6. Verify Remediation:
- Retest each vulnerability
- Verify fix effectiveness
- Ensure no regression

7. Update Security Posture:
- Revise security policies
- Update training materials
- Improve development practices

8. Schedule Next Audit:
- Quarterly for high-risk applications
- Annually for standard applications
- After major changes

Practical Exercise: Conduct a security audit on a test application:

1. Set up OWASP ZAP
2. Spider a test application (use OWASP WebGoat or Juice Shop)
3. Run an active scan
4. Review and categorize findings by severity
5. Document the top 5 vulnerabilities
6. Create remediation recommendations
7. Generate a professional audit report

Continuous Security Monitoring

Security audits are not one-time events. Implement continuous monitoring:

<!-- Continuous Security Practices -->

1. Automated Vulnerability Scanning:
# Schedule weekly scans (crontab entry: every Sunday at 02:00)
0 2 * * 0 /usr/local/bin/zap-scan.sh

2. Dependency Monitoring:
# Check for vulnerable dependencies
npm audit
composer audit

3. Log Monitoring:
# Monitor for suspicious activity
- Failed login attempts
- Unusual traffic patterns
- Error spikes

4. Security Metrics:
- Time to detect vulnerabilities
- Time to remediate
- Vulnerability recurrence rate
- Security debt accumulation

5. Regular Reviews:
- Weekly: Automated scan results
- Monthly: Security metrics review
- Quarterly: Manual penetration testing
- Annually: Comprehensive audit
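The "Failed login attempts" item under Log Monitoring needs concrete detection logic. This added example (not from the lesson) replays constructed authentication log lines in an assumed `timestamp ip=... user=... result=OK|FAIL` format and raises one alert for any source IP that accumulates THRESHOLD failures inside a sliding WINDOW of seconds.

```python
from collections import deque
from datetime import datetime

THRESHOLD = 5   # failures inside the window that trigger an alert
WINDOW = 60     # sliding window length in seconds


def parse_line(line):
    """Parse 'ISO-timestamp ip=<addr> user=<name> result=<OK|FAIL>' (assumed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, kv["ip"], kv["user"], kv["result"]


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(ip, iso_timestamp)] with one alert per IP at the moment it trips."""
    recent = {}      # ip -> deque of failure timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        when, ip, _user, result = parse_line(line)
        if result != "FAIL":
            continue
        q = recent.setdefault(ip, deque())
        q.append(when)
        # Drop failures older than the window so bursts, not lifetime totals, count.
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, when.isoformat()))
    return alerts


# Constructed sample log (TEST-NET addresses): 203.0.113.7 fails six times in
# 50 seconds; 198.51.100.2 fails twice, minutes apart, and should not alert.
SAMPLE_LOG = [
    "2026-02-15T10:00:00Z ip=203.0.113.7 user=admin result=FAIL",
    "2026-02-15T10:00:05Z ip=198.51.100.2 user=alice result=FAIL",
    "2026-02-15T10:00:10Z ip=203.0.113.7 user=admin result=FAIL",
    "2026-02-15T10:00:20Z ip=203.0.113.7 user=root result=FAIL",
    "2026-02-15T10:00:30Z ip=203.0.113.7 user=admin result=FAIL",
    "2026-02-15T10:00:35Z ip=198.51.100.2 user=alice result=OK",
    "2026-02-15T10:00:40Z ip=203.0.113.7 user=test result=FAIL",
    "2026-02-15T10:00:50Z ip=203.0.113.7 user=admin result=FAIL",
    "2026-02-15T10:05:00Z ip=198.51.100.2 user=alice result=FAIL",
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {ip} exceeded {THRESHOLD} failed logins at {when}")
```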

Security audits are essential for maintaining a strong security posture. By following a systematic approach, using professional tools, and prioritizing remediation based on risk, you can significantly reduce your application's attack surface and protect user data from malicious actors.