# security-review-checklists
Install: claude install-skill komluk/scaffolding

## OWASP Top 10 Checklist
| Vulnerability | Check |
|---------------|-------|
| Injection | Parameterized queries, input validation |
| Broken Auth | Session management, MFA where needed |
| Sensitive Data | Encryption at rest and in transit, no PII in logs |
| XXE | Disable external entities in XML |
| Broken Access | Authorization on all endpoints |
| Misconfiguration | Secure defaults, no debug in prod |
| XSS | Output encoding, CSP headers |
| Insecure Deserialization | Validate input before deserializing |
| Vulnerable Components | Check dependencies for known vulnerabilities |
| Logging | Audit trails, no sensitive data in logs |

## STRIDE Threat Modeling
| Threat | Check For |
|--------|-----------|
| **S**poofing | Authentication weaknesses |
| **T**ampering | Data integrity issues |
| **R**epudiation | Missing audit logs |
| **I**nformation Disclosure | Data exposure risks |
| **D**enial of Service | Rate limiting gaps |
| **E**levation of Privilege | Authorization bypasses |

## Authentication Review
| Aspect | Requirements |
|--------|--------------|
| Password policy | Min length, complexity, no common passwords |
| Token handling | Secure storage, expiration, refresh |
| Session management | Timeout, invalidation, secure cookies |
| MFA | Available for sensitive operations |

## Authorization Review
| Pattern | Check |
|---------|-------|
| RBAC | Roles properly defined and enforced |
| Resource access | Per-resource authorization |
| Least privilege | Minimal permissions granted |
| Default deny | Explicit grants required |

## Data Prote