re: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?


Assuming I just wanted to get a quick one day check of things, and not a thorough security review, this is what I would look at:

There are free SAST and DAST tools available that could be useful to get a baseline done pretty quickly. For example, the OWASP ZAP project.

I would think about logging, alerting, and other APM stuff. If they don't know what kind of errors and issues are happening then they probably couldn't detect a hack. If they are logging things, then what are they paying attention to?

Next up would be dependency management and other general coding practices. Is there a code review process, are there quality gates? How are defects resolved? Who makes sure they don't handle personal data incorrectly? Poorly written code is insecure code. Also, who evaluates their security currently?

I would look at application boundaries. Particularly where data comes from the front end. The application boundary stuff is partially covered by the SAST and DAST tools. But it's probably where most applications have their OWASP Top 10 issues.

Finally, I would take a quick look at authentication and authorization. Are the APIs open to the public? How do they handle user logins? Time-wise, it would take a lot of effort to review this (and I just don't have the skill to do so).
