Security Audit Checklist Pack
Turn security from an afterthought into a repeatable process. This pack provides structured checklists for the OWASP Top 10, secure code review, penetration testing methodology, and compliance frameworks (SOC 2, GDPR, HIPAA). Each checklist is designed to be worked through item by item — with severity ratings, test procedures, evidence requirements, and remediation guidance. Use them for self-audits, client engagements, or building a security program from scratch.
What's Included
- OWASP Top 10 (2021) Checklist — All 10 categories with specific test cases and remediation steps
- Secure Code Review Guide — Language-agnostic checklist for reviewing PRs with a security lens
- Penetration Testing Methodology — Pre-engagement through reporting, mapped to PTES/OWASP Testing Guide
- SOC 2 Type II Checklist — Trust Service Criteria mapped to evidence and controls
- GDPR Compliance Checklist — Data protection requirements with implementation guidance
- API Security Checklist — Authentication, authorization, rate limiting, input validation
- Infrastructure Security Checklist — Cloud configuration, network segmentation, encryption at rest/transit
- Incident Response Playbook Template — Detection, containment, eradication, recovery, lessons learned
Preview / Sample Content
OWASP Top 10 — Quick Audit Checklist
A01: BROKEN ACCESS CONTROL
[ ] Verify deny-by-default for all endpoints
[ ] Test horizontal privilege escalation (user A accessing user B's data)
[ ] Test vertical privilege escalation (user accessing admin functions)
[ ] Check CORS configuration (no wildcard origins with credentials)
[ ] Verify IDOR protection on all resource endpoints
[ ] Test directory traversal on file upload/download endpoints
[ ] Check JWT validation (signature, expiry, audience, issuer)
A02: CRYPTOGRAPHIC FAILURES
[ ] No sensitive data in URLs or logs
[ ] TLS 1.2+ enforced on all endpoints (no fallback to TLS 1.0/1.1)
[ ] Passwords hashed with bcrypt/scrypt/argon2 (not MD5/SHA1)
[ ] Encryption keys rotated on schedule, not hardcoded
[ ] PII encrypted at rest in database
[ ] Sensitive cookies have Secure, HttpOnly, SameSite flags
A03: INJECTION
[ ] All SQL queries use parameterized statements (no string concatenation)
[ ] NoSQL queries use typed parameters
[ ] OS command execution uses allowlists, not user input
[ ] LDAP queries use proper escaping
[ ] XPath queries use parameterized APIs
[ ] Template rendering uses auto-escaping (Jinja2, Handlebars)
Secure Code Review — PR Security Checklist
AUTHENTICATION
[ ] No credentials in source code or config files
[ ] Password reset tokens are single-use and time-limited
[ ] Multi-factor authentication available for sensitive operations
[ ] Session tokens regenerated after login
[ ] Logout invalidates session server-side
AUTHORIZATION
[ ] Every endpoint checks authorization (not just authentication)
[ ] Business logic enforces ownership checks
[ ] Admin functions require explicit role verification
[ ] API keys scoped to minimum required permissions
INPUT VALIDATION
[ ] All user input validated on server side (client validation is UX only)
[ ] File uploads restricted by type, size, and scanned for malware
[ ] Redirect URLs validated against allowlist
[ ] Content-Type headers enforced on API endpoints
ERROR HANDLING
[ ] Errors return generic messages to users (no stack traces)
[ ] Errors log full details server-side for debugging
[ ] Failed auth attempts are rate-limited and logged
[ ] Custom error pages (no framework defaults revealing tech stack)
API Security — Essential Checks
AUTHENTICATION & TOKENS
[ ] Use short-lived access tokens (15-30 min) + refresh tokens
[ ] Refresh tokens are rotated on use (one-time use)
[ ] Token revocation endpoint exists and works
[ ] API keys transmitted in headers, not query parameters
[ ] OAuth state parameter used to prevent CSRF
RATE LIMITING & ABUSE
[ ] Rate limiting applied per-user AND per-IP
[ ] Expensive operations have stricter limits
[ ] Response includes rate limit headers (X-RateLimit-*)
[ ] Brute force protection on authentication endpoints
[ ] GraphQL query depth and complexity limits enforced
INPUT & OUTPUT
[ ] Request body size limits enforced
[ ] Pagination enforced (no unbounded queries)
[ ] Response filtering — users only see their own data
[ ] Content-Type validation on all requests
[ ] SQL injection tested on all query parameters
Quick Reference Table
| Vulnerability | Severity | Test Method | Quick Fix |
|---|---|---|---|
| SQL Injection | Critical |
' OR 1=1-- in inputs |
Parameterized queries |
| XSS (Reflected) | High |
<script>alert(1)</script> in params |
Output encoding |
| XSS (Stored) | Critical | Script in user-generated content | CSP + encoding |
| CSRF | High | Forged POST from another domain | CSRF tokens + SameSite |
| IDOR | High | Change ID in URL/request | Authorization check |
| SSRF | High | Internal URLs in user input | URL allowlist |
| Open Redirect | Medium | ?redirect=https://evil.com |
Redirect allowlist |
| Exposed Secrets | Critical |
.env, .git/ on public URLs |
.gitignore + scanning |
| Weak TLS | Medium | SSL Labs scan | Enforce TLS 1.2+ |
| Missing Headers | Low | Check response headers | Security header middleware |
Comparison: Compliance Frameworks
| Aspect | SOC 2 Type II | GDPR | HIPAA | ISO 27001 |
|---|---|---|---|---|
| Scope | Service orgs | EU personal data | US health data | Global infosec |
| Mandatory | Client-required | Law (EU) | Law (US) | Voluntary |
| Audit Frequency | Annual | Ongoing | Annual | 3-year cycle |
| Key Requirement | Trust criteria | Data subject rights | PHI safeguards | Risk management |
| Penalty | Lost contracts | Up to 4% revenue | Up to $1.5M/year | N/A (market trust) |
| Time to Achieve | 6-12 months | 3-6 months | 6-12 months | 12-18 months |
| Documentation | Policies + evidence | DPIA + records | Risk assessment | ISMS manual |
Usage Tips
- Start with the OWASP Top 10 checklist for any web application — it covers the most exploited vulnerabilities.
- Use the PR checklist in every code review — print it and check items off as you review.
- Run the API security checklist before any public API launch — it catches issues that scanners miss.
- Map compliance requirements early — the framework comparison table helps you understand overlap between SOC 2, GDPR, and ISO 27001.
- Track checklist completion as evidence — completed checklists with dates serve as audit artifacts.
This is 1 of 11 resources in the Cheatsheet Reference Pro toolkit. Get the complete [Security Audit Checklist Pack] with all files, templates, and documentation for $19.
Or grab the entire Cheatsheet Reference Pro bundle (11 products) for $79 — save 30%.
Top comments (0)