Auditing Web Servers and Web Applications
Web Servers
Verify that the web server is running on a dedicated logical system not shared with other critical applications.
Verify that the web server is fully patched and updated with the latest approved code.
Verify that unnecessary services, modules, objects, and APIs are removed or disabled. Any service or module that does run should operate under a least-privileged account, never as root or an administrator.
Verify that only appropriate protocols and ports are allowed to access the web server.
Verify that accounts allowing access to the web server are managed appropriately and use strong passwords.
Ensure that appropriate controls exist for files, directories, and virtual directories.
Ensure that unnecessary information, such as server version strings, error-page signatures, and directory listings, is not exposed through the web interface.
Ensure that the web server has appropriate logging enabled and that monitoring processes are in place.
Ensure that script extensions are mapped appropriately.
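The four server-hardening steps above (unneeded modules and least-privileged accounts, file and directory controls, information disclosure, script-extension mapping) can be checked against a configuration file rather than by hand. The following is an added example, not code from the original page: it audits an Apache httpd.conf against a hypothetical baseline. The two configuration fragments are constructed for illustration, and the lists of "unneeded" modules and permitted script extensions are assumptions that would come from the deployment's own standard.

```python
import re

# Constructed sample fragments of an Apache httpd.conf; they are not from any real host.
WEAK_HTTPD_CONF = """
ServerTokens Full
ServerSignature On
User root
Group root
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
AddHandler cgi-script .cgi .pl .txt
"""

HARDENED_HTTPD_CONF = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
User www-data
Group www-data
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
AddHandler cgi-script .cgi
"""

# Baseline assumptions for the hypothetical deployment being audited: modules it has
# no business loading, and the only extensions that may be executed as scripts.
UNNEEDED_MODULES = {"autoindex_module", "status_module", "info_module",
                    "userdir_module", "cgid_module"}
ALLOWED_SCRIPT_EXTS = {".cgi", ".php"}


def _directive(conf, name):
    """Return the argument of the first occurrence of a directive, or None if absent."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", conf, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def audit_httpd_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Apache defaults: ServerTokens Full, ServerSignature Off, TraceEnable On.
    if (_directive(conf, "ServerTokens") or "Full").lower() != "prod":
        findings.append("ServerTokens not Prod: version and OS leak in the Server header")
    if (_directive(conf, "ServerSignature") or "Off").lower() != "off":
        findings.append("ServerSignature not Off: version appended to error pages")
    if (_directive(conf, "TraceEnable") or "On").lower() != "off":
        findings.append("TraceEnable not Off: HTTP TRACE method is enabled")
    for name in ("User", "Group"):
        value = _directive(conf, name)
        if value is None or value.lower() == "root":
            findings.append(f"{name} is root or unset: worker processes are not least-privileged")
    for m in re.finditer(r"^[ \t]*LoadModule[ \t]+(\S+)", conf, re.MULTILINE):
        if m.group(1) in UNNEEDED_MODULES:
            findings.append(f"unneeded module loaded: {m.group(1)}")
    for m in re.finditer(r"^[ \t]*Options[ \t]+(.+)$", conf, re.MULTILINE):
        if any(opt.lower() in ("indexes", "+indexes") for opt in m.group(1).split()):
            findings.append("Options Indexes set: directory listings are exposed")
    for m in re.finditer(r"^[ \t]*AddHandler[ \t]+\S+[ \t]+(.+)$", conf, re.MULTILINE):
        for ext in m.group(1).split():
            if ext.lower() not in ALLOWED_SCRIPT_EXTS:
                findings.append(f"script handler mapped to unexpected extension {ext}")
    return findings


if __name__ == "__main__":
    for finding in audit_httpd_conf(WEAK_HTTPD_CONF):
        print("FINDING:", finding)
    print("hardened config findings:", audit_httpd_conf(HARDENED_HTTPD_CONF))
```

The checks are deliberately literal: a `.txt` extension mapped to a CGI handler, or `Options Indexes` inside a document root, is the kind of line that is easy to miss when reading a long configuration but trivial to flag mechanically. Run it against the live, merged configuration (for Apache, `apachectl -S` and `httpd -M` show what is actually loaded), not just the file on disk.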
Verify the validity of any server certificates in use.
Web Applications
Ensure that the web application is protected against injection attacks.
Review the application for authentication and session management vulnerabilities.
Verify that sensitive data is identified and protected appropriately. Ensure proper use of encryption technologies to protect sensitive data.
Review the web application's XML parsers and any XML-accepting endpoints for exposure to XML external entity (XXE) attacks.
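An XXE or entity-expansion payload has to carry a DTD, so the simplest control to look for is a parser that refuses DTDs before anything is resolved. The following is an added example, not code from the original page: a strict parsing wrapper around Python's standard-library ElementTree, exercised with constructed XXE and "billion laughs" payloads. The size and depth limits are assumptions chosen for the demonstration.

```python
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1_000_000   # assumption: size limit for this endpoint
MAX_XML_DEPTH = 32          # assumption: deepest legitimate nesting


class UnsafeXML(ValueError):
    """Raised when a document is refused before or during parsing."""


def parse_xml_strict(text):
    if len(text) > MAX_XML_BYTES:
        raise UnsafeXML("document exceeds size limit")
    # Both external-entity and entity-expansion attacks require a DTD, so refuse
    # any DTD outright; well-formed application data parses fine without one.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise UnsafeXML("document declares a DTD or entities; refusing to parse")
    root = ET.fromstring(text)
    # Bound nesting depth so a deeply nested document cannot exhaust the stack
    # of whatever processes the tree next.
    stack = [(root, 1)]
    while stack:
        element, depth = stack.pop()
        if depth > MAX_XML_DEPTH:
            raise UnsafeXML("document nests deeper than allowed")
        stack.extend((child, depth + 1) for child in element)
    return root


# Constructed payloads, not captured from real traffic.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<order><item>&xxe;</item></order>"""

BOMB_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]><lolz>&lol2;</lolz>"""

CLEAN_DOC = "<order><item>widget</item><qty>2</qty></order>"


def is_rejected(text):
    try:
        parse_xml_strict(text)
        return False
    except UnsafeXML:
        return True


if __name__ == "__main__":
    print("XXE rejected:", is_rejected(XXE_PAYLOAD))
    print("bomb rejected:", is_rejected(BOMB_PAYLOAD))
    print("clean item:", parse_xml_strict(CLEAN_DOC).find("item").text)
```

During the review, ask for the parser configuration of every library in use (for example whether DTD loading and external entity resolution are disabled), not just the application code; the default behaviour differs between parsers and languages.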
Verify that proper access controls are enforced.
Review the controls that establish and maintain a secure configuration (security misconfiguration), including how configuration drift is detected and corrected.
Review the website for cross-site scripting (XSS) vulnerabilities.
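The control to verify for XSS is context-aware output encoding: the same untrusted value needs a different encoder depending on whether it lands in HTML text, an attribute, a URL component, or a script block. The following added example (not from the original page) shows a vulnerable renderer beside encoders for three contexts, using only the Python standard library; the page fragments and payload are constructed for the demonstration.

```python
import html
import json
from urllib.parse import quote


def render_greeting_vulnerable(name):
    # Untrusted value dropped straight into HTML: reflected XSS.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # HTML text or attribute context: entity-encode < > & " '.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_link(label, query):
    # Two contexts on one line: the query component gets percent-encoding,
    # the link text gets HTML encoding. Neither encoder is right for the other slot.
    return f'<a href="/search?q={quote(query, safe="")}">{html.escape(label)}</a>'


def embed_in_script(value):
    # JavaScript context: JSON-serialise, then neutralise the characters that
    # could close the script block or open a tag inside it.
    js = json.dumps(value)
    js = js.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return f"<script>var user = {js};</script>"


# Constructed test payload.
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))
    print(render_greeting_safe(PAYLOAD))
    print(render_search_link("search again", PAYLOAD))
    print(embed_in_script("</script><script>alert(1)</script>"))
```

When auditing a templating system, confirm that auto-escaping is on and find every place it is switched off (`|safe`, `Markup`, `innerHTML`, `dangerouslySetInnerHTML` and equivalents); each of those is a manual review item. A Content-Security-Policy header is a worthwhile second layer but does not replace encoding.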
Review protections against insecure deserialization of untrusted data.
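The reason insecure deserialization is reviewed as a separate item is that in many native serialization formats the act of decoding runs code chosen by whoever produced the bytes. The following is an added example, not code from the original page: a Python pickle gadget whose only side effect is creating a marker file (standing in for the command execution a real gadget would perform), the unrestricted loader that triggers it, a restricted unpickler that refuses it, and the preferred alternative of a data-only format with explicit shape checks. The marker path and the order schema are assumptions for the demonstration.

```python
import io
import json
import os
import pickle
import tempfile

# Where the gadget leaves its trace; stands in for the damage a real gadget does.
MARKER_PATH = os.path.join(tempfile.gettempdir(), "deserialization-gadget-fired.txt")


class Gadget:
    """Attacker-crafted object: unpickling it calls open(MARKER_PATH, "w"), just as a
    real gadget would call os.system or subprocess.Popen with attacker arguments."""
    def __reduce__(self):
        return (open, (MARKER_PATH, "w"))


def attacker_blob():
    return pickle.dumps(Gadget())


def benign_blob():
    return pickle.dumps({"item": "widget", "qty": 2})


def gadget_fired():
    return os.path.exists(MARKER_PATH)


def reset_marker():
    if os.path.exists(MARKER_PATH):
        os.remove(MARKER_PATH)


def load_vulnerable(blob):
    # The 'before' picture: the wire format is trusted completely.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only the globals on the allowlist may be referenced; everything else is refused
    before it can be called."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_rejects(blob):
    try:
        load_restricted(blob)
        return False
    except pickle.UnpicklingError:
        return True


def load_order_json(text):
    # Preferred control: a data-only format plus explicit validation of the shape.
    obj = json.loads(text)
    if not (isinstance(obj, dict) and isinstance(obj.get("item"), str)
            and isinstance(obj.get("qty"), int) and obj["qty"] > 0):
        raise ValueError("order does not match the expected shape")
    return obj


if __name__ == "__main__":
    reset_marker()
    handle = load_vulnerable(attacker_blob())
    handle.close()
    print("gadget fired during pickle.loads:", gadget_fired())
    print("restricted unpickler rejects it:", restricted_rejects(attacker_blob()))
    print("restricted unpickler still loads plain data:", load_restricted(benign_blob()))
    reset_marker()
```

In the review, list every place the application decodes pickle, Java serialization, PHP `unserialize`, YAML with object tags, or similar formats, and check whether the input can originate from a user, a cookie, a queue, or a cache another tenant can write to. A restricted loader limits the blast radius; switching to a data-only format removes the problem.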
Review processes to ensure vulnerabilities are not present in libraries, frameworks, or other components.
Ensure that adequate logging is present and review processes for examining log data.
Review the security training provided to application development teams and ensure that development teams understand secure coding practices.
Verify that all input is validated by the web application before it is used.
Evaluate the use of proper error handling.
Review web application redirects and forwards to verify that users can only be sent to valid, expected URLs and not to attacker-chosen destinations (open redirect).
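The difficulty with redirect validation is that browsers parse URLs more liberally than most application code expects, so a check that only rejects `http://` prefixes still passes `//evil.example`, `/\evil.example` or a tab-separated variant. The following is an added example, not code from the original page: a validator that normalises the way a browser would before deciding, and falls back to a safe default on anything it cannot prove is local or on an allowlisted host. The allowed hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only external hosts this application may send users to.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def safe_redirect_target(target, fallback="/"):
    """Return `target` if it is a same-origin path or an allowlisted https/http URL,
    otherwise `fallback`."""
    if not target:
        return fallback
    # Browsers strip tab, CR and LF anywhere and whitespace at the ends before parsing,
    # and treat backslashes as forward slashes in http(s) URLs; do the same so the
    # decision is made on what the browser will actually see.
    t = re.sub(r"[\t\r\n]", "", target).strip()
    t = t.replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme:
        # javascript:, data:, vbscript: and friends are never redirect targets.
        if parts.scheme.lower() not in ("http", "https"):
            return fallback
        # .hostname strips userinfo and port, so "https://app.example.com@evil.example/"
        # is judged by its real host, evil.example.
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return fallback
        return t
    # No scheme: accept only an absolute path with a single leading slash. Two or more
    # slashes ("//host", "///host") are protocol-relative URLs to the browser.
    if t.startswith("/") and not t.startswith("//"):
        return t
    return fallback


if __name__ == "__main__":
    for candidate in ["/account/settings", "//evil.example/phish", "/\\evil.example",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

When auditing, collect every parameter that feeds a redirect or forward (`next`, `returnUrl`, `redirect_uri`, `continue` and the like) and feed each of the candidates above through the application; any that leaves the allowed set is a finding.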
Verify that controls are in place to prevent cross-site request forgery (CSRF or XSRF).
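A CSRF control is only effective if the token is unpredictable, bound to the victim's session, compared in constant time, and actually required on every state-changing request. The following added example (not from the original page) implements a keyed-MAC token bound to a session identifier and a request check that also consults the Origin header as a second layer; the secret key, session identifiers and allowed origin are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment key held server-side; rotating it invalidates all tokens.
SECRET_KEY = secrets.token_bytes(32)
# Assumption: the origin from which legitimate forms are served.
ALLOWED_ORIGIN = "https://app.example.com"


def issue_csrf_token(session_id):
    """Token = random nonce + HMAC over (session, nonce), so a token copied from the
    attacker's own session verifies only for the attacker's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing token or wrong shape
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a byte-by-byte early exit would leak the MAC.
    return hmac.compare_digest(expected, mac)


def is_state_changing(method):
    # Safe methods must not change state; if the application breaks that rule,
    # token checks on POST alone will not protect it.
    return method.upper() not in ("GET", "HEAD", "OPTIONS", "TRACE")


def check_request(method, session_id, form_token, origin):
    """Decide whether a request may proceed. Origin, when the browser sends it,
    must match; the token is required regardless."""
    if not is_state_changing(method):
        return True
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    return verify_csrf_token(session_id, form_token)


if __name__ == "__main__":
    token = issue_csrf_token("session-abc")
    print("own session, correct token:", check_request("POST", "session-abc", token, ALLOWED_ORIGIN))
    print("token replayed against other session:", check_request("POST", "session-xyz", token, None))
    print("cross-origin form post:", check_request("POST", "session-abc", token, "https://evil.example"))
```

During the review, also confirm the session cookie carries a `SameSite` attribute (`Lax` or `Strict`) and that no state-changing action is reachable by GET; either gap leaves CSRF possible even with tokens in place.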