A complete checklist for securing web, mobile, cloud, and enterprise applications across their entire lifecycle.
[ ] Secure‑by‑Design principles embedded from project start
[ ] Security requirements defined for every application
[ ] Threat modelling performed (STRIDE, LINDDUN, or equivalent)
[ ] Developers trained in secure coding annually
[ ] Security sign‑off required before deployment
[ ] Code reviews include security checks
[ ] Security champions identified in each dev team
[ ] MFA required for all admin and privileged accounts
[ ] Strong authentication (OIDC, OAuth2, SAML) implemented
[ ] Passwordless or phishing‑resistant authentication considered
[ ] Role‑based access control (RBAC) enforced
[ ] Access control validated server‑side (never client‑side)
[ ] Session management secure (timeouts, rotation, secure cookies)
[ ] No hard‑coded credentials in code or config
[ ] Input validation performed server‑side
[ ] Output encoding used to prevent XSS
[ ] Parameterised queries used to prevent SQL injection
[ ] File uploads validated and scanned
[ ] Sensitive data masked or tokenised
[ ] Data classification applied to all stored data
[ ] Secrets stored in secure vaults (not environment variables or code)
[ ] API authentication enforced (OAuth2, API keys, JWT)
[ ] Rate limiting and throttling enabled
[ ] Input validation on all API endpoints
[ ] API gateway used for centralised control
[ ] No sensitive data exposed in URLs
[ ] CORS configured securely
[ ] API documentation reviewed for data exposure
[ ] OWASP Top 10 risks addressed
[ ] No use of deprecated or vulnerable libraries
[ ] Dependencies scanned regularly (SCA tools)
[ ] Secrets removed from Git history
[ ] Error messages do not reveal sensitive information
[ ] Logging avoids sensitive data
[ ] Memory‑safe languages used where possible
[ ] TLS 1.2+ enforced for all traffic
[ ] Certificates managed and renewed automatically
[ ] Sensitive data encrypted at rest (AES‑256)
[ ] Strong hashing for passwords (bcrypt, Argon2)
[ ] Keys stored in HSM/KMS
[ ] No plaintext credentials anywhere
[ ] Secure cookie flags set (HttpOnly, Secure, SameSite)
[ ] Containers scanned for vulnerabilities
[ ] Kubernetes/Orchestration hardened
[ ] Infrastructure as Code (IaC) scanned for misconfigurations
[ ] Cloud resources use least‑privilege IAM roles
[ ] WAF enabled for public‑facing applications
[ ] DDoS protection enabled
[ ] Secrets injected securely at runtime
[ ] Centralised logging enabled
[ ] Logs protected from tampering
[ ] Alerts for:
    Authentication failures
    Privilege escalation
    Suspicious API calls
    Injection attempts
    High‑volume requests
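As an added example (not part of the original checklist), this is one way the five alert categories above could be evaluated over a batch of JSON application log events before the results are forwarded to a SIEM. The event field names, thresholds, admin path prefix and sample events are all assumptions constructed for the example.

```python
import json
import re
from collections import Counter

# Alert thresholds per evaluation window (the batch passed to detect() is assumed to be one window).
AUTH_FAILURE_THRESHOLD = 5
HIGH_VOLUME_THRESHOLD = 20
# Markers of common injection attempts in request paths (defensive pattern match, assumed shapes).
INJECTION_PATTERN = re.compile(r"union\s+select|'\s*or\s+'|<script|\.\./", re.IGNORECASE)
ADMIN_PATH_PREFIX = "/api/admin/"  # assumed layout of privileged endpoints

def detect(lines):
    """Return one alert dict per finding, covering the five checklist categories."""
    events = [json.loads(line) for line in lines if line.strip()]
    alerts = []
    # Authentication failures: repeated login failures from one source address.
    failures = Counter(e["src"] for e in events if e["event"] == "login_failure")
    for src, n in failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            alerts.append({"type": "auth_failures", "key": src, "count": n})
    # High-volume requests: request count per source address in the window.
    volume = Counter(e["src"] for e in events if e["event"] == "request")
    for src, n in volume.items():
        if n >= HIGH_VOLUME_THRESHOLD:
            alerts.append({"type": "high_volume", "key": src, "count": n})
    for e in events:
        # Privilege escalation: any role change that grants admin.
        if e["event"] == "role_change" and e.get("new_role") == "admin":
            alerts.append({"type": "privilege_escalation", "key": e["user"], "count": 1})
        # Suspicious API call: admin endpoint reached by a non-admin role.
        if e["event"] == "request" and e["path"].startswith(ADMIN_PATH_PREFIX) and e.get("role") != "admin":
            alerts.append({"type": "suspicious_api_call", "key": e["user"], "count": 1})
        # Injection attempt: known marker in the request path.
        if e["event"] == "request" and INJECTION_PATTERN.search(e["path"]):
            alerts.append({"type": "injection_attempt", "key": e["src"], "count": 1})
    return alerts

# Constructed sample events (JSON per line); not taken from any real system.
SAMPLE_LINES = [
    json.dumps({"src": "10.0.0.5", "user": "alice", "event": "login_failure", "path": "/login"})
] * AUTH_FAILURE_THRESHOLD + [
    json.dumps({"src": "10.0.0.9", "user": "bob", "event": "role_change", "path": "/api/users/bob", "new_role": "admin"}),
    json.dumps({"src": "10.0.0.7", "user": "carol", "role": "user", "event": "request", "path": "/api/admin/export"}),
    json.dumps({"src": "10.0.0.8", "user": "-", "event": "request", "path": "/api/items?id=1 UNION SELECT pw FROM users"}),
] + [
    json.dumps({"src": "10.0.0.3", "user": "-", "event": "request", "path": f"/api/items/{i}"})
    for i in range(HIGH_VOLUME_THRESHOLD)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```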
[ ] Application logs integrated with SIEM/SOC
[ ] Runtime Application Self‑Protection (RASP) considered
[ ] Static Application Security Testing (SAST) performed
[ ] Dynamic Application Security Testing (DAST) performed
[ ] Software Composition Analysis (SCA) performed
[ ] Penetration testing conducted annually
[ ] Fuzz testing used for critical components
[ ] Security tests integrated into CI/CD pipeline
[ ] Vulnerabilities triaged and remediated promptly
[ ] CI/CD pipeline secured and access‑controlled
[ ] Code signing used for releases
[ ] Secrets not stored in CI/CD configs
[ ] Production and development environments separated
[ ] Rollback procedures tested
[ ] Deployment logs monitored
[ ] Only approved artefacts deployed
[ ] Vendor risk assessments completed
[ ] Third‑party libraries reviewed and updated
[ ] SBOM (Software Bill of Materials) maintained
[ ] External APIs validated for security
[ ] Contracts include security requirements
[ ] Cloud services meet compliance standards
[ ] Application‑specific incident response plan exists
[ ] Playbooks for:
    Injection attacks
    Account takeover
    API abuse
    Data breach
[ ] Alerts integrated with SOC
[ ] Forensic logging enabled
[ ] Lessons learned reviewed after incidents