Security Testing Checklist
Authentication
Hit each route in the OpenAPI spec (or router table) with no token, an expired token, and a token signed by the wrong key; every one should come back 401. Default-allow middleware (a route is protected only if someone remembered the decorator) is the usual cause of Broken Authentication, OWASP API2:2023. Also confirm the verifier pins the algorithm: a token with alg=none, or an HS256 token signed with the server's RSA public key, must be rejected.
Verify TOTP/WebAuthn enrollment, backup-code generation, and the account-recovery path. Recovery is where MFA usually breaks: an email factor the help desk can reset on a phone call undoes the whole control, so recovery must demand proof at least as strong as the factor it replaces.
Minimum 8 characters (NIST SP 800-63B), breached-password check against Pwned Passwords via the k-anonymity range API (only the first five hex characters of the SHA-1 leave your network), no forced periodic rotation, no composition rules. Argon2id or bcrypt at the storage layer with a per-user salt and a tuned work factor; never a plain SHA-256 or an unsalted hash.
Run Burp Intruder with a list of roughly 1,000 invalid credentials against the login endpoint. Confirm rate limiting, CAPTCHA escalation, and account lockout fire as designed, and that the response for an unknown username is indistinguishable (status, body, timing) from a wrong password. Verify per-IP and per-username throttles both exist: attackers rotate IPs to beat the first and spray one password across many accounts to stay under the second.
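Added example, not code from the page: a throttle keyed on both IP and username, with a driver that simulates the two attacks the item describes. LoginThrottle, its limits and the simulated addresses are assumptions of this example; a real deployment would keep the counters in Redis rather than process memory.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter keyed by client IP *and* by target
    username; exceeding either limit locks that key for `lockout_s`."""

    def __init__(self, ip_limit=20, user_limit=5, window_s=300, lockout_s=900):
        self.limits = {"ip": ip_limit, "user": user_limit}
        self.window_s, self.lockout_s = window_s, lockout_s
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> unlock time

    def _keys(self, ip, user):
        return (("ip", f"ip:{ip}"), ("user", f"user:{user.lower()}"))

    def _prune(self, key, now):
        q = self.failures[key]
        while q and q[0] < now - self.window_s:
            q.popleft()

    def allow(self, ip, user, now=None):
        """Return (allowed, reason). Call this before checking the password."""
        now = time.monotonic() if now is None else now
        for kind, key in self._keys(ip, user):
            if self.locked_until.get(key, 0) > now:
                return False, f"{kind} locked"
            self._prune(key, now)
            if len(self.failures[key]) >= self.limits[kind]:
                self.locked_until[key] = now + self.lockout_s
                return False, f"{kind} limit"
        return True, "ok"

    def record_failure(self, ip, user, now=None):
        now = time.monotonic() if now is None else now
        for _, key in self._keys(ip, user):
            self.failures[key].append(now)

    def record_success(self, ip, user):
        self.failures.pop(f"user:{user.lower()}", None)


def attempts_before_block(throttle, attempts, ip_for, user_for):
    """Drive `attempts` failed logins one second apart; return how many got
    through before the throttle refused one."""
    allowed = 0
    for i in range(attempts):
        ip, user = ip_for(i), user_for(i)
        ok, _ = throttle.allow(ip, user, now=float(i))
        if not ok:
            return allowed
        throttle.record_failure(ip, user, now=float(i))
        allowed += 1
    return allowed


def rotating_ip_attack(throttle=None):
    """One target account, a fresh source IP on every attempt."""
    return attempts_before_block(throttle or LoginThrottle(), 1000,
                                 lambda i: f"10.{i // 256}.{i % 256}.1",
                                 lambda i: "alice")


def password_spray(throttle=None):
    """One source IP, a different account on every attempt."""
    return attempts_before_block(throttle or LoginThrottle(), 1000,
                                 lambda i: "203.0.113.7",
                                 lambda i: f"user{i}")
```

With only a per-IP limit (`LoginThrottle(user_limit=10**9)`) the rotating attacker gets all 1,000 guesses through; with only a per-user limit the spray does. Both keys together are what the checklist item is asking you to prove.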
Authorization
Create two test tenants and swap object IDs in URLs and request bodies. Broken Object Level Authorization (IDOR; OWASP API1:2023) is the single most common finding in B2B SaaS. Hit GET, PATCH, and DELETE, not just GET: write paths are often wired to a bare lookup by primary key. Expect 404 rather than 403 for a foreign ID, so the endpoint does not confirm that the object exists.
Walk every role (admin, member, viewer, billing) against every action in the matrix. Test vertical escalation (member → admin) and horizontal escalation (member of org A accessing org B). Common gotcha: admin endpoints gated in the UI but not in the API.
Idle timeout, absolute timeout, and forced logout on password change must all invalidate the JWT/session immediately. Stateless JWTs without a revocation list fail this: a stolen token works until exp. Cheap fixes are a short-lived access token plus a revocable refresh token, or a per-user "password changed at" timestamp that the verifier compares against the token's iat.
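Added example covering the two authorization items above (it is not code from the page or from Manifestly): an in-memory stand-in for the API with a tenant-scoped handler beside a leaky one, plus the cross-tenant ID swap and the role-matrix walk as functions. The tenants, users, invoices and ROLE_MATRIX are constructed fixtures.

```python
from dataclasses import dataclass

# Role -> permitted actions. This is the matrix the test walks; anything the
# app allows beyond it is a vertical-escalation finding.
ROLE_MATRIX = {
    "viewer": {"read"},
    "member": {"read", "update"},
    "billing": {"read", "update"},
    "admin": {"read", "update", "delete"},
}
VERB_ACTION = {"get": "read", "patch": "update", "delete": "delete"}


@dataclass
class Invoice:
    id: str
    tenant: str


class SecureApp:
    """In-memory stand-in for the API: every verb scopes the lookup to the
    caller's tenant before the role check runs."""

    def __init__(self, users, invoices):
        self.users = users                          # user -> (tenant, role)
        self.invoices = {i.id: i for i in invoices}

    def handle(self, user, verb, invoice_id):
        tenant, role = self.users[user]
        inv = self.invoices.get(invoice_id)
        if inv is None or inv.tenant != tenant:
            return 404      # same answer for "missing" and "not yours": no enumeration
        if VERB_ACTION[verb] not in ROLE_MATRIX[role]:
            return 403
        return 200


class LeakyApp(SecureApp):
    """The classic bug: GET was written with a tenant-scoped query, but PATCH
    and DELETE reuse a bare lookup by primary key."""

    def handle(self, user, verb, invoice_id):
        if verb == "get":
            return super().handle(user, verb, invoice_id)
        _, role = self.users[user]
        if invoice_id not in self.invoices:
            return 404
        if VERB_ACTION[verb] not in ROLE_MATRIX[role]:
            return 403
        return 200


def cross_tenant_findings(app):
    """Horizontal check: every user tries every other tenant's object with
    every verb. Any 200 is a BOLA finding."""
    findings = []
    for user, (tenant, _) in app.users.items():
        for inv in app.invoices.values():
            if inv.tenant == tenant:
                continue
            for verb in VERB_ACTION:
                if app.handle(user, verb, inv.id) == 200:
                    findings.append((user, verb.upper(), inv.id))
    return findings


def role_matrix_deviations(app):
    """Vertical check: inside the tenant, every role against every action;
    report anything that differs from ROLE_MATRIX in either direction."""
    deviations = []
    for user, (tenant, role) in app.users.items():
        for inv in app.invoices.values():
            if inv.tenant != tenant:
                continue
            for verb, action in VERB_ACTION.items():
                expected = 200 if action in ROLE_MATRIX[role] else 403
                got = app.handle(user, verb, inv.id)
                if got != expected:
                    deviations.append((user, verb.upper(), inv.id, got, expected))
    return deviations


# Constructed fixture: two tenants, one invoice each, mixed roles.
USERS = {
    "alice-admin": ("org-a", "admin"),
    "amy-viewer": ("org-a", "viewer"),
    "bob-admin": ("org-b", "admin"),
    "ben-member": ("org-b", "member"),
}
INVOICES = [Invoice("inv-1001", "org-a"), Invoice("inv-2001", "org-b")]
```

Against a real API the two walkers become HTTP calls with one session per user; the shape of the loops is the point. Note that the leaky app passes the role-matrix walk cleanly, which is why the horizontal swap has to be run on every verb and not inferred from the vertical results.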
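Added example serving both the token matrix under Authentication (no token, expired, wrong key, alg=none) and the revocation item here; it is not code from the page or from Manifestly. It mints and verifies HS256 JWTs with the standard library; KEY, WRONG_KEY, the fixed clock and the claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a compact JWT. alg="none" exists only so the probe can forge one."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenVerifier:
    """Pinned algorithm, signature, exp, a jti denylist for explicit logout,
    and a per-user password_changed_at that invalidates older tokens."""

    def __init__(self, key: bytes, clock=time.time):
        self.key, self.clock = key, clock
        self.revoked_jti: set[str] = set()
        self.password_changed_at: dict[str, float] = {}

    def verify(self, token):
        if not token:
            return False, "missing"
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header_b64, body_b64, sig_b64 = parts
        try:
            header = json.loads(_unb64url(header_b64))
            claims = json.loads(_unb64url(body_b64))
            sig = _unb64url(sig_b64)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if header.get("alg") != "HS256":
            return False, "algorithm not allowed"      # kills alg=none and key-confusion
        expected = hmac.new(self.key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"              # wrong key or tampered claims
        now = self.clock()
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return False, "expired"
        if claims.get("jti") in self.revoked_jti:
            return False, "revoked"
        if claims.get("iat", 0) < self.password_changed_at.get(claims.get("sub"), 0):
            return False, "issued before password change"
        return True, "ok"


# Constructed keys and a fixed clock so the probe is deterministic.
KEY = b"server-hmac-key-for-example-only"
WRONG_KEY = b"some-other-tenant-or-attacker-key"
NOW = 1_700_000_000.0


def probe_matrix():
    """The checklist's token cases against the verifier; returns case -> reason."""
    v = TokenVerifier(KEY, clock=lambda: NOW)
    base = {"sub": "alice", "iat": NOW - 120, "exp": NOW + 3600}
    results = {
        "no token": v.verify(None)[1],
        "expired": v.verify(mint({**base, "iat": NOW - 7200, "exp": NOW - 3600, "jti": "t1"}, KEY))[1],
        "wrong key": v.verify(mint({**base, "jti": "t2"}, WRONG_KEY))[1],
        "alg none": v.verify(mint({**base, "jti": "t3"}, b"", alg="none"))[1],
        "valid": v.verify(mint({**base, "jti": "t4"}, KEY))[1],
    }
    v.revoked_jti.add("t4")                          # the user clicked "log out"
    results["after logout"] = v.verify(mint({**base, "jti": "t4"}, KEY))[1]
    v.password_changed_at["alice"] = NOW - 60        # password reset a minute ago
    results["after password change"] = v.verify(mint({**base, "jti": "t5"}, KEY))[1]
    return results
```

The denylist only needs to hold jti values until their exp passes, so it stays small; the password-change timestamp is one number per user and costs nothing. Either is enough to make "forced logout" actually mean something for a stateless token.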
Data Protection
Run Qualys SSL Labs against every public hostname; require A or A+. TLS 1.2 minimum, HSTS with preload (a max-age of at least one year and includeSubDomains, which the preload list requires), no RC4, 3DES, TLS 1.0, or TLS 1.1. Internal service-to-service traffic should also be mTLS or service-mesh encrypted, not cleartext inside the VPC.
RDS, S3, EBS volumes, and snapshots all encrypted with customer-managed KMS keys (not the AWS-managed aws/rds, aws/s3 and aws/ebs defaults when in SOC 2 / HIPAA scope). Check that backup destinations and replicas inherit encryption; read replicas and cross-region copies, which need a key in the destination region, are a common gap. RDS encryption cannot be switched on in place: an unencrypted instance has to be snapshotted, the snapshot copied with encryption, and the copy restored.
Grep the last 7 days of application logs for email addresses, auth tokens, full card numbers, and SSNs. Verify the Datadog/Splunk scrubbers are catching them. Stack traces returned to clients (FastAPI debug=True, Rails development error pages) must be impossible in production.
Annual automatic rotation enabled on all customer-managed keys; key policy restricted to the specific service roles that need Decrypt, with no wildcard principals. Confirm CloudTrail is recording KMS Decrypt calls (they are management events, so check that the trail does not have "Exclude AWS KMS events" set); that audit trail is the SOC 2 evidence.
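Added example, not code from the page or from Manifestly: the TLS floor and cipher allowlist expressed as a Python ssl context, and a checker for the HSTS preload requirements. The cipher string and the header values in the usage are this example's choices.

```python
import ssl

PRELOAD_MIN_MAX_AGE = 31_536_000   # one year, the hstspreload.org minimum
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "MD5", "EXP")


def hardened_client_context() -> ssl.SSLContext:
    """The checklist's floor as a context: TLS 1.2 minimum, ECDHE with AEAD
    suites only, nothing with RC4, 3DES or MD5. Use it for outbound calls and
    as the reference when reviewing a server's configuration."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXPORT")
    return ctx


def tls_floor(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def weak_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """Cipher suites the context would still negotiate that the item forbids."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]


def parse_hsts(header: str) -> dict:
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_preload_problems(header):
    """Check a Strict-Transport-Security value against the preload-list
    submission requirements: one-year max-age, includeSubDomains, preload."""
    if not header:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    problems = []
    try:
        max_age = int(d.get("max-age", -1))
    except (TypeError, ValueError):
        max_age = -1
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age must be at least {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems
```

To check a live endpoint, wrap a socket with `hardened_client_context()` and read `sock.version()`; a handshake failure against your own host means it still offers nothing above TLS 1.1 or only legacy suites, which is exactly what SSL Labs would mark it down for.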
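Added example (not code from the page or from Manifestly) of the log grep as detection logic over constructed lines. The card number is the Visa test PAN; the SSN and JWT are invented.

```python
import re

# Constructed log lines standing in for "the last 7 days".
LOG_LINES = [
    "2024-05-02T10:01:22Z INFO  login ok user=jane.doe@example.com ip=203.0.113.5",
    "2024-05-02T10:01:23Z DEBUG auth header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lIn0.abcdefghijklmnopqrstuvwxyz0123",
    "2024-05-02T10:02:10Z INFO  checkout order=8841 card=4111 1111 1111 1111 exp=12/27",
    "2024-05-02T10:02:11Z INFO  checkout order=8842 ref=1234 5678 9012 3456",
    "2024-05-02T10:03:00Z WARN  kyc ssn=219-09-9999 status=pending",
    "2024-05-02T10:04:00Z INFO  healthcheck ok latency_ms=12",
]

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep enough to find the log line again, never the full value."""
    return value[:2] + "*" * max(len(value) - 6, 0) + value[-4:] if len(value) > 8 else "****"


def scan_log_lines(lines):
    """Return (line_no, kind, masked_value) for every sensitive value found.
    PAN candidates must also pass Luhn, which drops order and reference numbers."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0).strip()
                if kind == "pan":
                    digits = re.sub(r"\D", "", value)
                    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                        continue
                findings.append((line_no, kind, mask(value)))
    return findings
```

Line 4 is the reason for the Luhn step: a 16-digit reference number matches the PAN regex but is not a card, and a scrubber that fires on it will be tuned down until it misses line 3 as well. The same patterns, minus the masking, are what to hand the Datadog/Splunk scrubber configuration.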
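Added example serving both the encryption-at-rest item and the key-policy item; it is not code from the page or from Manifestly. It runs the checks over a constructed inventory shaped like the relevant fields of boto3 describe_db_instances, describe_key (KeyMetadata.KeyManager), get_key_rotation_status and get_key_policy output, merged into plain dicts; the ARNs, role names and policy statements are made up.

```python
# Constructed inventory. In practice these dicts are built from the boto3
# calls named above; the shapes of the fields used here match that output.
CMK = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
AWS_MANAGED = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_ROLE = "arn:aws:iam::111122223333:role/app-api"
ROOT = "arn:aws:iam::111122223333:root"

RDS_INSTANCES = [
    {"DBInstanceIdentifier": "prod-primary", "StorageEncrypted": True, "KmsKeyId": CMK},
    {"DBInstanceIdentifier": "prod-replica-1", "StorageEncrypted": True, "KmsKeyId": AWS_MANAGED,
     "ReadReplicaSourceDBInstanceIdentifier": "prod-primary"},
    {"DBInstanceIdentifier": "analytics-db", "StorageEncrypted": False},
]

KEYS = {
    CMK: {"KeyManager": "CUSTOMER", "KeyRotationEnabled": True, "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppDecrypt", "Effect": "Allow", "Principal": {"AWS": [APP_ROLE]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Sid": "Legacy", "Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"},
    ]}},
    AWS_MANAGED: {"KeyManager": "AWS", "KeyRotationEnabled": True, "Policy": {"Statement": []}},
}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principals(stmt):
    """Flatten Principal, which may be "*", a string, or {"AWS": [...], "Service": ...}."""
    p = stmt.get("Principal")
    if isinstance(p, dict):
        return [x for v in p.values() for x in _as_list(v)]
    return _as_list(p)


def audit_rds(instances, keys):
    """Unencrypted storage, or storage encrypted under an AWS-managed key."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            findings.append((name, "storage not encrypted"))
            continue
        key = keys.get(db.get("KmsKeyId"))
        if key is None:
            findings.append((name, "KMS key not in inventory"))
        elif key["KeyManager"] != "CUSTOMER":
            findings.append((name, "uses AWS-managed key instead of a customer-managed key"))
    return findings


def audit_key_policy(arn, key, allowed_decryptors):
    """Rotation off, wildcard principals, or Decrypt granted outside the allowlist."""
    findings = []
    if not key.get("KeyRotationEnabled"):
        findings.append((arn, "automatic rotation disabled"))
    for stmt in key["Policy"].get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append((arn, f"{sid}: wildcard principal without a Condition"))
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("kms:*", "kms:Decrypt") for a in actions):
            for p in principals:
                if p not in allowed_decryptors:
                    findings.append((arn, f"{sid}: {p} may decrypt but is not an approved decryptor"))
    return findings
```

The replica finding is the one the item warns about: the primary is on the customer-managed key while the replica was created with the aws/rds default, which passes a naive "is it encrypted?" check. Whether the account root belongs in `allowed_decryptors` is a policy decision; leaving it out surfaces every key that delegates Decrypt to IAM policies.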
Input Validation and Injection
Run Semgrep or CodeQL on the release SHA. Triage every High and Critical; document risk-accepts on Medium. Pay attention to taint-flow findings (user input reaching a SQL query, a shell command, a file path, or a deserializer): those are the real bugs.
Run the OWASP ZAP active scan against staging. Manually verify CSP headers, SameSite cookies, and CSRF tokens on state-changing endpoints. Parameterized queries everywhere: grep for any string concatenation, f-string, or .format() that touches user input near a SQL call.
Constrain inputs to a known set (enums, regex, schema) instead of stripping bad characters. Pydantic / JSON Schema / Joi at the boundary is the right shape; per-field denylists are not. Normalize (NFKC) before validating, and test with Unicode edge cases: homoglyphs, fullwidth forms, and bidi overrides such as U+202E.
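Added example, not code from the page or from Manifestly: the allowlist shape with the standard library (Pydantic or Joi would express the same rules), including NFKC normalization before the check and outright rejection of bidi controls. USERNAME_RE, the Plan enum and the field set are this example's assumptions.

```python
import re
import unicodedata
from enum import Enum


class Plan(str, Enum):
    FREE = "free"
    PRO = "pro"
    ENTERPRISE = "enterprise"


# Allowlist: what a username may look like after normalization. Nothing
# outside this set is "cleaned"; it is rejected.
USERNAME_RE = re.compile(r"\A[a-z0-9][a-z0-9._-]{2,31}\Z")

# Bidi embedding/override/isolate controls plus the LRM/RLM marks. These are
# rejected before normalization because they are never legitimate in a name.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def validate_username(raw) -> str:
    if not isinstance(raw, str):
        raise ValueError("username: must be a string")
    if BIDI_CONTROLS & set(raw):
        raise ValueError("username: bidi control character")
    # NFKC folds compatibility forms (fullwidth letters, ligatures, the Kelvin
    # sign) to their plain equivalents *before* the allowlist runs, so the
    # stored value is canonical and a lookalike cannot slip past the regex.
    norm = unicodedata.normalize("NFKC", raw).casefold()
    if not USERNAME_RE.fullmatch(norm):
        raise ValueError("username: only a-z, 0-9, '.', '_', '-' (3-32 chars)")
    return norm


def validate_signup(payload: dict) -> dict:
    """Boundary validator for a signup body; returns the canonical values."""
    unknown = set(payload) - {"username", "plan"}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    try:
        plan = Plan(payload.get("plan"))          # enum: anything else raises
    except ValueError:
        raise ValueError("plan: not one of " + ", ".join(p.value for p in Plan)) from None
    return {"username": validate_username(payload.get("username")), "plan": plan.value}


def rejects(raw) -> bool:
    """True if validate_username refuses `raw`; used for the edge-case table."""
    try:
        validate_username(raw)
        return False
    except ValueError:
        return True


def signup_error(payload: dict):
    """The validation message for `payload`, or None when it is accepted."""
    try:
        validate_signup(payload)
        return None
    except ValueError as exc:
        return str(exc)
```

Fullwidth "ｐａｙｐａｌ" is accepted and stored as "paypal", a Cyrillic "раypal" is rejected because no amount of normalization makes it ASCII, and a name carrying U+202E is rejected before anything else happens. A denylist written for the ASCII payloads an attacker tried last quarter does none of those three.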
Logging and Monitoring
Login success/failure, MFA events, password reset, role change, permission grant, key access, and admin actions must all log who, what, when, and from where (actor, target, outcome, source IP, request ID). This is the SOC 2 CC7.2 evidence. Confirm logs are append-only and shipped off the host (CloudWatch, Splunk) so an attacker with a shell cannot edit them.
Trigger known-bad patterns in staging (100 failed logins, an impossible-travel login, a privilege escalation, a mass data export) and confirm a PagerDuty alert fires within SLA. Half of detection breaks silently when the alert routing changes, so test the whole path to the pager, not just the rule.
Retention: SOC 2 sets no fixed number, but the auditor needs logs covering the whole audit period (typically 12 months); HIPAA requires 6 years for required documentation (45 CFR 164.316(b)(2)), which is usually applied to audit logs as well; PCI DSS Requirement 10.5.1 requires at least 12 months, with the most recent 3 months immediately available. Verify retention is enforced at the storage tier (S3 lifecycle rules, CloudWatch log-group retention), not just in a policy document.
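Added example (not code from the page or from Manifestly) covering the audit-event fields above and the four drill scenarios: detection rules run over constructed events. The event schema, the thresholds and the 900 km/h travel limit are this example's choices.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events. geo is (lat, lon); IPs are documentation ranges.
EVENTS = [
    {"ts": "2024-05-02T10:00:00+00:00", "event": "login_failure", "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-05-02T10:00:30+00:00", "event": "login_failure", "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-05-02T10:01:00+00:00", "event": "login_failure", "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-05-02T10:01:30+00:00", "event": "login_failure", "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-05-02T10:02:00+00:00", "event": "login_failure", "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-05-02T09:00:00+00:00", "event": "login_success", "user": "bob", "ip": "203.0.113.10", "geo": (40.7128, -74.0060)},
    {"ts": "2024-05-02T09:30:00+00:00", "event": "login_success", "user": "bob", "ip": "203.0.113.200", "geo": (51.5074, -0.1278)},
    {"ts": "2024-05-02T08:00:00+00:00", "event": "login_success", "user": "eve", "ip": "203.0.113.11", "geo": (40.7128, -74.0060)},
    {"ts": "2024-05-02T16:00:00+00:00", "event": "login_success", "user": "eve", "ip": "203.0.113.12", "geo": (42.3601, -71.0589)},
    {"ts": "2024-05-02T11:00:00+00:00", "event": "role_change", "user": "carol", "actor": "carol", "actor_role": "member", "new_role": "admin"},
    {"ts": "2024-05-02T11:05:00+00:00", "event": "role_change", "user": "frank", "actor": "alice", "actor_role": "admin", "new_role": "admin"},
    {"ts": "2024-05-02T12:00:00+00:00", "event": "data_export", "user": "dave", "rows": 500000},
    {"ts": "2024-05-02T12:10:00+00:00", "event": "data_export", "user": "grace", "rows": 250},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def haversine_km(a, b) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window of login_failure per user. The staging drill uses 100;
    the constructed sample uses 5 to stay short."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login_failure":
            by_user[e["user"]].append(parse_ts(e["ts"]))
    alerts = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(("failed_login_burst", user))
    return alerts


def impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins whose implied speed beats an airliner."""
    alerts, last = set(), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "login_success" or "geo" not in e:
            continue
        prev = last.get(e["user"])
        if prev is not None:
            hours = (parse_ts(e["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if hours > 0 and haversine_km(prev["geo"], e["geo"]) / hours > max_kmh:
                alerts.add(("impossible_travel", e["user"]))
        last[e["user"]] = e
    return alerts


def privilege_escalation(events):
    """Admin granted by a non-admin, or a user granting it to themselves."""
    return {("privilege_escalation", e["user"]) for e in events
            if e["event"] == "role_change" and e.get("new_role") == "admin"
            and (e.get("actor") == e["user"] or e.get("actor_role") != "admin")}


def mass_export(events, max_rows=100_000):
    return {("mass_export", e["user"]) for e in events
            if e["event"] == "data_export" and e.get("rows", 0) > max_rows}


def run_detections(events):
    """Union of all rules, sorted so the output is stable for the pager test."""
    return sorted(failed_login_bursts(events) | impossible_travel(events)
                  | privilege_escalation(events) | mass_export(events))
```

The drill is to feed exactly these four event shapes into staging and watch for four pages; eve, frank and grace are the negatives that should stay quiet. Note that every rule depends on a field from the logging item above (actor, actor_role, geo, rows): a detection is only as good as the fields the application bothers to emit.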
Configuration and Dependency Hygiene
Run Snyk, Dependabot, or Trivy against the built image, not just the lockfile. Triage Critical and High CVEs; remediate or document a risk-accept with an owner and an expiry date. Generate the SBOM (CycloneDX or SPDX) at this step; software sold to US federal agencies is expected to ship one under EO 14028 and OMB M-22-18.
One Jira ticket per Critical with owner, fix version, and remediation deadline. Link the ticket from the release notes so the audit trail is intact. Block the release if any Critical lacks a documented mitigation.
Run Checkov or tfsec (now part of Trivy) against the Terraform plan JSON (terraform show -json plan.out). Common drift: a public S3 bucket, a security group allowing 0.0.0.0/0 on 22 or 3389, an RDS instance with publicly_accessible = true, an IAM policy with wildcard Action and Resource. Compare against the CIS AWS Foundations Benchmark.
Run gitleaks or trufflehog against the full history of the release branch, not just the diff. A secret that was rotated but still sits in history is still exposed (and is re-flagged on every scan): scrub it with git-filter-repo or BFG, and if it was ever live, rotate it again after the rewrite. Confirm pre-commit hooks and GitHub secret scanning (with push protection) are enabled to prevent recurrence.
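Added example for the scanning and ticketing items; it is not code from the page or from Manifestly. The CycloneDX document, the vulnerability feed (placeholder IDs, not real advisories) and the risk-accept register are constructed, and the gate logic is this example's reading of the two items.

```python
from datetime import date

# Constructed CycloneDX 1.5 document, trimmed to the fields the gate uses.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "pyyaml", "version": "5.4.1", "purl": "pkg:pypi/pyyaml@5.4.1"},
    ],
}

# Constructed scanner output. The IDs are placeholders, not real advisories.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/lodash@4.17.20", "severity": "Critical"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/requests@2.25.1", "severity": "Critical"},
    {"id": "EXAMPLE-0003", "purl": "pkg:pypi/pyyaml@5.4.1", "severity": "High"},
    {"id": "EXAMPLE-0004", "purl": "pkg:pypi/pyyaml@5.4.1", "severity": "Medium"},
    {"id": "EXAMPLE-0005", "purl": "pkg:npm/left-pad@1.3.0", "severity": "Critical"},  # not in the SBOM
]

# Documented risk-accepts: one ticket each, with an owner and an expiry.
RISK_ACCEPTS = {
    "EXAMPLE-0001": {"ticket": "SEC-101", "owner": "appsec", "expires": "2025-01-01"},
    "EXAMPLE-0002": {"ticket": "SEC-102", "owner": "platform", "expires": "2024-01-01"},
}


def sbom_purls(sbom) -> set[str]:
    return {c["purl"] for c in sbom.get("components", []) if "purl" in c}


def release_gate(sbom, feed, accepts, today: str):
    """Return (blocked, report). A Critical blocks unless it carries an
    unexpired risk-accept; Highs are listed for triage; findings against
    components that are not in the SBOM are dropped as scanner noise."""
    today_d = date.fromisoformat(today)
    present = sbom_purls(sbom)
    report = {"blocking": [], "accepted": [], "needs_triage": [], "expired_accepts": []}
    for v in feed:
        if v["purl"] not in present:
            continue
        accept = accepts.get(v["id"])
        if v["severity"] == "Critical":
            if accept and date.fromisoformat(accept["expires"]) > today_d:
                report["accepted"].append((v["id"], accept["ticket"]))
            else:
                if accept:
                    report["expired_accepts"].append((v["id"], accept["ticket"]))
                report["blocking"].append(v["id"])
        elif v["severity"] == "High":
            report["needs_triage"].append(v["id"])
    return bool(report["blocking"]), report
```

The expired accept is the case worth having in CI: SEC-102 was a valid decision once, and without an expiry it would quietly exempt the finding forever. The `accepted` list, with its ticket keys, is what gets pasted into the release notes.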
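Added example, not code from the page or from Manifestly: the drift checks the item lists, run over a constructed excerpt of terraform show -json output. The resource addresses and values are made up, and the checks cover only what the item names; Checkov and tfsec carry hundreds more.

```python
import json

# Constructed excerpt of `terraform show -json plan.out`.
PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group", "values": {
            "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "values": {
            "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance", "values": {
            "publicly_accessible": True, "storage_encrypted": True}},
        {"address": "aws_iam_policy.deploy", "type": "aws_iam_policy", "values": {
            "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    ],
    "child_modules": [{"address": "module.logs", "resources": [
        {"address": "module.logs.aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block", "values": {
             "block_public_acls": False, "block_public_policy": True,
             "ignore_public_acls": False, "restrict_public_buckets": True}},
    ]}],
}}}

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_BLOCK_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def iter_resources(module):
    """Walk the root module and every child module in the plan."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _opens_admin_port(rule):
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & ANYWHERE:
        return False
    if str(rule.get("protocol")) == "-1":             # "all traffic"
        return True
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_plan(plan):
    """Return (address, message) pairs for the checklist's common drift items."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        t, addr, v = res["type"], res["address"], res.get("values", {})
        if t == "aws_security_group":
            for rule in v.get("ingress") or []:
                if _opens_admin_port(rule):
                    findings.append((addr, f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"))
        elif t == "aws_security_group_rule" and v.get("type") == "ingress" and _opens_admin_port(v):
            findings.append((addr, f"ingress {v.get('from_port')}-{v.get('to_port')} open to the internet"))
        elif t == "aws_db_instance" and v.get("publicly_accessible"):
            findings.append((addr, "RDS instance publicly accessible"))
        elif t == "aws_s3_bucket_public_access_block":
            off = [k for k in PUBLIC_BLOCK_FLAGS if not v.get(k)]
            if off:
                findings.append((addr, "public access block disabled: " + ", ".join(off)))
        elif t == "aws_iam_policy":
            for stmt in json.loads(v.get("policy") or "{}").get("Statement", []):
                if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
                        and "*" in _as_list(stmt.get("Resource"))):
                    findings.append((addr, "IAM statement allows Action * on Resource *"))
    return findings
```

Running against the plan rather than the .tf files is what catches values that only resolve at plan time (a CIDR that comes from a variable, a policy assembled with jsonencode). The web security group shows the check is about the port, not the CIDR: 443 from anywhere is the intended shape for a public endpoint.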
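Added example (not code from the page or from Manifestly): a history scanner over a constructed git log -p excerpt, with known-format patterns plus an entropy heuristic, that flags removed lines as well as added ones. The AWS access key is the example key from AWS's own documentation; the GitHub token and SECRET_KEY value are invented.

```python
import math
import re

# Constructed `git log -p` excerpt: a key committed, then "removed" in a later
# commit (it is still in history), then a token and an opaque secret added.
GIT_HISTORY = """\
commit 1a2b3c4d5e6f
Author: dev <dev@example.com>

diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = "false"

commit 5e6f7a8b9c0d
Author: dev <dev@example.com>

diff --git a/config.py b/config.py
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"

commit 9c0d1e2f3a4b
Author: dev <dev@example.com>

diff --git a/settings.py b/settings.py
+SECRET_KEY = "k8Qz2pV9xT4wL7mB1nH6cY3rJ0sF5dG"
"""

KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Fallback for secrets with no fixed format: a suggestively named variable
# assigned a quoted literal of 20+ characters, scored by entropy below.
SECRET_ASSIGNMENT = re.compile(r"(?i)(secret|token|passw|key)[a-z_]*\s*[=:]\s*[\"']([^\"']{20,})[\"']")


def shannon_entropy(s: str) -> float:
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_history(text: str, entropy_threshold: float = 3.5):
    """Walk a `git log -p` stream and flag secrets on added *and removed*
    lines: a value that was later deleted is still in every clone."""
    findings, commit = [], "?"
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        change = "added" if line[0] == "+" else "removed"
        body = line[1:]
        for name, pattern in KNOWN_FORMATS.items():
            m = pattern.search(body)
            if m:
                findings.append((commit, change, name, m.group(0)[:4] + "..."))
                break
        else:
            m = SECRET_ASSIGNMENT.search(body)
            if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((commit, change, "high_entropy_assignment", m.group(2)[:4] + "..."))
    return findings
```

The second commit is the point of the item: the developer "removed" the AWS key, but the scanner still reports it, because anyone with the repository can check out commit 1a2b3c4d5e6f. The fix is the history rewrite named above plus rotation, not another commit.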
Sign-Off
If sign-off is Blocked, book a focused re-test against the failing controls before the next release window. Loop the engineering manager and incident commander into the remediation ticket so the deadline has an owner.
