Security Testing Checklist

Pre-release security testing pass run by AppSec or a senior engineer before promoting a build to production. Covers authn/authz, data protection, input validation, logging, and configuration hardening against the OWASP Top 10.

7 sections, 25 steps
1

Authentication

  1. Confirm every endpoint requires a valid session
    • Hit each route in the OpenAPI spec (or router table) with no token, an expired token, and a token signed by the wrong key; anything other than 401/403 on a non-public route is a finding. Default-allow middleware (routes opt in to authentication instead of opting out) is a common cause of unauthenticated endpoints, OWASP API2:2023 Broken Authentication.

  2. Test MFA enrollment and recovery flows
    • Verify TOTP/WebAuthn enrollment, backup-code generation, and the account-recovery path. Recovery is where MFA usually breaks — a help-desk-resettable email factor undoes the whole control.

  3. Verify password policy against NIST 800-63B
    • Minimum 8 characters for user-chosen passwords, at least 64 accepted, all printable characters allowed, breached-password check (Pwned Passwords / HIBP range API), no forced periodic rotation, no composition rules. Argon2id, scrypt, or bcrypt at the storage layer, never a fast hash such as SHA-256, salted or not.

  4. Probe for credential stuffing protections
    • Replay a list of about 1000 invalid credentials against the login endpoint with Burp Intruder or a script. Confirm rate limiting, CAPTCHA escalation, and lockout or progressive delay fire as designed. Verify both per-IP and per-username throttles exist, because attackers rotate IPs, and check that hard lockout cannot be used to lock real users out.
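
An added example for step 1 of this section, not part of the checklist or of any product it describes: a Python script that mints the three bad credentials the step calls for (none, expired, signed with the wrong key) using only the standard library, then sends each to every non-public route. The signing keys, fixed clock, route table and the two in-memory apps are constructed for illustration; the first app shows the default-allow middleware failure, the second the default-deny shape that passes. Against a real service, replace the in-memory app call with an HTTP request built from the spec.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: the service's signing key and a key the tester controls.
SERVER_KEY = b"server-signing-key"
WRONG_KEY = b"key-the-server-never-issued"
NOW = 1_700_000_000  # fixed clock so expiry checks are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT built from the standard library, no jwt package needed."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, now: int) -> Optional[dict]:
    """Claims if the signature matches `key` and `exp` is still in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url(expected), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None


# Constructed route table standing in for the OpenAPI spec; handlers just report success.
ROUTES = {
    ("GET", "/health"): lambda claims: {"status": 200},
    ("GET", "/me"): lambda claims: {"status": 200, "sub": claims["sub"]},
    ("DELETE", "/admin/users"): lambda claims: {"status": 200},
}
PUBLIC = {("GET", "/health")}


def default_allow_app(method, path, token, now):
    """Vulnerable shape: only routes someone remembered to list get an auth check."""
    protected = {("GET", "/me")}  # /admin/users was added later and never listed
    claims = verify_hs256(token, SERVER_KEY, now) if token else None
    if (method, path) in protected and claims is None:
        return {"status": 401}
    return ROUTES[(method, path)](claims or {"sub": "anonymous"})


def default_deny_app(method, path, token, now):
    """Hardened shape: every route needs a valid token unless explicitly public."""
    claims = verify_hs256(token, SERVER_KEY, now) if token else None
    if (method, path) not in PUBLIC and claims is None:
        return {"status": 401}
    return ROUTES[(method, path)](claims or {"sub": "anonymous"})


def probe(app, now=NOW):
    """Send no token, an expired token and a wrong-key token to every non-public
    route; return the (method, path, probe) triples that still got a 2xx."""
    probes = {
        "no_token": None,
        "expired": mint_hs256({"sub": "u1", "exp": now - 60}, SERVER_KEY),
        "wrong_key": mint_hs256({"sub": "u1", "exp": now + 3600}, WRONG_KEY),
    }
    findings = []
    for method, path in ROUTES:
        if (method, path) in PUBLIC:
            continue
        for name, token in probes.items():
            if 200 <= app(method, path, token, now)["status"] < 300:
                findings.append((method, path, name))
    return sorted(findings)


if __name__ == "__main__":
    print("default-allow:", probe(default_allow_app))
    print("default-deny:", probe(default_deny_app))
```

The default-allow app reports the admin route as reachable with all three bad credentials; the default-deny app reports nothing. The point of running all three probes rather than just "no token" is that a service can correctly reject missing tokens while still skipping signature or expiry checks.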

2

Authorization

  1. Test for IDOR on every resource endpoint
    • Create two test tenants and swap object IDs in URLs and request bodies. Insecure Direct Object Reference (OWASP API1:2023, Broken Object Level Authorization) is among the most common findings in B2B SaaS. Hit GET, PATCH, and DELETE, not just GET, and check that a foreign ID is answered like a missing one (404) rather than confirming the object exists (403).

  2. Verify RBAC against the role matrix
    • Walk every role (admin, member, viewer, billing) against every action in the matrix. Test vertical escalation (member → admin) and horizontal escalation (member of org A accessing org B). Common gotcha: admin endpoints gated on the UI but not the API.

  3. Confirm session timeout and revocation behavior
    • Idle timeout, absolute timeout, and forced logout on password change must all invalidate the JWT/session immediately. Stateless JWTs without a revocation list often fail this — a stolen token works until expiry.
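
An added example for steps 1 and 2 of this section (IDOR and horizontal escalation between orgs), not from the checklist itself: a Python harness that runs each of two constructed tenants against the other tenant's object over GET, PATCH and DELETE, with a fresh copy of the store per probe so a successful DELETE cannot hide the next result. The invoice store, the `Request` shape and both handlers are constructed for illustration; the vulnerable handler resolves by ID alone, the fixed one scopes the lookup to the caller's tenant.

```python
import copy
from dataclasses import dataclass, field

# Constructed store: two tenants, each owning one invoice.
INVOICES = {
    "inv_1": {"tenant": "org_a", "amount": 100},
    "inv_2": {"tenant": "org_b", "amount": 250},
}


@dataclass
class Request:
    method: str
    path: str
    tenant: str  # taken from the caller's validated session, never from the request body
    body: dict = field(default_factory=dict)


def _apply(store, inv_id, req):
    """Perform the verb once the object has been resolved."""
    if req.method == "GET":
        return 200
    if req.method == "PATCH":
        store[inv_id].update(req.body)
        return 200
    if req.method == "DELETE":
        del store[inv_id]
        return 204
    return 405


def vulnerable_handler(store, req):
    """Resolves the object by ID alone; ownership is never consulted."""
    inv_id = req.path.rsplit("/", 1)[1]
    if inv_id not in store:
        return 404
    return _apply(store, inv_id, req)


def fixed_handler(store, req):
    """Scopes the lookup to the caller's tenant. A foreign ID is answered exactly
    like a missing one, so the ID space cannot be enumerated through 403s."""
    inv_id = req.path.rsplit("/", 1)[1]
    if inv_id not in store or store[inv_id]["tenant"] != req.tenant:
        return 404
    return _apply(store, inv_id, req)


def idor_matrix(handler):
    """Each tenant tries the other tenant's invoice over GET, PATCH and DELETE.
    Returns the (tenant, method, object) combinations that succeeded."""
    findings = []
    for method in ("GET", "PATCH", "DELETE"):
        for tenant, foreign_id in (("org_a", "inv_2"), ("org_b", "inv_1")):
            store = copy.deepcopy(INVOICES)  # fresh state per probe
            req = Request(method, f"/invoices/{foreign_id}", tenant, {"amount": 0})
            if handler(store, req) < 400:
                findings.append((tenant, method, foreign_id))
    return findings


def owner_access_ok(handler):
    """A tenant must still reach its own object, or the fix has broken the feature."""
    store = copy.deepcopy(INVOICES)
    return all(
        handler(store, Request(m, "/invoices/inv_1", "org_a", {"amount": 1})) < 300
        for m in ("GET", "PATCH")
    )


if __name__ == "__main__":
    print("vulnerable:", idor_matrix(vulnerable_handler))
    print("fixed:", idor_matrix(fixed_handler))
```

The vulnerable handler yields six findings (both tenants, all three verbs); the fixed handler yields none while owner access still works. The same matrix shape extends to every resource type and role in the RBAC matrix from step 2.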

3

Data Protection

  1. Verify TLS configuration with SSL Labs
    • Run Qualys SSL Labs against every public hostname (testssl.sh for anything it cannot reach); require A or A+. TLS 1.2 minimum, HSTS with preload, no RC4, 3DES, TLS 1.0 or TLS 1.1. Internal service-to-service traffic should also be mTLS or service-mesh encrypted, not cleartext inside the VPC.

  2. Confirm encryption at rest for databases and buckets
    • RDS, S3, EBS volumes, and snapshots all encrypted with customer managed KMS keys rather than the AWS managed default keys when in SOC 2 / HIPAA scope, so you control the key policy and rotation. Check that backup destinations, cross-region snapshot copies, and replicas inherit encryption; read replicas are a common gap.

  3. Scan logs and error responses for PII leakage
    • Grep the last 7 days of application logs for email addresses, bearer tokens/JWTs, full card numbers (PANs), and SSNs, and verify the Datadog/Splunk scrubbers are catching them. Stack traces returned to clients (FastAPI/Starlette with debug=True, Rails development error pages) must be impossible in production.
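
An added example for this step, not part of the checklist: a Python scanner that runs the four pattern classes above over constructed log lines and applies a Luhn check to card-number candidates, which is what keeps a 16-digit order ID from being reported as a PAN. The log lines and the exact regexes are constructed for illustration; the `scrub` function produces the redaction the pipeline scrubber should reproduce.

```python
import re

# Constructed sample lines; none of these values are real.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO login ok user=alice@example.com ip=203.0.113.7",
    "2024-05-01T10:00:01Z DEBUG outbound Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.abc123DEF456ghi789",
    "2024-05-01T10:00:02Z INFO charge card=4111111111111111 amount=19.99",
    "2024-05-01T10:00:03Z INFO order id=1234567890123456 status=shipped",
    "2024-05-01T10:00:04Z WARN kyc ssn=078-05-1120 failed",
    "2024-05-01T10:00:05Z INFO healthcheck ok",
]

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "pan": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),  # 14-19 digits, optional separators
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates a card number from an order ID of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", candidate))


def scan(lines):
    """Return (line_no, kind, value) for every hit; PAN candidates must pass Luhn."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "pan" and not _is_pan(m.group()):
                    continue
                hits.append((n, kind, m.group()))
    return hits


def scrub(line: str) -> str:
    """Redaction the log pipeline scrubber should reproduce."""
    for kind, rx in PATTERNS.items():
        if kind == "pan":
            line = rx.sub(lambda m: "[PAN]" if _is_pan(m.group()) else m.group(), line)
        else:
            line = rx.sub(f"[{kind.upper()}]", line)
    return line


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Run this over the exported 7-day log sample before and after the scrubber; any hit on the post-scrubber output is a scrubber gap. The Luhn filter trades a little recall for far fewer false positives on numeric IDs and timestamps.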

  4. Review KMS key rotation and access policy
    • Automatic rotation enabled on every customer managed key (yearly by default), key policy restricted to the specific service roles that need Decrypt, no wildcard principals, and the account-root statement understood as delegating to IAM rather than as a restriction. Confirm CloudTrail is recording KMS Decrypt calls; that audit trail is the SOC 2 evidence.
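
An added example for the key-policy part of this step, not part of the checklist: a Python linter over two constructed KMS key policies (the account ID, role names and Sids are placeholders) that flags wildcard principals and any statement granting a plaintext-yielding action to a principal outside an approved set. The default root-principal statement is flagged deliberately, because it hands Decrypt to every IAM policy in the account.

```python
import fnmatch
import json

# Constructed policies; the account ID and role names are placeholders.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowEveryone", "Effect": "Allow",
     "Principal": "*",
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}
  ]
}
""")

HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/kms-admin"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*",
                "kms:TagResource", "kms:ScheduleKeyDeletion"],
     "Resource": "*"},
    {"Sid": "OrdersApiDecrypt", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/orders-api"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}
  ]
}
""")

APPROVED_DECRYPT_PRINCIPALS = {"arn:aws:iam::123456789012:role/orders-api"}

# Operations that return plaintext, or a data key that is plaintext.
PLAINTEXT_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom",
                     "kms:GenerateDataKey", "kms:GenerateDataKeyPair")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    p = stmt.get("Principal", {})
    if isinstance(p, dict):
        return [x for vals in p.values() for x in _as_list(vals)]
    return _as_list(p)  # the bare "*" form


def _yields_plaintext(actions):
    """IAM action matching is case-insensitive and `*` is a glob."""
    return any(fnmatch.fnmatchcase(want.lower(), a.lower())
               for a in _as_list(actions) for want in PLAINTEXT_ACTIONS)


def lint_key_policy(policy, approved):
    """Return (Sid, issue) pairs: wildcard principals, and plaintext-yielding grants
    to any principal outside the approved set."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        if "*" in principals:
            findings.append((sid, "wildcard principal"))
        if _yields_plaintext(stmt.get("Action", [])):
            for p in principals:
                if p not in approved:
                    findings.append((sid, f"plaintext access granted to unapproved principal {p}"))
    return findings


if __name__ == "__main__":
    print(lint_key_policy(WEAK_POLICY, APPROVED_DECRYPT_PRINCIPALS))
    print(lint_key_policy(HARDENED_POLICY, APPROVED_DECRYPT_PRINCIPALS))
```

Feed it the output of `aws kms get-key-policy --policy-name default` for each key in scope. The linter does not evaluate `Condition` blocks (for example `kms:ViaService`), so a conditioned grant to a broad principal still needs a human look.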

4

Input Validation and Injection

  1. Run SAST against the release branch
    • Trigger Semgrep or CodeQL on the release SHA. Triage every High and Critical; document risk-accepts on Medium. Pay attention to taint-flow findings (user input → SQL query, user input → shell exec) — those are the real bugs.

  2. Capture the SAST scan result
    • Captured as a list field: the findings from the scan above, with their triage status.
  3. Test for XSS, CSRF, and SQLi
    • Run the OWASP ZAP active scan against staging. Manually verify CSP headers, SameSite cookies, and CSRF tokens on state-changing endpoints. Parameterized queries everywhere — grep for any string concatenation that touches user input near a SQL call.

  4. Validate allowlist-based input handling
    • Inputs constrained to a known set (enums, regex, schema) instead of stripping bad characters. Pydantic / JSON Schema / Joi at the boundary is the right shape; per-field denylists are not. Normalize (NFKC) before validating, reject unknown fields, and test with Unicode edge cases (homoglyphs, RTL overrides, fullwidth forms).
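
An added example for this step, not part of the checklist: a stdlib-only Python validator for a hypothetical "update profile" request that normalizes to NFKC, refuses control and format characters (which is where U+202E RIGHT-TO-LEFT OVERRIDE lives), then checks every field against an allowlist and rejects unknown fields. The field names, allowlists and the contrasting denylist function are constructed for illustration; the same shape maps directly onto a Pydantic model or JSON Schema.

```python
import re
import unicodedata
from typing import Optional

# Constructed allowlists for a hypothetical "update profile" endpoint.
USERNAME_RX = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
STATUS_ENUM = {"active", "suspended", "pending"}
COUNTRY_RX = re.compile(r"^[A-Z]{2}$")
KNOWN_FIELDS = {"username", "status", "country"}


class ValidationError(ValueError):
    pass


def normalize(value) -> str:
    """NFKC-fold compatibility forms (fullwidth letters and the like), then refuse
    control/format/unassigned/private-use/surrogate code points. U+202E and zero-width
    joiners are category Cf, so they never reach the field check."""
    if not isinstance(value, str):
        raise ValidationError("not a string")
    folded = unicodedata.normalize("NFKC", value)
    for ch in folded:
        if unicodedata.category(ch) in ("Cc", "Cf", "Cn", "Co", "Cs"):
            raise ValidationError(f"disallowed character U+{ord(ch):04X}")
    return folded


def validate_profile(payload: dict) -> dict:
    """Allowlist every field; unknown fields are an error, not silently dropped."""
    unknown = set(payload) - KNOWN_FIELDS
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    username = normalize(payload.get("username", ""))
    if not USERNAME_RX.match(username):
        raise ValidationError("username must match [a-z][a-z0-9_]{2,31}")
    status = normalize(payload.get("status", ""))
    if status not in STATUS_ENUM:
        raise ValidationError("status not in enum")
    country = normalize(payload.get("country", ""))
    if not COUNTRY_RX.match(country):
        raise ValidationError("country must be two uppercase letters")
    return {"username": username, "status": status, "country": country}


def denylist_sanitize(value: str) -> str:
    """The per-field denylist the checklist warns against: strips a few bad
    characters and passes everything else, overrides included, straight through."""
    return re.sub(r"[<>'\";]", "", value)


def check(payload) -> Optional[dict]:
    """Validated payload, or None if rejected (convenience wrapper)."""
    try:
        return validate_profile(payload)
    except ValidationError:
        return None


if __name__ == "__main__":
    print(check({"username": "\uff41\uff44\uff4d\uff49\uff4e", "status": "active", "country": "DE"}))
    print(check({"username": "\u0430dmin", "status": "active", "country": "DE"}))
    print(repr(denylist_sanitize("admin\u202e")))
```

Two behaviours worth noting from the cases in `__main__`: fullwidth "ａｄｍｉｎ" normalizes to "admin" and is accepted, so uniqueness checks (is this username taken?) must run on the normalized form or two accounts can collide; a Cyrillic "а" in "аdmin" survives NFKC, which is exactly why the allowlist regex, not normalization, is what rejects the homoglyph.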

5

Logging and Monitoring

  1. Audit security event coverage in logs
    • Login success/failure, MFA events, password reset, role change, permission grant, key access, and admin actions all log who/what/when/from-where. SOC 2 CC7.2 evidence. Confirm logs are append-only and shipped off the host (CloudWatch, Splunk).

  2. Validate alerting on suspicious patterns
    • Trigger known-bad patterns in staging (100 failed logins, impossible-travel login, privilege escalation, mass data export) and confirm a PagerDuty alert fires within SLA. Detection often breaks silently when alert routing changes, so exercise the whole path to the pager, not just the rule.

  3. Confirm log retention meets compliance scope
    • Retention requirements differ by framework: PCI DSS requires 12 months of audit log history with at least the most recent 3 months immediately available; HIPAA requires 6 years for required documentation, which most programs apply to audit logs; SOC 2 sets no fixed period, so the control is that you meet whatever your own policy commits to (12 months is typical). Verify retention is enforced at the storage tier (S3 lifecycle rules, CloudWatch log-group retention), not only in a policy document.

6

Configuration and Dependency Hygiene

  1. Run SCA on the release artifact
    • Snyk, Dependabot, or Trivy against the built container image, not just the lockfile, so base-image CVEs are included. Triage Critical and High CVEs; remediate or document a risk-accept with an expiry date. Generate the SBOM (CycloneDX or SPDX) at this step; EO 14028 and the follow-on OMB guidance expect software sold to federal agencies to ship with one.

  2. Capture the dependency scan result
    • Captured as list, number, and file fields: the Critical/High findings, their count, and the scan output with the SBOM.
  3. File tickets for open critical CVEs
    • One Jira ticket per critical with owner, fix version, and remediation deadline. Link the ticket from the release notes so the auditor trail is intact. Block release if any critical lacks a documented mitigation.

  4. Review IaC for hardening drift
    • Run Checkov or tfsec/Trivy against the Terraform plan (not only the HCL, so module inputs and defaults are resolved). Common drift: public S3 bucket ACL or disabled public access block, security group 0.0.0.0/0 on 22 or 3389, RDS publicly accessible, IAM policy with wildcard Action plus wildcard Resource. Compare against the CIS AWS Foundations Benchmark.
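
An added example for this step, not part of the checklist and not Checkov's or tfsec's own rules: a Python checker over a constructed, trimmed `terraform show -json` plan that implements the four drift cases listed above. The resource addresses, attribute values and the IAM documents are constructed for illustration; only the root module is walked (child modules sit under `child_modules` in the real format).

```python
import json

# Constructed plan in the shape of `terraform show -json plan.out`, trimmed to the fields checked.
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "values": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.app", "type": "aws_security_group",
     "values": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"address": "aws_s3_bucket_acl.assets", "type": "aws_s3_bucket_acl",
     "values": {"bucket": "assets", "acl": "public-read"}},
    {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
     "values": {"bucket": "logs", "block_public_acls": True, "block_public_policy": True,
                "ignore_public_acls": True, "restrict_public_buckets": False}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "values": {"publicly_accessible": True, "storage_encrypted": True}},
    {"address": "aws_iam_policy.deploy", "type": "aws_iam_policy",
     "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"address": "aws_iam_policy.reader", "type": "aws_iam_policy",
     "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::assets/*"}]})}},
]}}}

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _open_admin_ingress(values) -> bool:
    """True if any ingress rule exposes 22 or 3389 (or all ports) to the world."""
    for rule in values.get("ingress") or []:
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        exposed = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        all_ports = lo == 0 and hi == 0  # protocol -1 style rule
        if exposed & ANYWHERE and (all_ports or any(lo <= p <= hi for p in ADMIN_PORTS)):
            return True
    return False


def _wildcard_admin(policy_doc) -> bool:
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return True
    return False


def check_plan(plan):
    """Return (resource address, issue) pairs for the drift cases in the checklist."""
    findings = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        t, v, addr = res["type"], res.get("values") or {}, res["address"]
        if t == "aws_security_group" and _open_admin_ingress(v):
            findings.append((addr, "admin port open to the world"))
        elif t == "aws_s3_bucket_acl" and str(v.get("acl", "")).startswith("public-"):
            findings.append((addr, "public bucket ACL"))
        elif t == "aws_s3_bucket_public_access_block" and not all(v.get(k) for k in PAB_FLAGS):
            findings.append((addr, "public access block not fully enabled"))
        elif t == "aws_db_instance" and v.get("publicly_accessible"):
            findings.append((addr, "RDS publicly accessible"))
        elif t == "aws_iam_policy":
            raw = v.get("policy") or "{}"
            doc = json.loads(raw) if isinstance(raw, str) else raw
            if _wildcard_admin(doc):
                findings.append((addr, "IAM policy allows Action * on Resource *"))
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

Wire it in as `terraform plan -out=plan.out && terraform show -json plan.out | python check_plan.py` with a non-zero exit on findings; the value of scanning the plan rather than the HCL is that variables and module defaults are already resolved, so `publicly_accessible = var.public` is judged on its actual value.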

  5. Scan for committed secrets in git history
    • Run gitleaks or trufflehog against the full history of the release branch, not just the diff. Treat any secret found in history as compromised and rotate it first; scrubbing with git-filter-repo or BFG removes it from the repository but not from clones, forks, or CI caches that already pulled it. Confirm pre-commit hooks and GitHub secret scanning (with push protection) are enabled to prevent recurrence.

7

Sign-Off

  1. Issue the release security sign-off
    • Captured as list, paragraph, and signature fields: the open findings with their risk-accept status, the sign-off decision and rationale (Approved or Blocked), and the approver's signature.
  2. Schedule a follow-up pen test if blocked
    • If sign-off is Blocked, book a focused re-test against the failing controls before the next release window. Loop the engineering manager and incident commander into the remediation ticket so the deadline has an owner.
