SANS SWAT Checklist

Error handling & logging

  • Display generic error messages.

  • No unhandled exceptions.

  • Suppress framework-generated errors.

  • Log all authentication activities.

  • Log all privilege changes.

  • Log administrative activities.

  • Log access to sensitive data.

  • Do not log inappropriate data.

  • Store logs securely.

Data protection

  • Use SSL everywhere.

  • Disable HTTP access for all SSL-enabled resources.

  • Use the Strict-Transport-Security header.

  • Store user passwords using a strong, iterative, salted hash.

  • Securely exchange encryption keys.

  • Disable weak SSL ciphers on servers.

  • Use valid SSL certificates from a reputable CA.

  • Disable data caching using cache control headers and autocomplete.

  • Limit the use and storage of sensitive data.

Configuration and operations

  • Establish a rigorous change management process.

  • Define security requirements.

  • Conduct a design review.

  • Perform code reviews.

  • Perform security testing.

  • Harden the infrastructure.

  • Define an incident handling plan.

  • Educate the team on security.

Authentication

  • Don't hardcode credentials.

  • Develop a strong password reset system.

  • Implement a strong password policy.

  • Implement account lockout against brute force attacks.

  • Don't disclose too much information in error messages.

  • Store database credentials securely.

  • Applications and Middleware should run with minimal privileges.

Session management

  • Ensure that session identifiers are sufficiently random.

  • Regenerate session tokens.

  • Implement an idle session timeout.

  • Implement an absolute session timeout.

  • Destroy sessions at any sign of tampering.

  • Invalidate the session after logout.

  • Place a logout button on every page.

  • Use secure cookie attributes (i.e. the HttpOnly and Secure flags).

  • Set the cookie domain and path correctly.

  • Set the cookie expiration time.

Input & output handling

  • Conduct contextual output encoding.

  • Prefer whitelists over blacklists.

  • Use parameterized SQL queries.

  • Use tokens to prevent forged requests.

  • Set the encoding for your application.

  • Validate uploaded files.

  • Use the X-Content-Type-Options: nosniff header for uploaded content.

  • Validate the source of input.

  • Use the X-Frame-Options header.

  • Use Content Security Policy (CSP) or X-XSS-Protection headers.
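Several items in the data protection, session management and input/output sections (HSTS, cache control, cookie flags, declared encoding, nosniff, X-Frame-Options, CSP or X-XSS-Protection) can be checked mechanically against a captured HTTP response. The Python below is an added example and not part of the SANS checklist; the header and cookie names are the standard ones, and the sample response is constructed.

```python
# Added example, not part of the SANS checklist: audit captured HTTP response
# headers against the header and cookie items in the checklist. Input is the
# list of (name, value) pairs a proxy or test client records; headers may repeat.
from typing import Dict, List, Tuple

def _values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    # All values of a header, matched case-insensitively.
    return [v for k, v in headers if k.lower() == name.lower()]

def _hsts_max_age(value: str) -> int:
    """Parse max-age from a Strict-Transport-Security value; 0 if absent or invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0

def _cookie_attrs(set_cookie: str) -> set:
    """Attribute names following the name=value pair of a Set-Cookie header."""
    return {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}

def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Map each header/cookie checklist item to True (satisfied) or False (finding)."""
    def get(name: str) -> List[str]: return _values(headers, name)
    cookies = get("Set-Cookie")
    return {
        "hsts": any(_hsts_max_age(v) > 0 for v in get("Strict-Transport-Security")),
        "nosniff": any(v.strip().lower() == "nosniff" for v in get("X-Content-Type-Options")),
        "x_frame_options": any(v.strip().lower() in ("deny", "sameorigin") for v in get("X-Frame-Options")),
        "csp_or_xss_protection": bool(get("Content-Security-Policy"))
        or any(v.strip().startswith("1") for v in get("X-XSS-Protection")),
        "cache_control_no_store": any("no-store" in v.lower() for v in get("Cache-Control")),
        "charset_declared": any("charset=" in v.lower() for v in get("Content-Type")),
        # Every cookie, not only the session cookie, needs both Secure and HttpOnly.
        "cookie_flags": bool(cookies) and all({"secure", "httponly"} <= _cookie_attrs(c) for c in cookies),
    }

def failing_items(headers: List[Tuple[str, str]]) -> List[str]:
    # Checklist items the response fails, sorted for stable reporting.
    return sorted(item for item, ok in audit_headers(headers).items() if not ok)

# Constructed sample response (not a real capture): no CSP header and one
# cookie without Secure/HttpOnly, so exactly two items fail.
SAMPLE_RESPONSE: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
```

Running `failing_items(SAMPLE_RESPONSE)` reports the two items the sample misses; an empty header list fails every item, which is the expected result for a response that sets none of them.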

Access control

  • Apply access control checks consistently.

  • Apply the principle of least privilege.

  • Don’t use direct object references for access control checks.

  • Don’t use unvalidated forwards or redirects.
