Skip to content

Instantly share code, notes, and snippets.

@hanief

hanief/SecurityChecklist.md

Forked from al3rez/SecurityChecklist.md
Created March 27, 2025 00:23
Show Gist options
  • Save hanief/d166170bf7aebb57c5baa33223d8018f to your computer and use it in GitHub Desktop.
Save hanief/d166170bf7aebb57c5baa33223d8018f to your computer and use it in GitHub Desktop.
Download ZIP
Raw
SecurityChecklist.md

Security Checklist

Configuration Security

  • Store secrets in environment variables or dedicated secret management systems
  • Never commit secrets to version control
  • Implement secret rotation policies
  • Use different credentials for different environments
  • Encrypt sensitive configuration values

Authentication & Authorization

  • Implement proper authentication mechanisms
  • Use OAuth 2.0 or OpenID Connect where appropriate
  • Implement role-based access control (RBAC)
  • Follow the principle of least privilege
  • Implement multi-factor authentication (MFA) for sensitive operations

Data Protection

  • Encrypt data at rest
  • Encrypt data in transit (TLS/HTTPS)
  • Implement proper key management
  • Sanitize and validate all inputs
  • Implement output encoding to prevent XSS attacks
  • Apply proper database security controls

API Security

  • Implement rate limiting
  • Set appropriate timeouts
  • Use API keys/tokens with proper scopes
  • Validate and sanitize all API inputs
  • Implement proper error handling that doesn't leak sensitive information

Infrastructure Security

  • Use container security scanning
  • Implement network segmentation
  • Apply security hardening to containers and hosts
  • Use Web Application Firewalls (WAF) where appropriate
  • Implement proper egress filtering

Logging & Monitoring

  • Implement security event logging
  • Use centralized log collection and analysis
  • Configure alerts for suspicious activities
  • Implement audit trails for sensitive operations
  • Ensure logs don't contain sensitive information

Dependency Management

  • Regularly scan dependencies for vulnerabilities
  • Implement a process for updating vulnerable dependencies
  • Use dependency lockfiles for deterministic builds
  • Vet third-party libraries before inclusion
  • Minimize dependency footprint

Resilience & Availability

  • Implement proper error handling
  • Design for graceful degradation
  • Protect against DoS attacks
  • Implement circuit breakers for external services
  • Have a tested disaster recovery plan

SDLC Security

  • Perform regular security testing (SAST, DAST, IAST)
  • Implement secure code review processes
  • Conduct regular penetration testing
  • Maintain a vulnerability management program
  • Implement proper CI/CD security controls

Compliance & Governance

  • Document security controls
  • Implement proper data retention policies
  • Ensure compliance with relevant regulations (GDPR, HIPAA, etc.)
  • Conduct regular security awareness training
  • Establish incident response procedures
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment