Slide 20
SOFTWARE: THE MINIMUM
• If your code accesses another service (e.g., a database, queue, or application)…
  ☐ Does it have only least-privilege access to the services it needs?
  ☐ Does it authenticate to the service with its own unique set of credentials?
• If your code processes data…
  ☐ Does it mask or omit personally identifiable information (PII)?
  ☐ Does it encrypt the data (with keys for data at rest and TLS for data in transit)?
  ☐ Can you track transactions or failed logins with logs or metrics?
• If you are using third-party dependencies…
  ☐ Are you verifying their checksums and signatures?
  ☐ Have you scanned them for potential security issues (e.g., making unauthorized external calls)?
  ☐ Are the dependencies updated and pinned to a specific version?
☐ Is your code secured by authentication?
☐ Did you do static application security testing (SAST) on your code?
☐ Did you do dynamic application security testing (DAST) on your code?
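As an added worked example (not part of the original slides), here is how the "verify checksums" and "pinned to a version" items for third-party dependencies can be turned into an automated build check for Python packages. The script parses a hash-pinned lockfile written in the style of pip's requirements format, computes the SHA-256 of each downloaded archive, and compares it in constant time against the pinned digest; a floating version range, a missing digest, or a digest mismatch each produce a distinct finding. The package names, lockfile contents and archive bytes are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample "downloaded archives" for three dependencies. In practice
# these would be the wheel/sdist bytes fetched from the package index.
ARTIFACTS = {
    "examplelib": b"constructed archive bytes for examplelib 1.2.3",
    "otherlib": b"constructed archive bytes for otherlib 0.9.0",
    "unpinnedlib": b"constructed archive bytes for unpinnedlib 2.4.0",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an archive, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile in the style of a hash-pinned requirements file.
# examplelib carries the correct digest; otherlib carries a deliberately wrong
# one (simulating a tampered or substituted archive); unpinnedlib has no exact
# version pin at all.
LOCKFILE = (
    "# constructed hash-pinned lockfile\n"
    f"examplelib==1.2.3 --hash=sha256:{sha256_hex(ARTIFACTS['examplelib'])}\n"
    f"otherlib==0.9.0 --hash=sha256:{'0' * 64}\n"
    "unpinnedlib>=2.0\n"
)

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-fA-F]{64})")


def parse_lockfile(text: str) -> dict:
    """Map package name -> (exact version or None, [allowed SHA-256 digests])."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            # Any specifier other than '==' (>=, ~=, bare name, ...) is not an exact pin.
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
            pins[name] = (None, [])
            continue
        digests = [d.lower() for d in HASH_RE.findall(m.group("rest"))]
        pins[m.group("name")] = (m.group("version"), digests)
    return pins


def verify_dependency(name: str, data: bytes, pins: dict) -> str:
    """Classify one downloaded archive against the lockfile.

    Returns one of: 'ok', 'mismatch', 'unpinned', 'nohash', 'unknown'.
    """
    if name not in pins:
        return "unknown"       # not declared in the lockfile at all
    version, digests = pins[name]
    if version is None:
        return "unpinned"      # floating version range: fails the pinning check
    if not digests:
        return "nohash"        # pinned version but no digest to verify against
    actual = sha256_hex(data)
    # Constant-time comparison against each allowed digest.
    if any(hmac.compare_digest(actual, expected) for expected in digests):
        return "ok"
    return "mismatch"          # archive differs from what was reviewed and pinned


def audit(artifacts: dict, lockfile_text: str) -> dict:
    """Audit every downloaded archive; also flag lockfile entries with no archive."""
    pins = parse_lockfile(lockfile_text)
    results = {name: verify_dependency(name, data, pins)
               for name, data in artifacts.items()}
    for name in pins:
        results.setdefault(name, "missing")
    return results


def is_clean(results: dict) -> bool:
    """True only when every dependency verified; anything else should fail the build."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    report = audit(ARTIFACTS, LOCKFILE)
    for name, status in sorted(report.items()):
        print(f"{name:12s} {status}")
    print("build may proceed" if is_clean(report) else "build blocked")
```

Running the script reports `examplelib ok`, `otherlib mismatch` and `unpinnedlib unpinned`, so the build is blocked. The design point is that every outcome other than a verified match fails closed: a missing digest or a floating range is treated as a finding rather than silently accepted. For real pip-managed projects the same policy is available natively through `pip install --require-hashes -r <lockfile>`; this example only covers the checksum half of the slide's item, and signature verification of the archives is a separate step layered on top.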