Checklist: Architecture and Design Review


Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Improving Web Application Security: Threats and Countermeasures

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2003

Applies to:

  • Web Applications
  • ASP.NET version 1.1
  • .NET Framework version 1.1

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: Architecture and Design Review Checklist covers aspects of the architecture and design stages of the project life cycle, including: input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, and auditing and logging.


  • How to Use This Checklist
  • Deployment and Infrastructure Considerations
  • Application Architecture and Design Considerations

How to Use This Checklist

This checklist is a companion to Chapter 4, "Design Guidelines for Secure Web Applications," and Chapter 5, "Architecture and Design Review for Security." Use it to help you perform architecture and design reviews to evaluate the security of your Web applications and to implement the design guidelines in Chapter 4.

This checklist should evolve based on the experience you gain from performing reviews. You might also want to perform custom checks that are based on a specific aspect of your architecture or design to ensure that your deployment environment supports the design.

Deployment and Infrastructure Considerations

  • The design identifies, understands, and accommodates the company security policy.
  • Restrictions imposed by infrastructure security (including available services, protocols, and firewall restrictions) are identified.
  • The design recognizes and accommodates restrictions imposed by hosting environments (including application isolation requirements).
  • The target environment code-access-security trust level is known.
  • The design identifies the deployment infrastructure requirements and the deployment configuration of the application.
  • Domain structures, remote application servers, and database servers are identified.
  • The design identifies clustering requirements.
  • The design identifies the application configuration maintenance points (such as what needs to be configured and what tools are available for an IDC admin).
  • Secure communication features provided by the platform and the application are known.
  • The design addresses Web farm considerations (including session state management, machine-specific encryption keys, Secure Sockets Layer (SSL), certificate deployment issues, and roaming profiles).
  • The design identifies the certificate authority (CA) to be used by the site to support SSL.
  • The design addresses the required scalability and performance criteria.

Application Architecture and Design Considerations

Input Validation

  • All entry points and trust boundaries are identified by the design.
  • Input validation is applied whenever input is received from outside the current trust boundary.
  • The design assumes that user input is malicious.
  • Centralized input validation is used where appropriate.
  • The input validation strategy that the application adopted is modular and consistent.
  • The validation approach is to constrain, reject, and then sanitize input. (Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input.)
  • Data is validated for type, length, format, and range.
  • The design addresses potential canonicalization issues.
  • Input file names and file paths are avoided where possible.
  • The design addresses potential SQL injection issues.
  • The design addresses potential cross-site scripting issues.
  • The design does not rely on client-side validation.
  • The design applies defense in depth to the input validation strategy by providing input validation across tiers.
  • Output that contains input is encoded using HtmlEncode and UrlEncode.
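The following is an added example (not part of the original checklist or of the patterns & practices code) showing how the "constrain, reject, then sanitize" items above look in code: fields are constrained by type, length, format and range, unknown entry points are rejected, a user-supplied path is canonicalized before it is compared against the document root, and output that contains input is encoded. The field rules, root directory and sample values are constructed for the example.

```python
import html
import posixpath
import re
from urllib.parse import quote

# Constructed field rules for this example: each field is constrained by
# type, length, format (regex) and range; anything else is rejected.
FIELD_RULES = {
    "username": {"max_len": 20, "pattern": re.compile(r"[A-Za-z0-9_]+")},
    "quantity": {"min": 1, "max": 100},
}

class ValidationError(ValueError):
    pass

def validate_field(name, raw):
    """Constrain first: accept only known-good values, reject everything else."""
    rule = FIELD_RULES[name]
    if "pattern" in rule:
        if len(raw) > rule["max_len"] or not rule["pattern"].fullmatch(raw):
            raise ValidationError(f"{name}: bad length or format")
        return raw
    if not re.fullmatch(r"\d{1,4}", raw):          # type check before int()
        raise ValidationError(f"{name}: not a small non-negative integer")
    value = int(raw)
    if not rule["min"] <= value <= rule["max"]:    # range check
        raise ValidationError(f"{name}: out of range")
    return value

def validate_form(form):
    """Only the designed entry points are accepted: no missing or extra fields."""
    if set(form) != set(FIELD_RULES):
        raise ValidationError("unexpected or missing fields")
    return {name: validate_field(name, form[name]) for name in FIELD_RULES}

def resolve_under_root(root, user_path):
    """Canonicalize a user-supplied relative path, then confirm it is still under root."""
    full = posixpath.normpath(posixpath.join(root, user_path))
    if not full.startswith(root.rstrip("/") + "/"):
        raise ValidationError("path escapes the document root")
    return full

def render_greeting(username):
    """Output that contains input is encoded (HtmlEncode/UrlEncode equivalents)."""
    return (f'<a href="/users/{quote(username, safe="")}">'
            f"Hello, {html.escape(username, quote=True)}</a>")
```

Because the decision is made on the canonical form, the path check cannot be bypassed by an encoding that the string comparison alone would not recognize.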

Authentication

  • Application trust boundaries are identified by the design.
  • The design identifies the identities that are used to access resources across the trust boundaries.
  • The design partitions the Web site into public and restricted areas using separate folders.
  • The design identifies service account requirements.
  • The design identifies secure storage of credentials that are accepted from users.
  • The design identifies the mechanisms to protect the credentials over the wire (SSL, IPSec, encryption, and so on).
  • Account management policies are taken into consideration by the design.
  • The design ensures that minimum error information is returned in the event of authentication failure.
  • The identity that is used to authenticate with the database is identified by the design.
  • If SQL authentication is used, credentials are adequately secured over the wire (SSL or IPSec) and in storage (DPAPI).
  • The design adopts a policy of using least-privileged accounts.
  • Password digests (with salt) are stored in the user store for verification.
  • Strong passwords are used.
  • Authentication tickets (cookies) are not transmitted over non-encrypted connections.
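An added example (not from the original guide) of three of the items above working together: the user store holds only a per-user random salt and a password digest, a strength policy is enforced at account creation, and the failure path returns the same minimal message whether the account is unknown or the password is wrong. The in-memory store, the PBKDF2 work factor and the strength rule are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example; a real design keeps
# it in a database and never holds the plain-text password anywhere.
USER_STORE = {}
ITERATIONS = 100_000      # PBKDF2 work factor; an assumption for this example
GENERIC_FAILURE = "Invalid username or password"

def password_is_strong(password):
    """Minimal strength policy (assumption): length plus mixed character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= 12 and sum(classes) >= 3

def _digest(password, salt):
    """Salted, iterated digest: equal passwords give different stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def create_account(username, password):
    """Store only a per-user random salt and the digest, never the password."""
    if not password_is_strong(password):
        raise ValueError("password does not meet the strength policy")
    salt = os.urandom(16)
    USER_STORE[username] = {"salt": salt, "digest": _digest(password, salt)}

def authenticate(username, password):
    """Return (ok, message); the failure message is the same for every cause."""
    record = USER_STORE.get(username)
    if record is None:
        _digest(password, b"\x00" * 16)   # same cost for unknown users
        return False, GENERIC_FAILURE
    candidate = _digest(password, record["salt"])
    if not hmac.compare_digest(candidate, record["digest"]):
        return False, GENERIC_FAILURE
    return True, "OK"
```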

Authorization

  • The role design offers sufficient separation of privileges (the design considers authorization granularity).
  • Multiple gatekeepers are used for defense in depth.
  • The application's login is restricted in the database to access specific stored procedures.
  • The application's login does not have permissions to access tables directly.
  • Access to system-level resources is restricted.
  • The design identifies code access security requirements. Privileged resources and privileged operations are identified.
  • All identities that are used by the application are identified and the resources accessed by each identity are known.

Configuration Management

  • Administration interfaces are secured (strong authentication and authorization is used).
  • Remote administration channels are secured.
  • Configuration stores are secured.
  • Configuration secrets are not held in plain text in configuration files.
  • Administrator privileges are separated based on roles (for example, site content developer or system administrator).
  • Least-privileged process accounts and service accounts are used.

Sensitive Data

  • Secrets are not stored unless necessary. (Alternate methods have been explored at design time.)
  • Secrets are not stored in code.
  • Database connections, passwords, keys, or other secrets are not stored in plain text.
  • The design identifies the methodology to store secrets securely. (Appropriate algorithms and key sizes are used for encryption. It is preferable that DPAPI is used to store configuration data to avoid key management.)
  • Sensitive data is not logged in clear text by the application.
  • The design identifies protection mechanisms for sensitive data that is sent over the network.
  • Sensitive data is not stored in persistent cookies.
  • Sensitive data is not transmitted in HTTP GET requests.

Session Management

  • SSL is used to protect authentication cookies.
  • The contents of authentication cookies are encrypted.
  • Session lifetime is limited.
  • Session state is protected from unauthorized access.
  • Session identifiers are not passed in query strings.

Cryptography

  • Platform-level cryptography is used and it has no custom implementations.
  • The design identifies the correct cryptographic algorithm (and key size) for the application's data encryption requirements.
  • The methodology to secure the encryption keys is identified.
  • The design identifies the key recycle policy for the application.
  • Encryption keys are secured.
  • DPAPI is used where possible to avoid key management issues.
  • Keys are periodically recycled.

Parameter Manipulation

  • All input parameters are validated (including form fields, query strings, cookies, and HTTP headers).
  • Cookies with sensitive data are encrypted.
  • Sensitive data is not passed in query strings or form fields.
  • HTTP header information is not relied on to make security decisions.
  • View state is protected using MACs.
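An added example (not the ASP.NET view state implementation, and not code from the original guide) of the last item above: state that round-trips through the client is serialized, an HMAC over the bytes is appended, and on postback the MAC is verified before any field is trusted. The key below is a constructed placeholder; in a deployment it comes from protected configuration, as the Sensitive Data and Cryptography sections require.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only. In a deployment the key lives in
# protected configuration (DPAPI or equivalent), never in source code.
VIEWSTATE_KEY = b"example-viewstate-key-not-for-real-use"
MAC_LEN = hashlib.sha256().digest_size

class TamperedViewState(Exception):
    pass

def protect_view_state(state):
    """Serialize the round-tripped state and append an HMAC over the bytes."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(VIEWSTATE_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")

def unprotect_view_state(token):
    """Verify the MAC before any field is trusted; reject on any mismatch."""
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        raise TamperedViewState("view state is not valid base64")
    if len(blob) <= MAC_LEN:
        raise TamperedViewState("view state too short")
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(VIEWSTATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise TamperedViewState("view state MAC mismatch")
    return json.loads(payload)

def view_state_is_intact(token):
    """Convenience check for callers that only need a yes/no answer."""
    try:
        unprotect_view_state(token)
        return True
    except TamperedViewState:
        return False
```

A MAC gives integrity only; if the state also contains sensitive values, the "Cookies with sensitive data are encrypted" item applies to it as well.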

Exception Management

  • The design outlines a standardized approach to structured exception handling across the application.
  • Application exception handling minimizes the information disclosure in case of an exception.
  • The design identifies generic error messages that are returned to the client.
  • Application errors are logged to the error log.
  • Private data (for example, passwords) is not logged.
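An added example (not from the original guide) of a central handler that satisfies the four items above at once: the full exception detail goes to the error log under a reference id, the client sees only a generic message carrying that id, and private values in the request context are masked before logging. The set of private keys and the context layout are constructed for the example.

```python
import logging
import uuid

logger = logging.getLogger("app.errors")

# Constructed set of context keys whose values must never reach the error log.
PRIVATE_KEYS = {"password", "pwd", "secret", "token", "authorization"}
GENERIC_MESSAGE = "The request could not be completed. Reference: {ref}"

def redact(data):
    """Recursively mask private values so the log keeps its structure but no secrets."""
    if isinstance(data, dict):
        return {k: "[REDACTED]" if k.lower() in PRIVATE_KEYS else redact(v)
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact(v) for v in data]
    return data

def handle_exception(exc, context):
    """Central handler: full detail to the error log, only a reference id to the client.

    Returns (client_response, log_record) so callers and tests can inspect both sides.
    """
    ref = uuid.uuid4().hex[:12]
    log_record = {
        "ref": ref,
        "type": type(exc).__name__,
        "detail": str(exc),            # internal detail stays server-side
        "context": redact(context),    # private data never logged in clear
    }
    logger.error("unhandled exception %s", log_record)
    client_response = {"status": 500, "message": GENERIC_MESSAGE.format(ref=ref)}
    return client_response, log_record
```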

Auditing and Logging

  • The design identifies the level of auditing and logging necessary for the application and identifies the key parameters to be logged and audited.
  • The design considers how to flow caller identity across multiple tiers (at the operating system or application level) for auditing.
  • The design identifies the storage, security, and analysis of the application log files.
