A security audit is broader than a penetration test. A pentest looks for exploitable flaws in a running system at one point in time; an audit reviews whether the controls around authentication, authorization, data handling, infrastructure and compliance exist, are configured correctly and are actually enforced. The checklist below covers the areas a baseline audit should walk through; treat it as a starting point, not an exhaustive standard.
Authentication
- ☐ Strong password requirements (minimum length rather than composition rules, checks against breached-password lists, no forced periodic rotation)
- ☐ MFA implemented (phishing-resistant factors such as FIDO2/WebAuthn where possible; SMS only as a last resort)
- ☐ Session management (idle and absolute timeouts, session ID rotated after login, server-side invalidation on logout and password change)
- ☐ Rate limiting on login (per account and per source IP, applied before the password check; the same limits on MFA and password-reset endpoints)
- ☐ Secure password reset (single-use, short-lived, unguessable tokens; identical responses for existing and non-existing accounts)
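The rate-limiting item is the one most often ticked without being checked. The following is an added example (not code from the original page) of what an auditor should expect to find: a sliding-window limiter keyed on both the account and the source IP, consulted before the password hash is computed, with a dummy hash for unknown accounts so response time does not reveal whether a username exists. The class and function names, the limits and the constructed user store are illustrative choices.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter for failed logins, keyed per account and per source IP.

    The clock is injectable so the window can be exercised without sleeping.
    """

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.time):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # bucket key -> timestamps of recent failures

    @staticmethod
    def _keys(username, ip):
        # Normalise the username so "Alice" and "alice" share one bucket.
        return (f"user:{username.strip().lower()}", f"ip:{ip}")

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, username, ip):
        now = self.clock()
        return any(len(self._recent(k, now)) >= self.max_attempts
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            self._recent(k, now).append(now)

    def record_success(self, username, ip):
        # A successful login clears the account bucket but not the IP bucket,
        # so a host spraying many accounts stays throttled.
        self._failures.pop(f"user:{username.strip().lower()}", None)


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store for this example: username -> (salt, pbkdf2 digest).
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _DIGEST)}
# Dummy credentials hashed for unknown usernames, so the code path costs the same time.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())


def attempt_login(limiter, username, password, ip):
    """Return 'ok', 'denied' or 'rate_limited'.

    The limiter runs before the (deliberately slow) hash, so blocked requests
    cost nothing, and a wrong password is charged to the attacker whether or
    not the account exists.
    """
    if limiter.is_blocked(username, ip):
        return "rate_limited"
    record = USERS.get(username.strip().lower())
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    if verify_password(password, salt, digest) and record is not None:
        limiter.record_success(username, ip)
        return "ok"
    limiter.record_failure(username, ip)
    return "denied"


if __name__ == "__main__":
    lim = LoginRateLimiter(max_attempts=3, window_seconds=60)
    for _ in range(3):
        print(attempt_login(lim, "alice", "wrong", "203.0.113.9"))
    print(attempt_login(lim, "alice", "correct horse battery staple", "203.0.113.9"))
```

One caveat to check during the audit: a hard per-account block lets an attacker lock a victim out by deliberately failing their login. Production systems usually pair a hard per-IP limit with a softer per-account response (slowdown, CAPTCHA or MFA step-up) rather than an outright block.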
Authorization
- ☐ Principle of least privilege (users, service accounts, API keys and CI jobs hold only the permissions they need)
- ☐ Role-based access control (roles enforced server-side in one place, never only in the client or the UI)
- ☐ API endpoint authorization (every endpoint checks both authentication and authorization, deny by default; includes internal and "undocumented" endpoints)
- ☐ IDOR prevention (object-level checks that the caller owns or is permitted the specific record, not just that the ID is well-formed)
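IDOR is worth a concrete test case because the vulnerable and the fixed handler look almost identical. The following is an added example, not code from the original page: an invoice lookup where the query ignores the caller, beside the fixed version that makes ownership part of the query and returns the same "not found" for foreign and non-existent records so IDs cannot be enumerated. The table, the `billing_admin` role and the sample rows are constructed for the example.

```python
import sqlite3


class NotFound(Exception):
    """Maps to HTTP 404 in a web handler."""


def make_db():
    # Constructed sample data: two customers, one invoice each.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, "
        "total_cents INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1001, 1, 4999), (1002, 2, 125000)],
    )
    return db


def _to_dict(row):
    return {"id": row[0], "owner_id": row[1], "total_cents": row[2]}


def get_invoice_vulnerable(db, current_user_id, invoice_id):
    # IDOR: the caller is authenticated (current_user_id is known) but the
    # query never uses it, so any logged-in user can read any invoice by
    # iterating over ids. Parameterised SQL alone does not prevent this.
    row = db.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()
    if row is None:
        raise NotFound
    return _to_dict(row)


def get_invoice(db, current_user_id, invoice_id, roles=frozenset()):
    # Fixed: ownership is part of the query, so there is no code path that
    # returns another user's record. A billing admin (RBAC) may read any
    # invoice; everyone else is scoped to their own rows. Not-found and
    # not-owned both raise the same NotFound so the response does not reveal
    # which ids exist.
    if "billing_admin" in roles:
        row = db.execute(
            "SELECT id, owner_id, total_cents FROM invoices WHERE id = ?",
            (invoice_id,),
        ).fetchone()
    else:
        row = db.execute(
            "SELECT id, owner_id, total_cents FROM invoices "
            "WHERE id = ? AND owner_id = ?",
            (invoice_id, current_user_id),
        ).fetchone()
    if row is None:
        raise NotFound
    return _to_dict(row)


def can_read_invoice(db, current_user_id, invoice_id, roles=frozenset()):
    """Boolean wrapper handy for an audit script that probes ids as a low-privilege user."""
    try:
        get_invoice(db, current_user_id, invoice_id, roles)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    db = make_db()
    print(get_invoice_vulnerable(db, 1, 1002))   # user 1 reads user 2's invoice
    print(can_read_invoice(db, 1, 1002))         # False after the fix
```

The audit check this supports: log in as the lowest-privilege user, take an ID you are allowed to see, change it by one, and confirm the response is indistinguishable from a genuinely missing record.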
Data
- ☐ Encryption at rest (databases, object storage and disks; keys held in a KMS or HSM, separate from the data they protect)
- ☐ Encryption in transit (TLS 1.2+ with modern cipher suites, older protocol versions disabled; internal service-to-service traffic included, not only the public edge)
- ☐ PII classification (an inventory of which personal data is stored, where, for what purpose, and who can access it)
- ☐ Backup encryption (backups encrypted with keys managed like production keys, and restores tested)
- ☐ Log sanitization (no session tokens, API keys, passwords, Authorization headers or full PII in application, proxy or CI logs)
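Log sanitization is easiest to verify by running a redactor over real log samples. The following is an added example, not code from the original page: a regex-based scrubber that replaces bearer tokens, JWTs and common secret-bearing fields with a keyed fingerprint, so incident responders can still correlate a leaked credential across lines without the value itself ever being written. The `LOG_FP_KEY` environment variable, the field-name list and the sample lines are constructed for the example.

```python
import hmac
import hashlib
import io
import logging
import os
import re

# Assumption for the example: a key used only for fingerprinting logged secrets.
# Keyed hashing means a low-entropy password cannot be recovered from its fingerprint.
_FP_KEY = os.environ.get("LOG_FP_KEY", "example-only-fingerprint-key").encode()

_PATTERNS = [
    # key=value or "key": "value" for field names that carry secrets
    re.compile(
        r'(?i)((?:api[_-]?key|access[_-]?token|refresh[_-]?token|password|'
        r'secret|session[_-]?id)"?\s*[:=]\s*"?)([^\s"&,;]+)'
    ),
    # Authorization headers: Bearer <token> / Basic <base64>
    re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)([A-Za-z0-9\-._~+/=]+)"),
    # Bare JSON Web Tokens anywhere in the line (header.payload.signature)
    re.compile(r"(^|[^A-Za-z0-9_.-])(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"),
]


def _fingerprint(secret):
    return hmac.new(_FP_KEY, secret.encode(), hashlib.sha256).hexdigest()[:8]


def sanitize(line):
    """Return the line with every matched secret replaced by [REDACTED:<fingerprint>]."""

    def repl(m):
        if m.group(2).startswith("[REDACTED"):
            return m.group(0)  # already scrubbed; keeps sanitize idempotent
        return f"{m.group(1)}[REDACTED:{_fingerprint(m.group(2))}]"

    for pat in _PATTERNS:
        line = pat.sub(repl, line)
    return line


class RedactingFormatter(logging.Formatter):
    """Scrubs the fully rendered line, so secrets passed as %-args or inside
    exception text are caught, not only those in the format string."""

    def format(self, record):
        return sanitize(super().format(record))


def render_through_logger(msg, *args):
    """Format one record through RedactingFormatter and return the emitted text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("audit.redaction.example")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info(msg, *args)
    handler.flush()
    return buf.getvalue().rstrip("\n")


# Constructed sample log lines of the kind an audit should grep for.
SAMPLE_LINES = [
    "GET /api/v1/me 200 Authorization: Bearer sk_live_51Habc123XYZ",
    "login ok user=alice session_id=9f3c2a77e1b4 ip=203.0.113.9",
    'POST /oauth/token 200 body={"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.ZmFrZXNpZ25hdHVyZQ", "expires_in": 3600}',
    "config loaded db_password=hunter2 region=eu-west-1",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(sanitize(raw))
    print(render_through_logger("token refresh api_key=%s", "AKIAEXAMPLE123"))
```

Run the same patterns as a read-only scan over archived logs as part of the audit; any hit in historical data is itself a finding, since rotating the credential is then required regardless of the formatter fix.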
Infrastructure
- ☐ Firewall rules reviewed (default deny inbound; databases, management interfaces and SSH not reachable from the internet; stale rules removed)
- ☐ SSH keys (password authentication disabled; keys tied to individuals, rotated and revoked when people leave)
- ☐ Secrets in a secrets manager (none committed to source, baked into images or printed in CI logs)
- ☐ Container scanning (base images and built images scanned for known CVEs on every build; minimal base images; containers run as a non-root user)
- ☐ Dependency scanning (Snyk, Dependabot or equivalent; lockfiles committed so the scanned tree is the deployed tree)
Compliance
- ☐ GDPR consent and data deletion (lawful basis recorded per processing purpose; deletion requests fulfilled across primary stores, replicas and analytics)
- ☐ Cookie consent (non-essential cookies set only after consent is given)
- ☐ Privacy policy up to date (matches what the PII inventory says is actually collected and shared)
- ☐ Data retention policy (defined per data class and enforced by automated deletion, not just documented)
Frequency
Full audit at least once a year, and again after major architectural changes (new authentication flow, new cloud account, new data store). Automated scans (dependency, container, secrets) run in CI/CD on every build, with findings above an agreed severity blocking the merge.
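As an added example of wiring the automated dependency and container scans into the repository rather than into a calendar (this is illustrative configuration, not from the original page), a Dependabot configuration that opens update pull requests for Python packages, the Dockerfile base image and the GitHub Actions used by the pipeline. The ecosystems and `/` directory are assumptions about the repository layout.

```yaml
# .github/dependabot.yml
version: 2
updates:
  # Application dependencies (requirements.txt / pyproject.toml at the repo root)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # Base image in the Dockerfile, so CVE fixes in the OS layer are picked up too
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # The CI actions themselves are a supply-chain dependency
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot raises pull requests; it does not fail a build. The "blocking the merge" part of the checklist still needs a scanner step in the pipeline (Snyk, `pip-audit`, Trivy or similar) whose exit code is enforced by branch protection.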