A practical checklist for authentication, sessions, access control, injection, business logic, and configuration testing of web applications.
Checks aligned to the OWASP API Security Top 10 (2023): object- and function-level authorization, authentication, resource consumption, SSRF, and inventory management.
Checks aligned to the OWASP MASVS / Mobile Top 10: insecure storage, transport security, secrets, platform interaction, and reverse-engineering resilience.
Thick client assessment: local data storage, inter-process communication, traffic interception, DLL/binary protections, and privilege handling.
Manual and assisted source code review: dangerous sinks, injection patterns, authn/authz flaws, secrets, and insecure dependencies across major languages.
Cloud assessment checks: identity and access management, exposed storage, instance metadata SSRF, logging, and common misconfigurations across providers.
Embedding security into the software lifecycle: SAST/DAST/SCA gates, secrets management, supply-chain controls, and policy-as-code.
Network and infrastructure assessment: host discovery, service enumeration, exposed management interfaces, and transport hardening.
Wireless assessment: encryption and authentication (WPA2/WPA3), rogue/evil-twin access points, PMKID/handshake attacks, and client isolation.
Firewall and perimeter testing: ruleset review, egress filtering, segmentation validation, and evasion of filtering controls.
Active Directory assessment: enumeration, Kerberos attacks (Kerberoasting, AS-REP), ACL abuse, delegation, lateral movement, and privilege escalation to domain dominance.
Infrastructure security assessment: host and OS hardening, patch posture, exposed services, build review, and configuration baselines.
Security assessment of Model Context Protocol servers and tools: tool poisoning, prompt injection via tool output, authorization scoping, and unsafe capability exposure.
LLM application assessment aligned to the OWASP LLM Top 10: prompt injection, insecure output handling, data leakage, excessive agency, and model DoS.
Structured threat modeling: asset and trust-boundary mapping, STRIDE/attack-tree analysis, abuse cases, and mitigation tracking.
Configuration and hardening review against CIS-style baselines: services, permissions, logging, secrets handling, and default-credential exposure.
Container and Kubernetes assessment: image hygiene, privileged containers and escapes, RBAC, network policies, secrets, and admission control.
CI/CD pipeline assessment: poisoned pipeline execution, secret exfiltration, runner compromise, dependency confusion, and artifact integrity.
IoT assessment: firmware extraction and analysis, hardware/UART/JTAG interfaces, insecure protocols, and cloud/companion-app integration.
Blockchain and smart-contract assessment: reentrancy, access control, oracle and arithmetic flaws, signature replay, and Web3 front-end risks.
Phishing and social-engineering assessment: pretext and infrastructure setup, payload and landing-page design, evasion, and reporting metrics.
Open-source intelligence: domain and infrastructure footprinting, employee and credential exposure, code and document leakage, and exposed assets.
Digital forensics and incident response: sound evidence acquisition, disk/memory/network analysis, timeline reconstruction, and chain of custody.