

Ask HN: Comprehensive security checklist for developers - jorangreef

In the light of the recent Amazon and Apple incident, and considering that HN is full of insightful comments regarding security buried in many discussions:

What would be a comprehensive security checklist for developers?

i.e. everything from OWASP, Schneier, best of the security web etc.

For example, just to get started:

1. Use bcrypt.

2. Use different non-guessable private email addresses and passwords for critical services.

3. Self-host critical email addresses.

4. Two-factor authentication.

5. Disable iCloud Find My Mac or disable iCloud completely.

6. Use FileVault2 or full disk encryption.

7. Set your system to log out after inactivity.

8. Set your screensaver with password to show after 5 minutes.

9. Use a passcode on your iPad.

10. Master server should not have access to backup server.

We tend to focus on securing the app we develop, without thinking too much about securing the suppliers we use, or reducing surface area, or considering orthogonal vectors.

There are many great checklists covering certain aspects of security, but it would be great to have all of this in one place.
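As an added example (not code from the original post or any commenter): item 1, "Use bcrypt", is shorthand for a storage pattern rather than one library call: a deliberately slow hash, a fresh random salt per password, and a cost parameter stored next to the hash so it can be raised later without resetting every account. bcrypt itself is a third-party package in Python, so this stand-alone version uses scrypt from the standard library's hashlib as a stand-in; the `$scrypt$ln=..,r=..,p=..$salt$hash` string format, the parameter values and the verify-then-rehash flow are this example's own choices, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work-factor parameters (example values, not from the post). scrypt's CPU/memory
# cost is 2**log_n; raise log_n over time, as one would bump bcrypt's cost.
CURRENT_PARAMS: Dict[str, int] = {"log_n": 14, "r": 8, "p": 1}
SALT_BYTES = 16
KEY_BYTES = 32
_PARAM_NAMES = {"ln": "log_n", "r": "r", "p": "p"}


def _b64(raw: bytes) -> str:
    # Unpadded base64 keeps '$' free to serve as the field separator.
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _derive(password: str, salt: bytes, params: Dict[str, int], dklen: int) -> bytes:
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=2 ** params["log_n"],
        r=params["r"],
        p=params["p"],
        dklen=dklen,
    )


def hash_password(password: str, params: Dict[str, int] = CURRENT_PARAMS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $scrypt$ln=..,r=..,p=..$<salt>$<hash>.

    Storing the parameters beside the hash is what lets the work factor be
    raised later while old hashes stay verifiable.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # new random salt for every password
    derived = _derive(password, salt, params, KEY_BYTES)
    return "$scrypt$ln={log_n},r={r},p={p}${salt}${hash}".format(
        salt=_b64(salt), hash=_b64(derived), **params
    )


def _parse(stored: str) -> Tuple[Dict[str, int], bytes, bytes]:
    _, scheme, param_str, salt_b64, hash_b64 = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: %r" % scheme)
    params = {}
    for kv in param_str.split(","):
        key, value = kv.split("=")
        params[_PARAM_NAMES[key]] = int(value)
    return params, _unb64(salt_b64), _unb64(hash_b64)


def verify_password(password: str, stored: str,
                    current_params: Dict[str, int] = CURRENT_PARAMS) -> Tuple[bool, bool]:
    """Return (password_ok, needs_rehash).

    needs_rehash is True when the password is correct but the stored hash was
    made with a weaker cost than current_params; the caller should then call
    hash_password() again and overwrite the stored value (the login handler
    is the only moment the plaintext is available to do this).
    """
    params, salt, expected = _parse(stored)
    candidate = _derive(password, salt, params, len(expected))
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    weaker = any(params[k] < current_params[k] for k in current_params)
    return ok, ok and weaker


if __name__ == "__main__":
    # Constructed demo: a hash made under an older, cheaper cost gets flagged
    # for upgrade on the next successful login.
    legacy = hash_password("correct horse battery staple", {"log_n": 12, "r": 8, "p": 1})
    ok, needs_rehash = verify_password("correct horse battery staple", legacy)
    print("legacy hash verifies:", ok, "| needs rehash:", needs_rehash)
    if ok and needs_rehash:
        upgraded = hash_password("correct horse battery staple")
        print("upgraded:", verify_password("correct horse battery staple", upgraded))
```

The same shape carries over to bcrypt itself, whose encoded string already embeds the cost and salt; one bcrypt-specific caveat worth adding to a checklist is that bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated unless the application handles that itself.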
======
jpmc
Here is a good start: <http://benchmarks.cisecurity.org/en-us/?route=default>

------
mooism2
Some of these (e.g. "two factor authentication" and "use bcrypt") require buy-in from management.

------
jorangreef
Would be great if someone could build a 373 security questions app, which
basically goes through a huge security checklist with you, and gives you a
score at the end.

