OWASP Developer Guide

Web Application Checklist

4.2 Web application checklist

Checklists are a valuable resource for development teams. They provide structure for establishing good practices and processes and are also useful during code reviews and design activities.

The checklists that follow are general lists that are categorised to follow the controls listed in the OWASP Top 10 Proactive Controls project. These checklists provide suggestions that certainly should be tailored to an individual project’s requirements and environment; they are not meant to be followed in their entirety.

Probably the best starting point for a checklist is given by the Application Security Verification Standard (ASVS). The ASVS can be used to provide a framework for an initial checklist, according to the security verification level, and this initial ASVS checklist can then be expanded using the following checklist sections.


4.2.1 Checklist: Define Security Requirements
4.2.2 Checklist: Leverage Security Frameworks and Libraries
4.2.3 Checklist: Secure Database Access
4.2.4 Checklist: Encode and Escape Data
4.2.5 Checklist: Validate All Inputs
4.2.6 Checklist: Implement Digital Identity
4.2.7 Checklist: Enforce Access Controls
4.2.8 Checklist: Protect Data Everywhere
4.2.9 Checklist: Implement Security Logging and Monitoring
4.2.10 Checklist: Handle all Errors and Exceptions

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.