In case you need some peace from the client, just send some questions in their direction….
1) Physical Security
a. Who has access?
b. How is access regulated?
2) Password Security
a. Password history?
b. Password complexity?
c. Lockout?
3) Backup Security
a. Redundant?
b. Log files?
4) Users / Access Security
a. Who has access to the system?
b. From where is access granted?
c. Who are the application’s end users?
d. How do the end users interact with the application?
e. What security expectations do the end users have?
f. Which third parties supply data to the application?
g. Which third parties receive data from the application?
h. Which third parties process the application’s data?
i. What mechanisms are used to share data with third parties besides the application itself?
j. What security requirements do the partners impose?
k. Who has administrative capabilities in the application?
l. What administrative capabilities does the application offer?
m. What security related regulations apply?
n. What auditing and compliance regulations apply?
o. What user privilege levels does the application support?
p. What user identification and authentication requirements have been defined?
q. What session management requirements have been defined?
r. What application performance monitoring requirements have been defined?
s. What application security monitoring requirements have been defined?
t. What application error handling and logging requirements have been defined?
u. How many logical tiers group the application’s components?
v. What access requirements have been defined for URI and Service calls?
w. What user authorization requirements have been defined?
x. How are user identities maintained throughout transaction calls?
5) Network Security
a. What details regarding routing, switching, firewalling, and load balancing have been defined?
b. What network design supports the application?
c. What core network devices support the application?
d. What network performance requirements exist?
e. What private and public network links support the application?
f. Which security devices are in place to enforce access?
g. Which networks are attached?
h. Which systems are connected on the same network segment?
i. How is the network segregated?
j. Are admin traffic and data traffic separated?
6) Data
a. What data does the application receive, produce, and process?
b. How can the data be classified into categories according to its sensitivity?
c. How might an attacker benefit from capturing or modifying the data?
d. What data backup and retention requirements have been defined for the application?
e. What data entry paths does the application support?
f. What data output paths does the application support?
g. How does data flow across the application’s internal components?
h. What data input validation requirements have been defined?
i. What data does the application store and how?
j. What data is or may need to be encrypted and what key management requirements have been defined?
k. What capabilities exist to detect the leakage of sensitive data?
l. What encryption requirements have been defined for data in transit over WAN and LAN links?
7) Systems
a. What operating systems support the application?
b. What hardware requirements have been defined?
c. What details regarding required OS components and lock down needs have been defined?
d. What infrastructure monitoring requirements have been defined?
e. What network and system performance monitoring requirements have been defined?
f. What mechanisms exist to detect malicious code or compromised application components?
g. What network and system security monitoring requirements have been defined?
8) Monitoring
a. What application auditing requirements have been defined?
b. What application performance monitoring requirements have been defined?
c. What application security monitoring requirements have been defined?
d. What application error handling and logging requirements have been defined?
e. How are audit and debug logs accessed, stored, and secured?
9) Operations
a. What physical controls restrict access to the application’s components and data?
b. What is the process for granting access to the environment hosting the application?
c. What is the process for identifying and addressing vulnerabilities in the application?
d. What is the process for identifying and addressing vulnerabilities in network and system components?
e. What access do system and network administrators have to the application’s sensitive data?
f. What security incident requirements have been defined?
g. How do administrators access production infrastructure to manage it?
h. What controls exist to prevent a compromise in the corporate environment from affecting production?
i. What security governance requirements have been defined?
j. What corporate security program requirements have been defined?
k. What security training do developers and administrators undergo?
l. Which personnel oversee security processes and requirements related to the application?
m. What employee initiation and termination procedures have been defined?
n. What application requirements impose the need to enforce the principle of separation of duties?
10) Change Management
a. How are changes to the code/application controlled?
b. How are changes to the infrastructure controlled?
c. How are code/applications deployed to production?
d. What mechanisms exist to detect violations of change management practices?
11) Virtualization and Externalization
a. What aspects of the application lend themselves to virtualization?
b. What virtualization requirements have been defined for the application?
c. What aspects of the product may or may not be hosted via the cloud computing model?