2019-01-02 07:55

Due diligence checklist

Recently I was part of a technical due diligence. I tried to remember the questions which were asked during this 7-hour 😅 meeting. Perhaps this list is useful for your next due diligence.

Security Policies

  • Does your company and/or its main (software) supplier have an ISO 27001 certification?
  • Has software been developed with OWASP top 20 in mind?
  • Has an external security team performed a pentest?
  • If pentests are performed, did you use a white-box test?
  • Is a responsible disclosure (aka coordinated vulnerability disclosure) process in place?
  • Have you ever paid bug bounties e.g. via HackerOne or Zerocopter for this or other apps you have developed?
  • Who is acting as the security officer?
  • Who has access to API keys, ssh keys, credentials of cloud services such as AWS?
  • Are access keys and tokens rotated? Manually or automatically?
  • Are keys rotated when personnel leave the company? Describe the off-boarding process.
  • Are devices containing sensitive information about software systems, databases, source code, etc. secured using 2FA? If so, describe the 2FA methods in use.
  • Is physical security (e.g. burglar alarm) in place at the offices where devices are kept overnight?
  • How and where are keys, tokens, passwords, etc. stored?
  • Are passwords or other secrets exchanged between employees? If so, how?
  • Are security tests used in the (automated) software testing process? If so, which?
  • Are you using fuzzing testing?
  • In which places is the code stored?
  • Describe the security measures behind your internal office networking infrastructure.
  • Describe the security measures behind staging, acceptance, and production servers.
  • Are disk drives of development machines and servers encrypted?
  • What is your policy towards portable drives and flash drives?
  • What is your policy with regards to passwords, pincodes, or biometric access of laptops, desktops, and mobile devices?
  • Which 3rd party services have access to code, databases, and/or log files (including e.g. exception tracking services)?
  • Which 3rd party services have access to code (including e.g. Continuous Integration services)?
  • Do you maintain an incident log related to security incidents?
  • Do you have a process of development team-wide learning from incidents? Please describe.
  • Is a process in place to deal with SSL certificates?
  • Do you use certificate pinning e.g. between mobile app and API?
  • Describe the authentication process between mobile app and API.
  • Have you ensured no sensitive data (e.g. API tokens) is leaking to (mobile) device logs?
  • Have you ensured no sensitive data (e.g. passwords) is leaking to web server logs?
  • Are you leaking sensitive info (password, IBAN, etc.) to exception tracking services?
  • Is the app protected against brute forcing sign ins? Describe your throttling measures.
  • Is staff trained in detecting social engineering?
  • How is data encrypted (database, config) and using which algorithm(s)?
  • Are you using an intrusion detection software solution for servers?
  • Where and how are database backups stored? Are they encrypted? How are archival and deletion handled?
  • Who has access to the contents of the live databases?
  • Are you downloading copies of live data to staging or development machines?
  • Do you anonymize data before exporting / transmitting to business intelligence tools?

Intellectual Property

  • Who is the owner of the software? Is a contract in place?
  • Have all people who have access to the codebase signed IP agreements?
  • Describe who has access to the code. Do all developers have access to all parts of the code base, or is it segregated?
  • Are any parts of the software based on licenses from 3rd parties?
  • Are any parts of the software based on open source code? If so, under which licenses?
  • Have you filed or obtained patents?
  • Who owns the domain names? Who has access to the domains? Are automatic yearly renewal and payment in place?

Development Process

  • Which programming languages do you use?
  • Which frameworks do you use?
  • Which other noteworthy tools are being used?
  • Submit an architecture diagram (as an appendix) of the app, its API, web and mobile clients.
  • Which project management methodology do you use?
  • Do you use Pull Requests (PRs)?
  • Do you perform code reviews?
  • Who merges PRs?
  • How is your backlog maintained?
  • How do you deal with technical debt?
  • What does your testing strategy look like?
  • Do you use Continuous Integration?
  • Do you use Continuous Deployment?
  • Who creates/writes work items, i.e. project backlog items or stories?
  • How are these stories structured?
  • How do you bring together feature design, UI design, back-end development, and testing?
  • Do you maintain release notes?
  • How often do you ship? Do you ship backend, front-end, and API separately or always in conjunction?
  • Describe the architecture of the web-facing tech stack (high level).
  • Describe the architecture of the iOS and Android tech stacks (high level).
  • Is your API versioned?
  • Describe the architecture of the API.
  • Can API tokens be revoked?
  • Are you performing hot fixes on servers (bypassing PRs)?
  • What is the coverage of tests?
  • Do you know the ratio between code and test code?
  • How many lines of code do the app, API, and mobile apps have (state separately)?
  • Describe your documentation process.
  • Do you work with a test data generator containing a fictitious but representative data set in order to perform local testing of app and API?
  • Is the code base based on code from previous projects?
  • Are parts of the code base created by people who are no longer with the company?
  • Who decides about the architecture?
  • Do you use pair programming?

Infrastructure

  • Where are the apps hosted? Describe the hosting services in general.
  • How are you monitoring uptime?
  • How are you measuring performance bottlenecks?
  • Have you load-tested web apps and APIs?
  • Are you monitoring server exceptions? How are you acting upon them?
  • Are you catching client-side exceptions? If so, please describe.
  • What is the escalation procedure in case of outages?
  • Do you employ auto-scaling?
  • Describe the scaling process of app and API.
  • Describe the scaling process of the databases.
  • How much time is needed to bring up a fully functioning copy of the app, API, databases, configuration, and DNS settings in case of a catastrophic event at the hosting center (earthquake, flooding, meteorite)?
  • Describe your backup and restore procedures.
  • Describe the Registrar, Name Server, and DNS setup.
  • Describe the mail server setup.
  • Describe your DevOps setup.
  • Do you have a DBA?
  • What is the level of parity between development machines, staging, and production environments?
  • Please list all 3rd party services being used (e.g. services such as Mailgun, Bugsnag, or NewRelic).
  • Describe your deploy process including tooling.
  • Are rollbacks of code supported by your deploy process?
  • Describe your database schema migration process.
