Security Checklist for NodeJS Development Design Assurance

A simple straightforward checklist to help ensure your Full Stack, NodeJS or micro-service development is considering the key controls likely to be needed to meet your threats.

January 4, 2023

This security checklist helps to ensure your Node.js application or micro-service development is considering the key controls likely to be needed meet your threats. Based on Best Practie, this list of technical and administrative controls are based on NIST & CIS guidance. In all scenarios, you should consider, adapt and then adopt these controls based on your threats and the likely risks to your systems and data. With all regulated, sensitive or compliance needs, it remains critical you follow good practise to endure 'Due Care' in managing and processing client, user or sensitive data.

This quick list is ideal for any Design review or Architecture Assurance to help enhance your position and help meet your obligations.

  1. Utilize authentication and authorization mechanisms such as OAuth 2.0, JWT Tokens and HTTPS Protocols.
  2. Use secure coding practices like input validation, output encoding, session management and error handling.
  3. Enforce strong passwords with a combination of alphanumeric characters, special characters and upper/lower case letters ( IF you HAVE to use passwords)
  4. Implement encryption for sensitive data stored in databases or transmitted over the network. (Data at Rest, Data in Transit, Data In Use)
  5. Monitor for platform, network, storage and application events through monitoring log files for suspicious activities and access attempts. (SIEM)
  6. Regularly update dependencies to their latest versions to patch security vulnerabilities. (Patch Management)
  7. Restrict access to critical resources using proper authorisation rules and roles-based access control (RBAC). (Least Privilege)
  8. Securely store application secrets rather than hard-coding them in the source code or configuration files.(consider Vault, Secure Keyring etc)
  9. Use a web Application Firewall (WAF) to protect against common web attacks such as SQL injections, cross-site scripting (XSS) etc.,
  10. Disable unwanted Services that are not used in order to minimise the attack surface of the application

As part of our Enterprise Development Best Practise set, this checklist provides further support to development teams and application specialists to help enhance your security position, and improve maturity in meeting security needs.

image