The Secure Application Design Checklist is a list of requirements and suggestions that a product manager, architect, or other development personnel can run through to make sure they've fully covered all security requirements during their SDLC process.
The checklist is based on the list of security requirements outlined in the Security Requirements document.
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure all API endpoints that serve non-public data utilize BC tokens/Bifrost for authentication and authorization for requests | Requirement | API Best Practices - Access Controls / Cross-Site Request Forgery |
| If RBAC is being implemented, ensure endpoints are only accessible by the roles that require it | Requirement | API Best Practices - Access Controls |
| Authentication tokens must have a static expiration date that's enforced on the backend network | Requirement | API Best Practices - Replay Attacks / AuthZ and AuthN Guidelines - Limited Token Lifetimes |
| Ensure sensitive API actions can't be performed via click-jacking | Requirement | Click-Jacking |
| If redirect URIs are being used with OAuth2 authentication requests, ensure the URIs are validated as pointing to the expected FQDN | Requirement | AuthZ and AuthN Guidelines - Validating OAuth2 Redirect URIs |
| Limit OAuth2 scopes in line with the Principle of Least Privilege | Requirement | AuthZ and AuthN Guidelines - Limit OAuth2 Scope |
Use and validate the state parameter when validating OAuth2 authentication requests |
Requirement | AuthZ and AuthN Guidelines - Validating the OAuth2 State Parameter |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| If passwords are being used, ensure the password policy complies with NIST 800-63 guidelines | Requirement | AuthZ and AuthN Guidelines - Auth Guidelines |
| Disable/delete user account records after a specified amount of inactivity | Recommendation | Data Retention |
| Support SSO authentication for users (e.g. Okta, Google, Auth0) | Recommendation | N/A |
| Allow local accounts to be configured for use with Multi-Factor Authentication | Required for sensitive applications | AuthZ and AuthN Guidelines - Require MFA |
Ex: an encoding application listening on port 12345 for encoding requests and serving up completed encoding jobs
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure all incoming network requests for non-public data or sensitive actions are authenticated and authorized before being processed | Requirement | N/A |
| Configure network access such that only the IP addresses/network hosts that need access to it, have access to it, and only for the ports and protocols in use (e.g. configure Security Groups to only allow web traffic from Brightcove IP addresses for internal applications) | Requirement | N/A |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure any untrusted input is properly sanitized/encoded upon output | Requirement | XSS Attacks |
| Add checks and restrictions within web APIs to account for untrusted input sent to it | Requirement | API Best Practices - Input Validation |
| Set the Content-Security Policy to the proper values to restrict what resources can be loaded | Requirement | HTTP Headers - CSP |
| Database calls must use paramaterized queries, where applicable | Requirement | SQL Injection |
| Any service that accepts network addresses (FQDNs, IP addresses, hostnames) with the intention of initiating a connection to that address should ensure proper validation is in place to prevent malicious addresses from being used | Requirement | Server-Side Request Forgery |
| Arbitrary file uploads must be properly validated upon upload | Requirement | Arbitrary File Uploads |
| Applications that use untrusted input for site redirection (HTTP 30x) destinations must protect against open-redirects | Requirement | Open Redirect |
| Prevent content-sniffing by browsers | Requirement | HTTP Headers - X-Content-Type-Options |
| Take into account the possibility of HTTP smuggling attacks when forwarding HTTP requests through multiple services | Requirement | HTTP Request Smuggling |
| Implement request integrity | Recommendation | API Best Practices - Request Integrity |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Prefer using memory-safe languages when creating services and applications | Requirement | N/A |
| When using memory-unsafe languages, ensure untrusted intput isn't used for declaring buffer size, and that buffer size is appropriate for the incoming data the buffer set to hold | Requirement | N/A |
| Refrain from using object deserialization with untrusted data | Recommendation | N/A |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure no plaintext secrets (passwords, API tokens, etc) are included within any code | Requirement | Credential Leaks |
| Any credentials needed for the application should be independently generated for the application, where applicable | Requirement | N/A |
| Secrets that needed to be statically stored for application deployment must use secure storage methods in accordance with Brightcove cryptogaphic standards | Requirement | Credential Leaks |
| For web applications, make sure the Referrer-Policy header is set to prevent unnecessary data leakage | Requirement | HTTP Headers - Referrer-Policy |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Confirm application confirms to Brightcove Cryptography Standards | Requirement | BC Internal - SSDLC - Cryptography Standards |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure TLS is used for all network communications, both internal and external | Requirement | BC Internal - Guide to TLS - Should I Use TLS? |
| When configuring TLS, ensure secure ciphers are used | Requirement | BC Internal - Guide to TLS - Protocol and Ciphers |
| Use HTTP Strict-Transport Security (HSTS) for all HTTP requests | Requirement | HTTP Headers - HTTP Strict Transport Security |
When generating a TLS certificate for a service, make sure to include ALL FQDNs that point to that service as Common Name values |
Requirement | HTTP Headers - HTTP Strict Transport Security |
| Make sure HTTP redirects (HTTP 30x) do not redirect users through HTTP (i.e. non-TLS, non-encrypted) endpoints before directing them to a TLS endpoint | Requirement | N/A |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure passwords are hashed, not encrypted | Requirement | BC Internal - SSDLC - Cryptography - Storing Passwords |
| Passwords must be salted when stored, before being hashed | Requirement | BC Internal - SSDLC - Cryptography - Salting Passwords |
| Make sure a Brightcove-approved password hashing algorithm is used for storing passwords | Requirement | BC Internal - SSDLC - Cryptography - Storing Passwords - Algorithms |
| Make sure a Brightcove-approved CSPRNG is used for generating password salts | Requirement | BC Internal - SSDLC - Cryptography - Storing Passwords - Salting Procedures |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Confirm all data is encrypted-at-rest at the disk level when stored persistently | Requirement | BC Internal - SSDLC - Cryptography - Encryption-at-Rest |
| Confirm confidential data (e.g. a customer's API token to a third-party service) is actively encrypted before being stored within a database | Requirement | BC Internal - SSDLC - Cryptography - Encryption-at-Rest |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Confirm all code has been peer-reviewed before deployment | Requirement | [AWS Well-Architected Framework - Security Pillar - SEC11-BP04 Conduct code reviews |
| Ensure all artifacts are cryptographically signed with a valid certificate | Recommendation | BC Internal - SSDLC - Cryptography - Digital Signatures |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure Brightcove Cloud Security Standards are met when creating or updating any cloud infrastructure | Requirement | BC Internal - Cloud Security Standards |
| Cloud resources must be configured following the Principle of Least Privilege | Requirement | BC Internal - Guide to Security in AWS |
| Utilize a dedicated AWS account for a net-new service, i.e. don't mix resources from multiple resources into a single account | Requirement | AWS Well-Architected Framework - Security Pillar - SEC01-BP01 Separate workloads using accounts |
| Infrastructure-as-Code must be used for management of resources | Requirement | AWS Well-Architected Framework - Security Pillar - SEC01-BP06 Automate deployment of standard security controls |
| Infrastructure-as-Code must be deployed using CI/CD, preferably Jenkins/Spinnaker | Requirement | AWS Well-Architected Framework - Security Pillar - SEC06-BP04 Validate software integrity |
| Ensure a high-level architectural diagram is created for the service and available to the SecEng and Ops teams | Requirement | AWS Well-Architected Framework - Security Pillar - SEC01-BP07 Identify threats and prioritize mitigations using a threat model |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Resources must be properly segmented at the network level, e.g. the web server and the API for your service should likely not be in the same VPC/subnet | Requirement | AWS Well-Architected Framework - Security Pillar - SEC05-BP01 Create network layers |
| Only allow the minimal amount of network access required when creating security groups | Requirement | AWS Well-Architected Framework - Security Pillar - SEC05-BP02 Control traffic flow within your network layers |
| Public access is only granted to services, networks, and ports that require public access by design | Requirement | AWS Well-Architected Framework - Security Pillar - SEC05-BP02 Control traffic flow within your network layers |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Make sure to only use official, up-to-date official images | Requirement | BC Internal - Docker Security Guide |
Run applications as service account users as opposed to the default root user |
Requirement | BC Internal - Docker Security Guide |
Only use EXPOSE with ports that are in use and need to be exposed outside of the container |
Requirement | BC Internal - Docker Security Guide |
| Do not include any secrets or sensitive data within a container | Requirement | BC Internal - Docker Security Guide |
| Any static secrets in use by the container during runtime must be encrypted when used within the Kubernetes manifest in accordance with Brightcove cryptographic standards | Requirement | BC Internal - SSDLC - Container Security |
| Review the Brightcove Docker Security Guide to ensure your container image is as secure as possible | Recommendation | BC Internal - Docker Security Guide |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Run the container as non-root | Required | BC Internal - Kubernetes Security Guide |
| Disallow container privilege escalation | Required | BC Internal - Kubernetes Security Guide |
| Do not run the container in privileged mode | Required | BC Internal - Kubernetes Security Guide |
| Implement a Seccomp policy | Recommendation | BC Internal - Kubernetes Security Guide |
| Implement kernel security defenses | Recommendation | BC Internal - Kubernetes Security Guide |
| Review the Brightcove Kubernetes Security Guide to ensure your container image is deployed as securely as possible | Recommendation | BC Internal - Kubernetes Security Guide |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Configure log forwarding to a remote log server, SaaS service, or SIEM | Requirement | BC Internal - SSDLC - Logging |
| For public applications, logs must be traceable to an IP and user/customer | Requirement | N/A |
| Ensure that confidential data values are excluded or scrubbed before being written to logs | Requirement | N/A |
| Ensure logs are retained for at least 30 days | Requirement | N/A |
| Include the ability for verbose logging to log any untrusted data and associated remote identifiers (e.g. user ID) | Recommendation | N/A |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure all PII-related data points that are collected and persistently stored include a method for automated or on-demand removal | Requirement | Data Retention |
| Make sure to set a static expiration date for all data points of a given set | Requirement | Data Retention |
| Expiration dates set for data points must be set only as long as the data's usable lifespan to the business | Requirement | Data Retention |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Configure source code to be scanned by SAST platform | Requirement | BC Internal - Tools - SAST |
| Integrate source code with dependency management application | Requirement | BC Internal - Tools - Dependency Management |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure application containers are being scanned by vulnerability management platform | Requirement | BC Internal - Tools - Vulnerability Scanning/Management |
| Confirm application containers are patched for all critical and high vulnerabilities that have a fix available, before being deployed to production environments | Requirement | BC Internal - SSDLC - Patching Guide |
| Ensure that patching standards are followed and a plan is in place to patch the application and its infrastructure on a regular basis | Requirement | BC Internal - SSDLC - Patching Standard |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Ensure source code organizations and repos are only accessible by users who truly require access | Required | N/A |
| Refrain from checking in any secret or confidential data to source code repos | Requirement | BC Internal - SSDLC - Securing Development Environments |
Don't create repos in personal organizations. If this is needed, ensure that it is set to private visibility upon creation |
Requirement | Github Docs - Repo Visibility |
| Require at least two reviews for PRs to be merged | Recommendation | Github Docs - PR Review Requirements |
| Implement branch protections on production and main branches | Recommendation | Github Docs - Protected Branches |
| Action | Requirement or Recommendation? | Brightcove Reference |
|---|---|---|
| Only use CI/CD platforms approved for use by Brightcove | Required | N/A |
| Refrain from using hard-code secrets for deployments | Required | BC Internal - SSDLC - Using Application Secrets Securely |
| Have a plan in place to regularly reassess the CI/CD pipeline's security | Required | AWS Well-Architected Framework - Security Pillar - SEC11-BP07 Regularly assess security properties of the pipelines |