LIBRARY
SonarQube, whitesource, DAST
LOGGING
SonarQube, Abuse Testing, DAST
Security Review
Manual
Static code Analysis
SonarQube
RFC 3507 ICAP, JSCAPE MFT Server 10.2
Apache as malware scanning proxy
When reading a file, the file name/path should not come from user input;
if it does come from user input, it should be validated against a whitelist of allowed resources.
DAST, SonarQube
Error handling should fail securely: render only when no error is encountered
DAST, Manual, Abuse Testing
Store file in database
Sanitize file to prevent header injection
Require injection
Scan uploads using ICAP
Check the file header against the file name
Check the file size and enforce a limit
Replace special characters in the filename
DAST, Manual Test, Abuse Test
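The upload checks listed above (size limit, file header versus file name, special-character replacement, header-injection-safe names) as one validation routine. This is an added example, not code from the page; the size limit, the accepted extensions and their magic-byte signatures, and the function names are assumptions chosen for illustration. Malware scanning via ICAP and storing the file in the database are separate steps that would follow a successful validation.

```python
import os
import re

# Constructed limits and whitelist for this example (not from the page).
MAX_UPLOAD_BYTES = 1 * 1024 * 1024
# Magic-byte signatures for the content types this hypothetical app accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
ALLOWED_EXT = set(MAGIC)


def sanitize_filename(name: str) -> str:
    """Return a file name safe to store and to echo into response headers.

    Path components are dropped, CR/LF and other control characters are
    removed (so the name cannot inject headers such as Content-Disposition),
    and every remaining character outside a small safe set is replaced.
    """
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[\x00-\x1f\x7f]", "", base)          # control chars incl. CR/LF
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)          # special characters
    base = base.strip("._") or "upload"                   # avoid hidden/empty names
    return base[:100]


def header_matches_extension(data: bytes, ext: str) -> bool:
    """Check the file's leading bytes against the signature for its extension."""
    sig = MAGIC.get(ext.lower())
    return sig is not None and data.startswith(sig)


def validate_upload(name: str, data: bytes):
    """Return (ok, safe_name, reason); reason is 'ok' on success."""
    if len(data) > MAX_UPLOAD_BYTES:
        return (False, "", "file too large")
    safe = sanitize_filename(name)
    ext = safe.rsplit(".", 1)[-1].lower() if "." in safe else ""
    if ext not in ALLOWED_EXT:
        return (False, "", "extension not allowed")
    if not header_matches_extension(data, ext):
        return (False, "", "file header does not match extension")
    return (True, safe, "ok")


if __name__ == "__main__":
    png = MAGIC["png"] + b"\x00" * 16            # constructed sample content
    print(validate_upload("../../etc/passwd.png", png))
    print(validate_upload("shell.png", b"<?php echo 1; ?>"))
    print(sanitize_filename("evil.pdf\r\nSet-Cookie: a=b"))
```

The extension is derived from the sanitized name, not the raw one, so a traversal prefix or injected header line cannot influence which signature is checked; a mismatch between header and extension is rejected rather than silently corrected.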
Content-Type header for the response being sent
HTML responses always respond with text/html
HTML, JavaScript, CSS, images, ...
DAST
The app should respond to valid use cases of HTTP methods
GET, POST, OPTIONS, HEAD
No use of external entities
No use of recursion
No use of XPath
No use of DTDs
Whitelisting and sanitization of input