Organizations today rely on a range of platforms and applications to run critical business operations and handle sensitive data, because these platforms offer easy deployment, built-in security controls and faster release cycles. Ensuring that such systems are securely configured is crucial to prevent data leakage and unauthorized access and to meet privacy standards. Configuration reviews complement SAST and DAST by identifying security gaps that arise from misconfigured platform or environment settings (assessed against the business requirement and the rule of least privilege), areas that code analysis and dynamic testing can miss. The review assesses administrative settings, access controls, integrations, encryption mechanisms and session configuration to confirm that security best practices are applied consistently across the environment.

Pre-Requisites

  • Application installed on, or integrated with, the platform (with the required licenses)
  • User access at platform-administrator level

Security Control and Test Cases

01

Access Management

This category ensures that users can access only the data and features their role requires. It reviews role definitions, access hierarchies and permission sets to verify that each user holds the least privilege needed for their function, and that access controls are granular and aligned with organizational needs.

02

Data and Record Sharing Settings

This category determines who can view or modify records within the platform. The review checks that sensitive data is not over-exposed by overly permissive sharing configurations (default record visibility, sharing rules, group memberships), which minimizes the risk of unauthorized data exposure in multi-user environments.
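As an added example for the Access Management and Data and Record Sharing checks (not code from the original page), the script below resolves the effective permissions of each user from a role hierarchy plus directly assigned permission sets, then compares them with the least-privilege baseline agreed for the user's job function and flags any excess, highlighting high-risk grants. The platform, role names, permission names, users and baseline are constructed sample data standing in for an export from the platform's admin console.

```python
"""Least-privilege audit over a role hierarchy and permission sets (added example)."""
from typing import Dict, List, Set

# Constructed sample export from a hypothetical platform: each role lists the
# permissions it grants directly and the junior roles whose grants it inherits.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "support_agent": {"grants": ["read_cases", "edit_own_cases"], "inherits": []},
    "support_lead":  {"grants": ["edit_all_cases", "export_cases"], "inherits": ["support_agent"]},
    "sales_rep":     {"grants": ["read_accounts", "edit_own_opps"], "inherits": []},
    "sales_manager": {"grants": ["view_all_opps", "export_reports"], "inherits": ["sales_rep"]},
    "sysadmin":      {"grants": ["modify_all_data", "manage_users"],
                      "inherits": ["support_lead", "sales_manager"]},
}

# Permission sets that can be assigned to a user on top of their role.
PERMISSION_SETS: Dict[str, Set[str]] = {
    "reporting":   {"export_reports", "view_all_opps"},
    "data_loader": {"api_access", "modify_all_data"},
}

# Least-privilege baseline agreed with the business: what each job function needs.
BASELINE: Dict[str, Set[str]] = {
    "support_agent": {"read_cases", "edit_own_cases"},
    "sales_rep":     {"read_accounts", "edit_own_opps"},
    "sales_manager": {"read_accounts", "edit_own_opps", "view_all_opps", "export_reports"},
}

# Grants that warrant a finding on their own because they bypass record-level sharing.
HIGH_RISK: Set[str] = {"modify_all_data", "manage_users", "api_access"}

# Constructed user list: carol has been given an admin role for a manager's job.
USERS = [
    {"name": "alice", "function": "support_agent", "role": "support_agent", "permission_sets": []},
    {"name": "bob",   "function": "sales_rep",     "role": "sales_rep",     "permission_sets": ["data_loader"]},
    {"name": "carol", "function": "sales_manager", "role": "sysadmin",      "permission_sets": []},
]


def effective_role_permissions(role: str, roles: Dict = ROLES) -> Set[str]:
    """Permissions a role grants directly plus everything it inherits (cycle-safe walk)."""
    perms: Set[str] = set()
    stack, seen = [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms.update(roles[current]["grants"])
        stack.extend(roles[current]["inherits"])
    return perms


def audit_users(users: List[Dict], baseline: Dict[str, Set[str]] = BASELINE) -> List[Dict]:
    """Return one finding per user whose effective permissions exceed their baseline."""
    findings = []
    for user in users:
        effective = set(effective_role_permissions(user["role"]))
        for ps in user["permission_sets"]:
            effective |= PERMISSION_SETS[ps]
        excess = effective - baseline[user["function"]]
        if excess:
            findings.append({
                "user": user["name"],
                "function": user["function"],
                "excess": sorted(excess),
                "high_risk": sorted(excess & HIGH_RISK),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_users(USERS):
        print(f"{finding['user']} ({finding['function']}): excess={finding['excess']} "
              f"high_risk={finding['high_risk']}")
```

Run against a real export, the same comparison is repeated per profile or permission set rather than per user where the platform aggregates grants that way; the point of the baseline is that "excess" is measured against the job function, not against what the platform happens to allow an administrator to assign.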

03

Storage of Sensitive Data

This category ensures that sensitive information (PII, financial or customer data) is stored securely to prevent disclosure or tampering. It also covers how API keys, third-party connection tokens and other credentials are managed, including whether any are hard-coded in code, configuration or custom settings.

04

Third-Party Integrations and OAuth Scope

This category ensures that the OAuth scopes granted to connected and third-party applications are neither broader than necessary nor unrestricted, since wide scopes let those applications, and the users acting through them, access more data than their function requires.

05

Credentials/Session/Security Configuration

This category validates password policies, account lockout, CAPTCHA implementation, session inactivity timeouts, invalidation of session identifiers on logout, security response headers and similar settings that protect user accounts from takeover. The aim is to resist brute-force attacks and session hijacking.

06

SSL/Certificates

This category covers the authenticity of the endpoint and the confidentiality and integrity of data in transit. It mainly checks SSL/TLS certificates (expiry, trust-chain issues, misconfiguration), the use of deprecated protocol versions (SSLv3, TLS 1.0 and TLS 1.1) and weak cipher suites.
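The following is an added example for the SSL/Certificates checks, not code from the original page. It classifies a negotiated protocol version and cipher suite and checks the certificate's validity window and subjectAltName, working on the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(). probe_host() performs the live connection when a hostname is supplied; the SAMPLE_RESULT and the reference time are constructed so the checks can be exercised offline. The issue codes, thresholds and the weak-cipher markers are this example's own choices.

```python
"""Offline TLS/certificate configuration checks plus a live probe (added example)."""
import socket
import ssl
import sys
import time
from typing import Dict, List

# Protocol versions that should be disabled on any internet-facing endpoint.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Algorithm names whose presence in an OpenSSL cipher-suite name marks it weak
# ("DES" also matches the 3DES suites, e.g. DES-CBC3-SHA).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def check_certificate(cert: Dict, now: float, warn_days: int = 30) -> List[str]:
    """Flag validity-window and naming problems in a getpeercert()-style dict."""
    issues = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        issues.append("cert-not-yet-valid")
    if now > not_after:
        issues.append("cert-expired")
    elif not_after - now < warn_days * 86400:
        issues.append("cert-expiring")
    if not cert.get("subjectAltName"):
        # Modern clients ignore the CN, so a cert without SAN fails hostname checks.
        issues.append("cert-no-san")
    return issues


def check_protocol(version: str) -> List[str]:
    return ["protocol-deprecated"] if version in DEPRECATED_PROTOCOLS else []


def check_cipher(name: str, version: str) -> List[str]:
    """Classify an OpenSSL cipher-suite name as negotiated under the given version."""
    issues = []
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        issues.append("cipher-weak")
    # TLS 1.3 suites always use an ephemeral key exchange; older versions need (EC)DHE.
    if version != "TLSv1.3" and not upper.startswith(("ECDHE", "DHE")):
        issues.append("cipher-no-forward-secrecy")
    if upper.endswith("-SHA"):
        issues.append("cipher-sha1-mac")  # legacy HMAC-SHA1 suites
    return issues


def assess(result: Dict, now: float) -> List[str]:
    """Combine all checks on a probe result {protocol, cipher, cert}."""
    return (check_protocol(result["protocol"])
            + check_cipher(result["cipher"], result["protocol"])
            + check_certificate(result["cert"], now))


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live probe with the default client context; chain or hostname failures
    surface as ssl.SSLCertVerificationError rather than as a result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return {"protocol": ssock.version(),
                    "cipher": ssock.cipher()[0],
                    "cert": ssock.getpeercert()}


# Constructed sample: TLS 1.2 with a static-RSA CBC suite and a CN-only certificate.
SAMPLE_RESULT = {
    "protocol": "TLSv1.2",
    "cipher": "AES128-SHA",
    "cert": {
        "subject": ((("commonName", "app.example.com"),),),
        "notBefore": "Mar  1 00:00:00 2024 GMT",
        "notAfter": "Mar  1 00:00:00 2025 GMT",
    },
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 15 00:00:00 2025 GMT")  # constructed reference time


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess(probe_host(sys.argv[1]), time.time()) or ["no issues"])
    else:
        print(assess(SAMPLE_RESULT, SAMPLE_NOW))
```

The default-context probe only reports what the client's best offer negotiates, so a server that still accepts TLS 1.0 will not show up as "protocol-deprecated" from it. To test for that, build a second context with ssl.PROTOCOL_TLS_CLIENT and set ctx.maximum_version = ssl.TLSVersion.TLSv1_1; a successful handshake is the finding, while a local OpenSSL security policy may refuse to offer those versions at all, in which case a dedicated scanner is needed for that check.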

The list above represents the core test cases and is not exhaustive; the detailed methodology varies with the platform and the application under review. The in-depth security review follows the web application penetration testing methodology.