Application Security Kickoff Questionnaire

Complete the Form Below

Application Security Kickoff Questionnaire

The purpose of this form is to gather as much information as possible to provide for a smooth Kickoff Meeting. If you don't know how to answer a question or don't have an answer for it, please add N/A.

Name(Required)

First Last

Company(Required)

Email(Required)

General Information

What is the name and version of the application(s)?

Briefly describe each application's purpose and functionality.

What programming languages and frameworks are used in the application(s)?

Access Control

How is user authentication implemented in the application(s)?

Does the application support multi-factor authentication (MFA)?

Yes

How are user roles and permissions managed within the application(s)?

Is there a process for regular access reviews and deprovisioning of user accounts?

Data Protection

What types of sensitive data does the application(s) process or store?

How is data encrypted at rest and in transit?

Are there data retention and deletion policies in place?

How is data backed up and how often?

Secure Development Practices

Do you follow a secure software development lifecycle (SDLC)?

Yes

How often do developers receive application security training?

Is static application security testing (SAST) performed during development? If so, describe the tools and processes leveraged.

Is dynamic application security testing (DAST) conducted on the application? If so, describe the tools and processes leveraged.

Third-Party Components

How are third-party libraries and components managed and updated?

Is there a process for tracking and addressing vulnerabilities in third-party components?

API Security

How are APIs authenticated and authorized?

Are API requests and responses validated and sanitized?

Is API usage monitored and rate-limited?

Vulnerability Management

How often are internal vulnerability scans performed on the application?

How often are external vulnerability scans performed on the application?

What is the process for addressing and patching identified vulnerabilities?

Is there a bug bounty program or a way for external researchers to report vulnerabilities?

Mobile Security (if applicable)

How is data stored securely on mobile devices?

Is communication between mobile apps and backend services encrypted?

Are there controls to prevent running the app on jailbroken or rooted devices?

Additional Information

Are there any other security measures or practices not covered in this questionnaire that you'd like to highlight?

Application Security Kickoff Questionnaire