A Security Checklist for Senior Engineers and Tech Leads

Tue, 02 Sep 2025 13:16:47 +0200

Couple of years ago, I told an interviewer I didn’t want to work on security problems because I found them boring. My mind has changed since then.

Security requirements are genuine engineering constraints. They drive development of sophisticated solutions, and it is interesting to work with them. The hard part, though, is knowing an exact list of critical security issues and approaches to them.

That’s why I asked ChatGPT for such list – on a level a solid principal engineer should know. The response was quite reasonable, so I spent some time refining the list, and here is the result! I keep it as a reference for myself, and I hope you’ll find it useful, too.

Core Web App Security

API Security: REST/GraphQL hardening, input validation, over/under-fetching prevention, API keys, HMAC, request signing, certificate pinning, replay prevention.
Authentication & Identity: password storage (bcrypt/argon2), MFA, OAuth2/OIDC, SAML, JWT best practices.
Authorization: RBAC, ABAC, least privilege, privilege escalation prevention.
CSRF Protection: tokens, SameSite cookies, double-submit cookie pattern.
Data Protection: encryption at rest (AES-256+), in transit (TLS 1.2+), key management.
Error Handling & Logging: no sensitive data leaks, structured logging, correlation IDs.
File Uploads: validation, MIME checks, virus scanning, sandboxing.
Injection Attacks: SQLi, NoSQLi, LDAP, OS command injection, template injection.
Input Validation: sanitization, strict schema validation, whitelisting.
Output Encoding: escaping for HTML, JS, CSS, URLs to prevent XSS.
Rate Limiting & DoS Protection: throttling, circuit breakers, caching.
Secrets Management: key rotation policies, vaults (e. g., HashiCorp Vault, AWS Secrets Manager).
Session Management: secure cookies, SameSite, HttpOnly, session fixation, token expiry/rotation.

Browser & Front-End Security

Clickjacking Protection: X-Frame-Options, frame-ancestors.
CSP (Content Security Policy): nonces, strict-dynamic, avoiding unsafe-inline.
HTTP caching headers: Cache-Control, Vary, Pragma for sensitive data.
Subresource Integrity (SRI) for 3rd-party scripts.
Trusted Types to mitigate DOM-based XSS.
Web Storage Security: storing sensitive data outside of localStorage or sessionStorage.

Infrastructure & Deployment

CI/CD Security: supply chain attacks, dependency scanning (SCA), signed builds.
Container Security: minimal images, runtime restrictions, scanning (Trivy, Clair).
DNS Security: DNSSEC, avoiding cache poisoning.
HTTPS Everywhere: HSTS, secure TLS configs, certificate rotation.
IaC Security: secure Terraform and CloudFormation, policy-as-code (OPA).
Reverse Proxies & WAFs: e. g., Cloudflare, AWS WAF.
Secret and Key Management: choosing correct algorithms (AES-GCM, RSA vs ECC, SHA-2/3), key rotation policies, HSMs/KMS use.
Secrets in CI/CD: no hardcoded creds, encrypted variables.

Operational & Organizational

Compliance & Privacy: GDPR, HIPAA, SOC2, PCI-DSS basics.
Dependency Management: SCA, patching, SBOMs.
External Attack Surface Discovery: domains, APIs, old endpoints.
Insider Threats: principle of least privilege, auditing.
Monitoring & Incident Response: SIEM, anomaly detection, alerting.
Secure SDLC: threat modeling, STRIDE, abuse cases, security reviews.
Security Testing: static analysis (SAST), dynamic analysis (DAST), penetration testing.
Zero Trust Principles: network segmentation, identity-aware access.

Advanced / Modern Web Concerns