Checklists

In this section of our "companion web site" we will feature sample checklists suitable for use in evaluating the security of applications. That will require contributions from our readers. How about it? Can you provide (with appropriate permissions, of course) a checklist or two you have found useful?

As a start, we reprint here, with permission, the "Security-At-a-Glance" (SAG) checklist from chapter 6. Mark developed it while working for a former employer, as a tool for developers. There it was implemented as a Web form. After you answered the "twenty questions", the script would give you a score for the application.

There are four more things we would like you to know about using this script.

1.  The numbers alongside the individual questions represent a crude weighting system. One way to use them is to add each question's number to a running total whenever the answer is "Yes". You might then take a higher total to mean a more secure application (but see note #4).

2.  If you use the weights this way, then an application that gets all "Yes" answers will score 64. You might therefore consider adding 36 to every total, so that the maximum possible score is 100.

3.  We have substituted dummy numbers, represented as "N", for the figures actually used by the company where the SAG was developed. You'll want to replace them with useful figures suitable to the needs of your own site.

4.  Not only is this a remarkably unscientific and sure-to-be inaccurate way of scoring applications, but also we (and everyone else involved in producing and publishing the script) disclaim any and all responsibility for the results you might get using it. We present it here for educational purposes only. In that spirit, we hope you find it useful.
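
Notes 1 and 2 describe a small scoring procedure, and the short program below implements it so you can see the arithmetic end to end. It is an added example written for this page, not the original SAG Web-form script, and the question identifiers and weights in it are constructed placeholders: twenty made-up items whose weights happen to sum to 64, so that an all-"Yes" sheet scores 64 raw and 100 after the offset, exactly as note 2 says. Substitute the real SAG weights from chapter 6 before using it for anything.

```python
"""Weighted yes/no checklist scorer in the style of notes 1 and 2 above.

Added example, not the original SAG web form. The question identifiers
and weights below are constructed placeholders (an assumption); replace
them with the real SAG weights from chapter 6.
"""
from typing import Dict, List, Tuple

QUESTION_COUNT = 20      # the SAG "twenty questions"
MAX_RAW = 64             # all-"Yes" total stated in note 2
OFFSET = 100 - MAX_RAW   # 36, so that a perfect answer sheet scores 100

# Constructed sample weights (assumption): 20 placeholder questions whose
# weights sum to 64, so the arithmetic matches note 2.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "Q01": 5, "Q02": 5, "Q03": 5, "Q04": 4, "Q05": 4,
    "Q06": 4, "Q07": 3, "Q08": 3, "Q09": 3, "Q10": 3,
    "Q11": 3, "Q12": 3, "Q13": 3, "Q14": 3, "Q15": 3,
    "Q16": 2, "Q17": 2, "Q18": 2, "Q19": 2, "Q20": 2,
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject a weight table that cannot produce the scale notes 1 and 2 describe."""
    if len(weights) != QUESTION_COUNT:
        raise ValueError(f"expected {QUESTION_COUNT} questions, got {len(weights)}")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("every weight must be a positive integer")
    total = sum(weights.values())
    if total != MAX_RAW:
        raise ValueError(f"weights sum to {total}, not {MAX_RAW}; adjust OFFSET too")


def sag_score(
    answers: Dict[str, bool],
    weights: Dict[str, int] = SAMPLE_WEIGHTS,
) -> Tuple[int, int, List[Tuple[str, int]]]:
    """Score one answer sheet.

    answers maps question id -> True for "Yes". A question missing from the
    sheet is treated as "No": an unanswered item earns nothing.
    Returns (raw total, raw total + OFFSET, unmet questions sorted by the
    weight they cost, heaviest first), so the misses double as a
    remediation priority list.
    """
    validate_weights(weights)
    unknown = sorted(set(answers) - set(weights))
    if unknown:
        raise ValueError(f"answers for unknown questions: {unknown}")
    raw = sum(w for q, w in weights.items() if answers.get(q, False))
    misses = sorted(
        ((q, w) for q, w in weights.items() if not answers.get(q, False)),
        key=lambda qw: (-qw[1], qw[0]),
    )
    return raw, raw + OFFSET, misses


if __name__ == "__main__":
    # Constructed sample sheet: everything "Yes" except the heaviest and the
    # lightest placeholder questions.
    sheet = {q: True for q in SAMPLE_WEIGHTS}
    sheet["Q01"] = False
    sheet["Q20"] = False
    raw, adjusted, misses = sag_score(sheet)
    print(f"raw {raw}/{MAX_RAW}, adjusted {adjusted}/100")
    for q, w in misses:
        print(f"  missed {q} (worth {w})")
```

One thing the offset hides: a sheet that answers "No" to every question still reports 36 out of 100, so print the raw total next to the adjusted one rather than the adjusted one alone. The sorted list of misses is the more useful output in practice, since it tells a developer which "No" answers cost the most under the weighting in force.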

That being said, click here to view the SAG checklist...


Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org