1. Is confidentiality of user data protected, both in transit (TLS on every
page that carries it) and at rest (credentials stored as salted hashes,
sensitive fields encrypted or access-controlled)?
2. Does the site require a user name and password (or an equivalent
credential) before it serves any protected page?
3. Are Digital Certificates in use at the server and, where required, at the
client, and is their validity actually checked (trusted issuer, matching host
name, not expired or revoked) rather than merely present?
4. Have you verified where encryption begins and ends? If TLS terminates at a
load balancer or proxy, the traffic behind it is plaintext unless it is
re-encrypted on the inner segment.
5. Are concurrent log-ons permitted for one account, and is that the intended
policy?
6. Does the application end a session after a period of inactivity?
7. Does a bookmarked or directly typed URL of a secure page fail without a
live session? Bookmarking cannot be disabled on the client side; the test is
whether the server checks the session on every request to such pages.
8. Does the browser show its secure indicator (the padlock) on secure pages,
and a warning on pages that mix secure and insecure content?
9. Is there anything sensitive (credentials, internal host names, hidden
business logic) in the page source? Disabling Right Click and View Source is
not a control: every client receives the source and can read it by other
means, so nothing secret may be placed in it.
10. Are you prevented from reaching other users' data or unintended functions
by editing content in the URL, for example changing a record identifier or a
search filter in the query string?
11. If using Digital Certificates, test the browser cache by enrolling for a
certificate and completing all of the required security information. After
completing the application and installing the certificate, use the browser's
Back button (the BackSpace key in older browsers) to see whether the pages
that carried that information are still served from the cache. If they are,
any user who walks up to the PC can read highly sensitive enrolment data.
Pages that carry such data should be sent with a Cache-Control: no-store
header, and the same test applies to log-on forms and account pages.
12. Do clients that cannot negotiate the required TLS version receive an
error rather than an insecure fallback? This item originally asked for an
alternative route for browsers below version 3.0, which did not support SSL;
that concern is obsolete, and today the correct answer is that no plaintext
or SSLv2/SSLv3 alternative to the secure pages exists.
13. Do your users know when they are entering or leaving secure portions of
your site?
14. Does your server lock out, or at least throttle, an account after
repeated invalid log-on attempts? Note that a permanent lock-out lets an
attacker deny service to any account whose name is known, so check that the
lock-out expires and that the log-on page is also rate-limited by source
address.
15. Test both valid and invalid log-on names and passwords. Are they case
sensitive? Is there a limit to the number of attempts allowed? Does the
failure message reveal whether the name or the password was wrong? Can the
log-on be bypassed by typing the URL of an inner page directly into the
browser?
16. What happens when the time-out is exceeded? Are users still able to
navigate through the site, or are they returned to the log-on page on their
next request?
17. Is relevant information (log-ons, failures, lock-outs, privileged
actions) written to the log files, and is it traceable to a user, a source
address and a time? Check also that passwords, session tokens and card
numbers are never written to the logs.
18. For SSL/TLS, verify that encryption is configured correctly (protocol
versions, cipher suites, certificate chain) and that the integrity of the
information is protected, so that a message altered in transit is rejected.
19. Is it impossible to place or edit scripts on the server without
authorisation (no world-writable web roots, no unauthenticated upload of
executable content)?
20. Have you tested the impact of a Secure Proxy Server, both on what the
proxy can read in clear and on the certificate and host name checks that it
terminates on the client's behalf?
21. Test that the Load Balancing Server carries the session information of
Server A over to Server B when A goes down, so that users are neither logged
out nor, worse, handed another user's session.
22. Have you verified the use of strong encryption? The historical benchmark
was 128-bit symmetric keys; today that means TLS 1.2 or later with at least
128-bit AEAD suites (AES-GCM, ChaCha20-Poly1305) and no export-grade, RC4,
DES or NULL ciphers.
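Items 5 to 7, 10, 11 and 14 to 17 all describe server-side behaviour that
can be modelled and exercised offline. The following is an added example, not
code from the original checklist or from any product it describes: a minimal
in-memory model of a log-on and session layer that throttles failed attempts
per account with an expiring lock-out, compares credentials case-sensitively
and in constant time, expires idle sessions, refuses direct or bookmarked URLs
without a live session, refuses record identifiers edited in the URL, sends
no-store headers on secure pages and keeps a traceable audit list. The
`Server` class, the user and record data, and the thresholds are all assumed
for illustration; a real deployment would persist them and would also
rate-limit the log-on page by source address.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Thresholds assumed for the example.
LOCKOUT_THRESHOLD = 5         # failed attempts per account ...
LOCKOUT_WINDOW = 15 * 60      # ... within this many seconds trigger a lock-out
IDLE_TIMEOUT = 10 * 60        # seconds of inactivity after which a session dies
SECURE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}
LOGIN_REDIRECT = (302, "redirect to /login", {})


class Server:
    """In-memory stand-in for the log-on and session layer under test."""

    def __init__(self):
        self._users = {}                      # user -> (salt, PBKDF2 hash)
        self._records = {}                    # record id -> owning user
        self._failures = defaultdict(deque)   # user -> times of failed log-ons
        self._sessions = {}                   # token -> [user, last activity]
        self.audit = []                       # (time, user, event): item 17

    def add_user(self, user, password, record_ids):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))
        for rid in record_ids:
            self._records[rid] = user

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _locked(self, user, now):
        """Item 14: locked when too many failures fall inside the window;
        old failures drop off, so the lock-out expires by itself."""
        recent = self._failures[user]
        while recent and now - recent[0] > LOCKOUT_WINDOW:
            recent.popleft()
        return len(recent) >= LOCKOUT_THRESHOLD

    def login(self, user, password, now):
        """Item 15: case-sensitive credentials, one generic failure status,
        constant-time comparison, and the same cost for unknown user names."""
        if self._locked(user, now):
            self.audit.append((now, user, "login_refused_locked"))
            return "locked", None
        entry = self._users.get(user)
        salt, stored = entry if entry else (bytes(16), bytes(32))
        digest = self._hash(password, salt)   # always computed, even for unknown names
        ok = entry is not None and hmac.compare_digest(digest, stored)
        if not ok:
            self._failures[user].append(now)
            self.audit.append((now, user, "login_failed"))
            return "invalid", None
        self._failures[user].clear()
        token = secrets.token_urlsafe(32)     # a second log-on makes a second session (item 5)
        self._sessions[token] = [user, now]
        self.audit.append((now, user, "login_ok"))
        return "ok", token

    def request(self, path, token, now):
        """Serve /account/<record id>. Returns (status, body, headers)."""
        session = self._sessions.get(token)
        if session is None:                   # items 7/15: bookmark or typed URL, no session
            return LOGIN_REDIRECT
        user, last_seen = session
        if now - last_seen > IDLE_TIMEOUT:    # items 6/16: idle time-out ends the session
            del self._sessions[token]
            self.audit.append((now, user, "session_expired"))
            return LOGIN_REDIRECT
        session[1] = now
        record_id = path.rsplit("/", 1)[-1]
        if self._records.get(record_id) != user:   # item 10: identifier edited in the URL
            self.audit.append((now, user, f"denied {path}"))
            return 403, "forbidden", SECURE_HEADERS
        return 200, f"record {record_id} of {user}", SECURE_HEADERS   # item 11: no-store


if __name__ == "__main__":
    # Constructed walk-through with a fake clock (seconds).
    srv = Server()
    srv.add_user("alice", "Correct-Horse", ["1001"])
    srv.add_user("bob", "Battery-Staple", ["2002"])
    for t in range(5):
        print(srv.login("alice", "wrong", t))           # five failures
    print(srv.login("alice", "Correct-Horse", 6))       # right password, locked
    status, token = srv.login("alice", "Correct-Horse", 1000)   # lock-out expired
    print(status, srv.request("/account/1001", token, 1001))
    print(srv.request("/account/2002", token, 1002))    # bob's record: 403
    for event in srv.audit:
        print(event)
```

The fake clock is passed in so the lock-out and idle time-out can be tested
without waiting; the same structure lets the checklist items be turned into
automated tests against the real application by replacing `Server` with an
HTTP client.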
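Items 3, 4, 18 and 22 concern the TLS configuration. The following is an
added example, not from the original checklist: it builds a client-side TLS
context with Python's standard ssl module that insists on certificate chain
and host name verification and on TLS 1.2 or newer, and it audits a list of
cipher suites (in the shape that SSLContext.get_ciphers() returns) against a
policy assumed here: no anonymous, export, RC4, DES, MD5 or NULL ciphers, at
least 128-bit symmetric keys, and no static RSA key exchange. `SAMPLE_OFFER`
is a constructed cipher list, not a real server's offer, used to show the
findings. Such a check only sees the hop it negotiates itself; if a proxy or
load balancer terminates TLS (item 4), the segment behind it must be
inspected separately.

```python
import re
import ssl

# Policy assumed for this example: suite names carrying these tokens are
# rejected outright ("DES" also catches 3DES). Names are spelt as OpenSSL
# reports them, e.g. "EXP-DES-CBC-SHA" or "ECDHE-RSA-AES128-GCM-SHA256".
WEAK_NAME = re.compile(r"(NULL|EXP|RC4|DES|MD5|ADH|AECDH|PSK|SRP)")
MIN_SYMMETRIC_BITS = 128


def hardened_client_context(ca_file=None):
    """Client context for checking a server: chain and host name are verified,
    TLS 1.2 is the floor, and only forward-secret AEAD suites are offered."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP")
    return ctx


def audit_ciphers(ciphers):
    """Return findings for cipher entries shaped like the dicts that
    SSLContext.get_ciphers() returns (keys 'name', 'strength_bits', 'kea')."""
    findings = []
    for c in ciphers:
        name = c["name"]
        if WEAK_NAME.search(name):
            findings.append(f"{name}: weak, anonymous or export algorithm")
        elif c["strength_bits"] < MIN_SYMMETRIC_BITS:
            findings.append(f"{name}: only {c['strength_bits']}-bit symmetric key")
        elif c.get("kea") == "kx-rsa":
            findings.append(f"{name}: static RSA key exchange, no forward secrecy")
    return findings


def audit_context(ctx):
    """Findings for a context: protocol floor, verification settings and the
    suites it would actually offer."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("server certificate or host name is not verified")
    findings.extend(audit_ciphers(ctx.get_ciphers()))
    return findings


# Constructed cipher list (not a real server's offer) to show the findings.
SAMPLE_OFFER = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128, "kea": "kx-ecdhe"},
    {"name": "RC4-SHA", "strength_bits": 128, "kea": "kx-rsa"},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40, "kea": "kx-rsa"},
    {"name": "AES256-SHA", "strength_bits": 256, "kea": "kx-rsa"},
]

if __name__ == "__main__":
    for line in audit_ciphers(SAMPLE_OFFER):
        print("sample offer:", line)
    print("hardened context findings:", audit_context(hardened_client_context()))
```

To apply this to a live server, wrap a socket with
`hardened_client_context().wrap_socket(sock, server_hostname=host)` and
inspect `version()` and `cipher()` on the result; a handshake failure against
a server that only speaks older protocols or weaker suites is the finding for
item 12 as much as for item 22.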