Security Checklist (KRITIS/NIS2)

Version: 2.0
Scope: Crypto, Memory Safety, Availability, Information Disclosure, Secure Error Handling.

Comprehensive security checklist based on CWE weaknesses and attack patterns.

Cryptographic Security

Check                            CWE      Description
[ ] Nonce Uniqueness             CWE-323  AES-GCM nonce unique per encryption (CRITICAL!)
[ ] Nonce Tracking               CWE-323  Track used nonces, enforce MAX_NONCES_PER_KEY
[ ] Key Rotation                 CWE-323  Rotate the key once the nonce limit is reached
[ ] Cryptographic RNG            CWE-330  OpenSSL/OS CSPRNG for keys/nonces
[ ] Random IDs                   CWE-330  No sequential key/session IDs
[ ] Constant-time Comparison     CWE-208  For secrets, MACs, tokens, API keys
[ ] Replay Protection            CWE-294  Nonce/timestamp/sequence tracking
[ ] Channel Encryption           CWE-300  mTLS for external communication
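The first three rows describe one mechanism: every nonce issued under a key is recorded, the count is capped by MAX_NONCES_PER_KEY, and hitting the cap forces a key rotation. The block below is an added example written for this checklist (it is not the checklist author's code) in Rust, which the checklist already references for unwrap/checked_add idioms. It uses only the standard library: the nonce is a 96-bit counter nonce as used by AES-GCM, the limit value 4 is an assumption chosen so the rotation path is exercised (the checklist gives no value), and the encryption call itself is left out. It also includes the constant-time comparison from the CWE-208 row, since a MAC or token check belongs next to the nonce logic.

```rust
use std::collections::HashSet;

// The checklist names MAX_NONCES_PER_KEY but gives no value; 4 is an
// assumed, deliberately tiny limit so the rotation path is exercised.
pub const MAX_NONCES_PER_KEY: u64 = 4;

/// AES-GCM uses a 96-bit (12-byte) nonce.
pub type Nonce = [u8; 12];

#[derive(Debug, PartialEq)]
pub enum NonceError {
    Reused(Nonce),
    KeyExhausted,
}

/// Per-key state: a monotonically increasing counter nonce plus the set of
/// every nonce already used under this key (catches reuse from any path).
pub struct KeyState {
    pub key_id: u32,
    counter: u64,
    used: HashSet<Nonce>,
}

impl KeyState {
    pub fn new(key_id: u32) -> Self {
        KeyState { key_id, counter: 0, used: HashSet::new() }
    }

    /// Issues the next nonce, refusing once the per-key limit is reached.
    pub fn next_nonce(&mut self) -> Result<Nonce, NonceError> {
        if self.used.len() as u64 >= MAX_NONCES_PER_KEY {
            return Err(NonceError::KeyExhausted);
        }
        // 4 fixed bytes + 8-byte big-endian counter; checked_add so the
        // counter can never silently wrap back to an already used value.
        let mut nonce: Nonce = [0u8; 12];
        nonce[4..].copy_from_slice(&self.counter.to_be_bytes());
        self.counter = self.counter.checked_add(1).ok_or(NonceError::KeyExhausted)?;
        self.register(nonce)?;
        Ok(nonce)
    }

    /// Records a nonce as used; rejects any value seen before under this key.
    pub fn register(&mut self, nonce: Nonce) -> Result<(), NonceError> {
        if !self.used.insert(nonce) {
            return Err(NonceError::Reused(nonce));
        }
        Ok(())
    }
}

/// Rotates to a fresh key (new key_id, empty nonce set) when the current
/// key is exhausted, so callers never get a nonce under an over-used key.
pub fn nonce_with_rotation(state: &mut KeyState) -> Result<Nonce, NonceError> {
    match state.next_nonce() {
        Err(NonceError::KeyExhausted) => {
            *state = KeyState::new(state.key_id + 1);
            state.next_nonce()
        }
        other => other,
    }
}

/// Constant-time equality for MACs, tokens and API keys: every byte is
/// examined regardless of where the first mismatch is, so the running time
/// does not depend on how many leading bytes matched. (Short-circuiting on
/// length is fine: MAC and token lengths are public.)
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    std::hint::black_box(diff) == 0
}
```

The HashSet is what makes the reuse check independent of the counter: if a nonce ever arrives from another path (a restored snapshot, a second code path generating nonces for the same key), register() rejects it rather than letting AES-GCM encrypt twice under the same (key, nonce) pair.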

Memory Security

Check                            CWE      Description
[ ] Memory Zeroization           CWE-316  Wipe secrets after use
[ ] No Secrets in Logs           CWE-532  Never log keys, passwords, tokens
[ ] Secure String Handling       CWE-316  SecureString (C#), secrecy (Rust)
[ ] Key Material Cleared         CWE-316  try-finally guarantees cleanup on exception
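In Rust the try-finally guarantee of the last row is the Drop trait: a guard's destructor runs on normal return and during panic unwinding alike. The block below is an added example, not the checklist author's code and not the secrecy crate; it uses the standard library only. It shows an owned secret type that zeroes itself on drop and redacts itself in Debug output (the "no secrets in logs" row), plus a scope guard over a borrowed key buffer so the wipe can be observed from outside. Volatile writes plus a compiler fence are used so the optimizer cannot drop the stores as dead; the names SecretBytes, WipeGuard and with_key_material are this example's own.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrites the buffer with zeros through volatile writes so the
/// optimizer cannot elide the stores as dead before deallocation.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: b is a valid, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Owned secret buffer: zeroed on drop, never printed in full.
pub struct SecretBytes(Vec<u8>);

impl SecretBytes {
    pub fn new(bytes: Vec<u8>) -> Self {
        SecretBytes(bytes)
    }

    /// The only access path to the raw bytes, so every use is visible in review.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        zeroize(&mut self.0);
    }
}

/// Debug output is redacted: a log line only ever learns the length.
impl fmt::Debug for SecretBytes {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SecretBytes([REDACTED; {} bytes])", self.0.len())
    }
}

/// Scope guard over a borrowed buffer: the Rust equivalent of try-finally.
/// The wipe runs when the guard goes out of scope, on return or on unwind.
pub struct WipeGuard<'a>(pub &'a mut [u8]);

impl Drop for WipeGuard<'_> {
    fn drop(&mut self) {
        zeroize(self.0);
    }
}

/// Runs `f` over key material in `buf` and guarantees the buffer is wiped
/// afterwards, even if `f` panics.
pub fn with_key_material<R>(buf: &mut [u8], f: impl FnOnce(&[u8]) -> R) -> R {
    let guard = WipeGuard(buf);
    f(&*guard.0)
}
```

The guard pattern is the one to reach for when the key lives in a caller-owned buffer (a stack array, a buffer handed over by FFI) that the secret type cannot own; the owned SecretBytes covers the common case where the code controls allocation.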

Input Validation

Check                            CWE      Description
[ ] Size Limits                  CWE-400  MAX_PAYLOAD_SIZE enforced (default: 64KB)
[ ] Integer Overflow             CWE-190  SafeAdd(), checked_add(), checked arithmetic
[ ] Null Checks                  CWE-476  At all API boundaries
[ ] No Unwrap on Input           CWE-248  Proper error handling, no panic on malformed data
[ ] Parameterized Queries        CWE-89   Never build SQL by string concatenation
[ ] Character Validation         -        Whitelist for identifiers where appropriate

Error Handling

Check                            CWE      Description
[ ] Sanitized Messages           CWE-209  No paths/versions/stack traces sent to the client
[ ] Full Error Logging           -        Log the complete error internally before sanitizing
[ ] No Panic in Service          CWE-248  Graceful error recovery, service stays up
[ ] Stack Trace Preserved        -        Re-throw without wrapping
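The Input Validation and Error Handling tables describe two halves of the same boundary: lengths from the wire are checked before any arithmetic or allocation, nothing is unwrapped, and the error that results is logged in full internally but reaches the client as a fixed, detail-free string. The block below is an added example, not the checklist author's code; it is in Rust with the standard library only. The wire format (one length-prefixed identifier followed by a length-prefixed body) and the names parse_message, handle_request and ParseError are constructed for the example; MAX_PAYLOAD_SIZE takes the checklist's 64KB default. The log sink is an injected Vec so the example is testable; a real service would use the log or tracing crate.

```rust
use std::fmt;

/// Checklist default: 64 KB.
pub const MAX_PAYLOAD_SIZE: usize = 64 * 1024;

/// Internal error: carries every detail the operator needs. Only the
/// internal log ever sees its Display/Debug output.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { needed: usize, have: usize },
    TooLarge { declared: usize, limit: usize },
    Overflow,
    BadIdentifier(String),
}

impl fmt::Display for ParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ParseError::Truncated { needed, have } => {
                write!(f, "truncated: need {} bytes, have {}", needed, have)
            }
            ParseError::TooLarge { declared, limit } => {
                write!(f, "declared body size {} exceeds limit {}", declared, limit)
            }
            ParseError::Overflow => write!(f, "length arithmetic overflow"),
            ParseError::BadIdentifier(s) => write!(f, "identifier rejected: {:?}", s),
        }
    }
}

impl ParseError {
    /// Client-facing text: fixed strings, no sizes, paths or internals.
    pub fn public_message(&self) -> &'static str {
        match self {
            ParseError::TooLarge { .. } => "payload too large",
            _ => "malformed request",
        }
    }
}

#[derive(Debug, PartialEq)]
pub struct Message {
    pub ident: String,
    pub body: Vec<u8>,
}

/// Whitelist for identifiers: ASCII letters, digits, '_' and '-' only.
pub fn is_safe_ident(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'_' || b == b'-')
}

/// Wire format constructed for this example:
///   u8 ident_len | ident | u32 body_len (big-endian) | body
/// Every length comes from the network, so every offset is computed with
/// checked_add and every slice is bounds-checked before use; no unwrap.
pub fn parse_message(input: &[u8]) -> Result<Message, ParseError> {
    let need = |n: usize| {
        if input.len() < n {
            Err(ParseError::Truncated { needed: n, have: input.len() })
        } else {
            Ok(())
        }
    };
    need(1)?;
    let ident_len = input[0] as usize;
    let ident_end = 1usize.checked_add(ident_len).ok_or(ParseError::Overflow)?;
    need(ident_end)?;
    let ident = std::str::from_utf8(&input[1..ident_end])
        .map_err(|_| ParseError::BadIdentifier("<non-utf8>".to_string()))?;
    if !is_safe_ident(ident) {
        return Err(ParseError::BadIdentifier(ident.to_string()));
    }
    let len_end = ident_end.checked_add(4).ok_or(ParseError::Overflow)?;
    need(len_end)?;
    let len_bytes = [input[ident_end], input[ident_end + 1], input[ident_end + 2], input[ident_end + 3]];
    let body_len = u32::from_be_bytes(len_bytes) as usize;
    // Enforce the size limit before any allocation sized by body_len.
    if body_len > MAX_PAYLOAD_SIZE {
        return Err(ParseError::TooLarge { declared: body_len, limit: MAX_PAYLOAD_SIZE });
    }
    let body_end = len_end.checked_add(body_len).ok_or(ParseError::Overflow)?;
    need(body_end)?;
    Ok(Message { ident: ident.to_string(), body: input[len_end..body_end].to_vec() })
}

/// Service boundary. The full error is logged first, then the client gets
/// only the sanitized message. The error value is passed through unchanged
/// rather than re-wrapped, so no detail is lost on the way to the log.
pub fn handle_request(input: &[u8], log: &mut Vec<String>) -> Result<Message, &'static str> {
    parse_message(input).map_err(|e| {
        log.push(format!("parse failed: {} ({:?})", e, e));
        e.public_message()
    })
}
```

The order inside parse_message is the point: the declared body length is compared against MAX_PAYLOAD_SIZE before it is added to anything or used to size a Vec, so an oversized or overflowing length is rejected while it is still just a number.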

Availability (DoS Protection)

Check                            CWE      Description
[ ] Rate Limiting                CWE-400  Token bucket per client/endpoint
[ ] Request Size Limits          CWE-400  Reject oversized payloads early
[ ] Lock Safety                  CWE-667  Lock recovery mechanism
[ ] Resource Cleanup             CWE-772  try-finally, using, defer, RAII - always
[ ] Timeout Handling             CWE-400  Timeouts on all external operations
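A token bucket per (client, endpoint) pair is the mechanism named in the Rate Limiting row. The block below is an added example, not the checklist author's code, in Rust using only the standard library. The current time is passed in rather than read inside, so the behaviour is deterministic and testable, and the number of tracked buckets is capped (failing closed with Overloaded) so the limiter itself cannot become the memory-exhaustion vector. The names RateLimiter, TokenBucket, Decision and evict_idle are this example's own.

```rust
use std::collections::hash_map::Entry;
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    /// This client/endpoint pair has spent its tokens.
    Throttled,
    /// Too many distinct clients tracked: fail closed rather than grow unbounded.
    Overloaded,
}

pub struct TokenBucket {
    capacity: f64,
    tokens: f64,
    refill_per_sec: f64,
    last: Instant,
}

impl TokenBucket {
    pub fn new(capacity: u32, refill_per_sec: f64, now: Instant) -> Self {
        TokenBucket { capacity: capacity as f64, tokens: capacity as f64, refill_per_sec, last: now }
    }

    fn refill(&mut self, now: Instant) {
        // saturating: a clock that appears to go backwards adds zero, never panics
        let elapsed = now.saturating_duration_since(self.last).as_secs_f64();
        self.tokens = (self.tokens + elapsed * self.refill_per_sec).min(self.capacity);
        self.last = now;
    }

    pub fn try_acquire(&mut self, now: Instant) -> bool {
        self.refill(now);
        if self.tokens >= 1.0 {
            self.tokens -= 1.0;
            true
        } else {
            false
        }
    }
}

/// One bucket per (client, endpoint). `now` is passed in rather than read
/// from the clock inside so behaviour is deterministic and testable.
pub struct RateLimiter {
    buckets: HashMap<(String, String), TokenBucket>,
    capacity: u32,
    refill_per_sec: f64,
    max_tracked: usize,
}

impl RateLimiter {
    pub fn new(capacity: u32, refill_per_sec: f64, max_tracked: usize) -> Self {
        RateLimiter { buckets: HashMap::new(), capacity, refill_per_sec, max_tracked }
    }

    pub fn allow(&mut self, client: &str, endpoint: &str, now: Instant) -> Decision {
        let (len, max, cap, rate) = (self.buckets.len(), self.max_tracked, self.capacity, self.refill_per_sec);
        let bucket = match self.buckets.entry((client.to_string(), endpoint.to_string())) {
            Entry::Occupied(e) => e.into_mut(),
            Entry::Vacant(e) => {
                // An unknown client when the table is full is refused, not admitted:
                // the limiter's own memory is a bounded resource too.
                if len >= max {
                    return Decision::Overloaded;
                }
                e.insert(TokenBucket::new(cap, rate, now))
            }
        };
        if bucket.try_acquire(now) { Decision::Allow } else { Decision::Throttled }
    }

    /// Drops buckets idle for longer than `idle`, bounding memory over time.
    pub fn evict_idle(&mut self, now: Instant, idle: Duration) {
        self.buckets.retain(|_, b| now.saturating_duration_since(b.last) < idle);
    }

    pub fn tracked(&self) -> usize {
        self.buckets.len()
    }
}
```

In a real service evict_idle runs on a timer, and the (client, endpoint) key would be whatever identity the authentication layer established, not a client-controlled header.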

Thread Safety

Check                            CWE      Description
[ ] Lock Poisoning Handled       CWE-667  Recovery from poisoned locks
[ ] No Race Conditions           CWE-362  Thread-safe data structures
[ ] Atomic Operations            CWE-362  For counters, flags, shared state
[ ] Deadlock Prevention          CWE-833  Lock ordering, timeouts
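Lock poisoning is Rust-specific: a thread that panics while holding a std::sync::Mutex poisons it, and every later lock() returns Err, which a naive unwrap() turns into a service-wide cascade of panics. The block below is an added example, not the checklist author's code, in Rust with the standard library only. It shows the recovery idiom (into_inner on the poisoned guard), atomics for counters so the hot path never takes the lock, and a fixed lock-ordering helper for the deadlock row. The names Service, lock_recover, poison_then_recover and lock_both are this example's own.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex, MutexGuard};
use std::thread;

/// Hot counters are atomics: no lock, no poisoning, safe from any thread.
pub struct Counters {
    pub requests: AtomicU64,
    pub failures: AtomicU64,
}

pub struct Config {
    pub limit: u64,
}

pub struct Service {
    pub config: Mutex<Config>,
    pub counters: Counters,
}

/// Lock with poison recovery. Because every critical section here writes a
/// whole, valid value (no partial updates), the guarded data is still
/// consistent after another thread panicked inside it, so we take the guard
/// back instead of propagating the panic and taking the service down.
pub fn lock_recover<T>(m: &Mutex<T>) -> MutexGuard<'_, T> {
    m.lock().unwrap_or_else(|poisoned| poisoned.into_inner())
}

impl Service {
    pub fn new(limit: u64) -> Self {
        Service {
            config: Mutex::new(Config { limit }),
            counters: Counters { requests: AtomicU64::new(0), failures: AtomicU64::new(0) },
        }
    }

    pub fn record(&self, ok: bool) {
        self.counters.requests.fetch_add(1, Ordering::Relaxed);
        if !ok {
            self.counters.failures.fetch_add(1, Ordering::Relaxed);
        }
    }

    pub fn set_limit(&self, v: u64) {
        lock_recover(&self.config).limit = v;
    }

    pub fn limit(&self) -> u64 {
        lock_recover(&self.config).limit
    }
}

/// Simulates a worker thread that panics while holding the config lock,
/// then shows the service still answers: the panic is confined to the
/// worker, the poisoned lock is recovered, the current limit is returned.
pub fn poison_then_recover(svc: &Arc<Service>) -> u64 {
    let worker = {
        let svc = Arc::clone(svc);
        thread::spawn(move || {
            let _guard = svc.config.lock().unwrap();
            panic!("worker failed while holding the lock");
        })
    };
    // join() returns Err for a panicked thread; the panic stops here.
    let _ = worker.join();
    debug_assert!(svc.config.is_poisoned());
    svc.limit()
}

/// Deadlock prevention by fixed lock ordering: whichever order callers name
/// the two mutexes, they are always acquired in ascending address order, so
/// two threads can never each hold one and wait for the other.
pub fn lock_both<'a, T>(a: &'a Mutex<T>, b: &'a Mutex<T>) -> (MutexGuard<'a, T>, MutexGuard<'a, T>) {
    let (pa, pb) = (a as *const Mutex<T> as usize, b as *const Mutex<T> as usize);
    assert_ne!(pa, pb, "locking the same mutex twice would self-deadlock");
    if pa < pb {
        let ga = lock_recover(a);
        let gb = lock_recover(b);
        (ga, gb)
    } else {
        let gb = lock_recover(b);
        let ga = lock_recover(a);
        (ga, gb)
    }
}
```

Recovery is only correct when the invariant in the lock_recover comment holds; a critical section that performs multi-step updates needs either a transactional write (build the new value, then swap it in) or a validity check after into_inner before the data is trusted again.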

Audit & Compliance

Check                            Standard          Description
[ ] All Modifications Logged     ISO 27001 A.12.4  Data changes with user, timestamp, old/new value
[ ] Security Events Logged       NIS2 Art. 21      Failed auth, rate limiting, suspicious input
[ ] Log File Rotation            -                 Incremental format
[ ] No Sensitive Data in Logs    CWE-532           Audit for accidental exposure
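The first, second and fourth rows fit in one record type: a data change carries user, timestamp, field and old/new value; a security event carries the same header with no values; and values of sensitive fields are redacted before the line is rendered. The block below is an added example, not the checklist author's code, in Rust with the standard library only. The key=value line format, the field-name list, the leak patterns and the names AuditEvent, audit_line, leaks_secret and emit are this example's own; values are quoted and escaped so a value containing a newline cannot forge a second log line.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

#[derive(Debug)]
pub enum AuditKind {
    DataChange,
    AuthFailure,
    RateLimited,
    SuspiciousInput,
}

/// One audit record. Old/new values are optional because security events
/// (failed auth, throttling) change no data.
pub struct AuditEvent<'a> {
    pub kind: AuditKind,
    pub user: &'a str,
    pub ts_unix: u64,
    pub field: Option<&'a str>,
    pub old_value: Option<&'a str>,
    pub new_value: Option<&'a str>,
    pub detail: &'a str,
}

/// Field names whose values must never reach a log, even in an audit trail.
const SENSITIVE_FIELDS: &[&str] = &["password", "token", "secret", "api_key", "private_key"];

pub fn is_sensitive_field(name: &str) -> bool {
    let n = name.to_ascii_lowercase();
    SENSITIVE_FIELDS.iter().any(|s| n.contains(s))
}

pub fn now_unix() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

/// Quote and escape so a value containing quotes or newlines cannot forge
/// extra fields or extra log lines.
fn quoted(s: &str) -> String {
    let esc = s.replace('\\', "\\\\").replace('"', "\\\"").replace('\n', "\\n").replace('\r', "\\r");
    format!("\"{}\"", esc)
}

fn value_or_redacted(field: Option<&str>, value: Option<&str>) -> String {
    match (field, value) {
        (_, None) => "-".to_string(),
        (Some(f), Some(_)) if is_sensitive_field(f) => "\"[REDACTED]\"".to_string(),
        (_, Some(v)) => quoted(v),
    }
}

/// Renders one key=value audit line: who, when, what changed, from what to what.
pub fn audit_line(e: &AuditEvent) -> String {
    format!(
        "ts={} kind={:?} user={} field={} old={} new={} detail={}",
        e.ts_unix,
        e.kind,
        quoted(e.user),
        e.field.map(quoted).unwrap_or_else(|| "-".to_string()),
        value_or_redacted(e.field, e.old_value),
        value_or_redacted(e.field, e.new_value),
        quoted(e.detail),
    )
}

/// Last check before a line is written: rejects lines that look like they
/// carry credentials, regardless of which code path produced them.
pub fn leaks_secret(line: &str) -> bool {
    let l = line.to_ascii_lowercase();
    ["password=", "bearer ", "authorization:", "-----begin"].iter().any(|p| l.contains(p))
}

/// Writes to `sink` only after the leak check; returns whether it was accepted.
pub fn emit(sink: &mut Vec<String>, line: String) -> bool {
    if leaks_secret(&line) {
        sink.push(format!("ts={} kind=LogLineRejected detail=\"possible credential in log line\"", now_unix()));
        return false;
    }
    sink.push(line);
    true
}
```

The redaction in value_or_redacted is keyed on the field name, so it covers the audit path by construction; leaks_secret is the backstop for the "accidental exposure" row, catching free-text detail and error strings that pick up an Authorization header or a PEM block on the way to the log.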

Quick Reference - By Attack Type

Cryptographic Attacks:

  • [ ] Nonce reuse prevented
  • [ ] Timing attacks mitigated (constant-time compare)
  • [ ] Replay attacks blocked
  • [ ] Key enumeration prevented (random IDs)

Input Attacks:

  • [ ] Buffer overflow prevented (size limits)
  • [ ] Integer overflow prevented
  • [ ] Malformed input handled
  • [ ] SQL injection prevented

Availability Attacks:

  • [ ] Resource exhaustion prevented (rate limiting)
  • [ ] Lock poisoning handled
  • [ ] Memory exhaustion prevented

Information Disclosure:

  • [ ] Error messages sanitized
  • [ ] Secrets zeroized after use
  • [ ] No sensitive data in logs

<wvds:audit:template critical="true">
  No exec/shell_exec/system calls
  No eval() calls
  Output escaping
  SQL injection prevention
  CSRF protection
</wvds:audit:template>


Version: 2.0 (Split)
Author: Wolfgang van der Stille


Last modified: 29.01.2026 at 15:13