Security Checklist (KRITIS/NIS2)

Version: 2.0
Scope: Crypto, memory safety, availability, information disclosure, secure error handling.

Comprehensive security checklist based on CWE vulnerabilities and attack patterns.

Cryptographic Security

Check | CWE | Description
[ ] Nonce Uniqueness | CWE-323 | AES-GCM nonce unique per encryption (CRITICAL!)
[ ] Nonce Tracking | CWE-323 | Track used nonces, enforce MAX_NONCES_PER_KEY
[ ] Key Rotation | CWE-323 | Rotate key after nonce limit reached
[ ] Cryptographic RNG | CWE-330 | OpenSSL/OS CSPRNG for keys/nonces
[ ] Random IDs | CWE-330 | No sequential key/session IDs
[ ] Constant-time Comparison | CWE-208 | For secrets, MACs, tokens, API keys
[ ] Replay Protection | CWE-294 | Nonce/timestamp/sequence tracking
[ ] Channel Encryption | CWE-300 | mTLS for external communication
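Added example in Rust (not code from this checklist or its author) for the nonce-tracking, key-rotation and constant-time-comparison items above. It keeps a per-key set of used nonces, refuses any repeat, stops handing out nonces once MAX_NONCES_PER_KEY is reached, and models rotation as a fresh key id with an empty nonce set. The limit value (2^20), the key-id || counter nonce layout, and all type names are assumptions for this example; the AES-GCM call itself and the generation of key bytes belong to the crypto library and KMS and are not shown.

```rust
use std::collections::HashSet;

/// Per-key encryption budget. The checklist names the constant but not its
/// value; 2^20 is an assumed default for this example. NIST SP 800-38D caps
/// random 96-bit nonces at 2^32 invocations per key, so stay well below that.
pub const MAX_NONCES_PER_KEY: u64 = 1 << 20;

/// AES-GCM nonce: 96 bits.
pub type Nonce = [u8; 12];

#[derive(Debug, PartialEq, Eq)]
pub enum NonceError {
    /// Nonce already used under this key. Encrypting with it again breaks
    /// both confidentiality and authenticity of GCM (CWE-323); refuse.
    Reused,
    /// Budget exhausted: the caller must rotate to a fresh key first.
    RotationRequired,
}

/// Tracks every nonce used under one key and enforces the per-key limit.
pub struct KeyState {
    pub key_id: u32,
    limit: u64,
    used: HashSet<Nonce>,
    counter: u64,
}

impl KeyState {
    pub fn new(key_id: u32) -> Self {
        Self::with_limit(key_id, MAX_NONCES_PER_KEY)
    }

    /// Same as `new` but with an explicit budget (handy for tests).
    pub fn with_limit(key_id: u32, limit: u64) -> Self {
        KeyState { key_id, limit, used: HashSet::new(), counter: 0 }
    }

    /// Deterministic nonce: 4-byte key id || 8-byte big-endian counter.
    /// Unique by construction as long as the counter never wraps and the
    /// key id changes on every rotation.
    pub fn next_nonce(&mut self) -> Result<Nonce, NonceError> {
        if self.counter >= self.limit {
            return Err(NonceError::RotationRequired);
        }
        let mut nonce = [0u8; 12];
        nonce[..4].copy_from_slice(&self.key_id.to_be_bytes());
        nonce[4..].copy_from_slice(&self.counter.to_be_bytes());
        self.counter += 1;
        self.register(nonce)?;
        Ok(nonce)
    }

    /// Records a caller-supplied nonce (e.g. one drawn from the OS CSPRNG)
    /// and rejects any repeat. Call this *before* encrypting.
    pub fn register(&mut self, nonce: Nonce) -> Result<(), NonceError> {
        if self.used.len() as u64 >= self.limit {
            return Err(NonceError::RotationRequired);
        }
        if !self.used.insert(nonce) {
            return Err(NonceError::Reused);
        }
        Ok(())
    }

    /// Key rotation: a new key id and an empty nonce set. Generating the
    /// key bytes themselves is the job of the KMS/CSPRNG, not shown here.
    pub fn rotate(self) -> KeyState {
        KeyState::with_limit(self.key_id.wrapping_add(1), self.limit)
    }
}

/// Constant-time equality for MACs, tokens and API keys (CWE-208): every
/// byte is visited regardless of where the first mismatch lies, and
/// black_box discourages the optimizer from short-circuiting. Only the
/// length leaks, so compare fixed-length values (e.g. a hash of the token).
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= std::hint::black_box(x ^ y);
    }
    diff == 0
}

fn main() {
    let mut key = KeyState::new(1);
    let n = key.next_nonce().expect("fresh key has budget");
    println!("nonce {:02x?}, registering it again -> {:?}", n, key.register(n));
    println!("ct_eq(token, token) = {}", ct_eq(b"token", b"token"));
}
```

The HashSet is only needed when nonces are random; with the counter construction the counter alone guarantees uniqueness and the set becomes a belt-and-braces check. In production prefer an audited implementation such as the `subtle` crate for the comparison; the hand-written loop above is best effort, since the compiler gives no timing guarantee.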

Memory Security

Check | CWE | Description
[ ] Memory Zeroization | CWE-316 | Clear secrets after use
[ ] No Secrets in Logs | CWE-532 | Never log keys, passwords, tokens
[ ] Secure String Handling | CWE-316 | SecureString (C#), secrecy (Rust)
[ ] Key Material Cleared | CWE-316 | try-finally ensures cleanup on exception
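Added example in Rust (not from the checklist or its author) showing the memory items above in one wrapper type: a redacted Debug so the value cannot reach a log through `{:?}`, and a Drop that zeroizes the buffer on every exit path including panic unwinding, which is the Rust counterpart of the try-finally item. The type name `Secret` and the volatile-write zeroization are assumptions of this example, not the `secrecy` crate's implementation.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Wrapper for key material. Debug is redacted so a stray `{:?}` cannot put
/// the key in a log (CWE-532); Drop zeroizes the buffer so the key does not
/// linger in freed memory (CWE-316).
pub struct Secret(Vec<u8>);

impl Secret {
    pub fn new(bytes: Vec<u8>) -> Self {
        Secret(bytes)
    }

    /// Deliberately explicit access point; callers should use the slice in
    /// place rather than copying it into other buffers.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "Secret([REDACTED; {} bytes])", self.0.len())
    }
}

/// Overwrite with volatile stores so the optimizer cannot discard them as
/// dead writes to memory that is about to be freed; the fence stops the
/// compiler from moving the stores past the deallocation.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Drop runs on every exit path, including unwinding after a panic, which
/// is the Rust equivalent of the checklist's try-finally cleanup.
impl Drop for Secret {
    fn drop(&mut self) {
        zeroize(&mut self.0);
    }
}

fn main() {
    let key = Secret::new(vec![0x42; 32]);
    println!("{:?}", key); // redacted form only, never the bytes
    let _ = key.expose().len();
} // key dropped here: buffer zeroized before the Vec frees it
```

Two caveats a reviewer would raise: a Vec that was ever reallocated leaves stale copies behind that this Drop cannot reach, and a `Clone` impl would silently multiply the copies. The `zeroize`/`secrecy` crates named in the checklist cover these cases; the point of the example is the shape of the type, not a replacement for them.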

Input Validation

Check | CWE | Description
[ ] Size Limits | CWE-400 | MAX_PAYLOAD_SIZE enforced (default: 64KB)
[ ] Integer Overflow | CWE-190 | SafeAdd(), checked_add(), checked arithmetic
[ ] Null Checks | CWE-476 | At all API boundaries
[ ] No Unwrap on Input | CWE-248 | Proper error handling, no panic on malformed data
[ ] Parameterized Queries | CWE-89 | Never string concatenation for SQL
[ ] Character Validation | - | Whitelist for identifiers where appropriate
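Added example in Rust (not from the checklist or its author) that applies the size-limit, checked-arithmetic, no-unwrap and identifier-whitelist items to one parser. The wire format (u8 id length, id bytes, u32 big-endian payload length, payload) is constructed for this example; MAX_PAYLOAD_SIZE uses the checklist's 64 KB default, and `safe_add` stands in for the checklist's SafeAdd().

```rust
/// Maximum accepted payload, the checklist's default of 64 KB.
pub const MAX_PAYLOAD_SIZE: usize = 64 * 1024;

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Truncated,
    Oversized(usize),
    Overflow,
    InvalidIdentifier,
}

/// A parsed record: an identifier plus an opaque payload, borrowed from the input.
#[derive(Debug, PartialEq, Eq)]
pub struct Record<'a> {
    pub id: &'a str,
    pub payload: &'a [u8],
}

/// Checked addition for offsets derived from untrusted length fields (CWE-190);
/// the Rust counterpart of the checklist's SafeAdd().
pub fn safe_add(a: usize, b: usize) -> Result<usize, ParseError> {
    a.checked_add(b).ok_or(ParseError::Overflow)
}

/// Whitelist for identifiers: 1..=32 bytes of [A-Za-z0-9_], first char a letter.
pub fn is_valid_identifier(s: &str) -> bool {
    let mut chars = s.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() => {}
        _ => return false,
    }
    s.len() <= 32 && chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Parses one record from the wire format assumed for this example:
///     u8 id_len | id bytes | u32 big-endian payload_len | payload bytes
/// Every length is validated before it becomes an index, arithmetic is
/// checked, and malformed input returns Err instead of panicking (CWE-248).
pub fn parse_record(buf: &[u8]) -> Result<Record<'_>, ParseError> {
    let id_len = *buf.first().ok_or(ParseError::Truncated)? as usize;
    let id_end = safe_add(1, id_len)?;
    let id_bytes = buf.get(1..id_end).ok_or(ParseError::Truncated)?;
    let id = std::str::from_utf8(id_bytes).map_err(|_| ParseError::InvalidIdentifier)?;
    if !is_valid_identifier(id) {
        return Err(ParseError::InvalidIdentifier);
    }

    let len_end = safe_add(id_end, 4)?;
    let len_bytes = buf.get(id_end..len_end).ok_or(ParseError::Truncated)?;
    let payload_len =
        u32::from_be_bytes([len_bytes[0], len_bytes[1], len_bytes[2], len_bytes[3]]) as usize;

    // Reject oversized payloads before touching the data (CWE-400): the
    // declared length is attacker-controlled and must not drive allocation.
    if payload_len > MAX_PAYLOAD_SIZE {
        return Err(ParseError::Oversized(payload_len));
    }
    let payload_end = safe_add(len_end, payload_len)?;
    let payload = buf.get(len_end..payload_end).ok_or(ParseError::Truncated)?;
    Ok(Record { id, payload })
}

fn main() {
    // Constructed sample frame: id "sensor_1", payload "hello".
    let mut frame = vec![8u8];
    frame.extend_from_slice(b"sensor_1");
    frame.extend_from_slice(&5u32.to_be_bytes());
    frame.extend_from_slice(b"hello");
    println!("{:?}", parse_record(&frame));
}
```

The order of checks matters: the length field is compared against MAX_PAYLOAD_SIZE before it is added to any offset or used to slice, so a frame claiming 4 GB of payload costs one comparison rather than an allocation. Using `get(..)` instead of indexing turns every out-of-bounds case into `Truncated` rather than a panic that would take the service down.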

Error Handling

Check | CWE | Description
[ ] Sanitized Messages | CWE-209 | No paths/versions/stack traces to client
[ ] Full Error Logging | - | Log complete error internally before sanitizing
[ ] No Panic in Service | CWE-248 | Graceful error recovery, service stays up
[ ] Stack Trace Preserved | - | Re-throw without wrapping
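Added example in Rust (not from the checklist or its author) for the error-handling items above: the full error, including path and cause, goes to the internal log first, and the client only ever receives a fixed generic message plus a correlation id that links back to that log line. The error variants, HTTP status mapping and the `log` callback are assumptions for this example; the cause chain is kept via `source()`, the Rust analogue of re-throwing without wrapping.

```rust
use std::fmt;
use std::sync::atomic::{AtomicU64, Ordering};

/// Internal error: carries full detail (paths, queries, causes) for the
/// internal log. Nothing here is ever formatted into a client response.
#[derive(Debug)]
pub enum ServiceError {
    Database { query: String, detail: String },
    Io { path: String, source: std::io::Error },
    Validation(String),
}

impl fmt::Display for ServiceError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ServiceError::Database { query, detail } => {
                write!(f, "database error in `{}`: {}", query, detail)
            }
            ServiceError::Io { path, source } => write!(f, "io error on {}: {}", path, source),
            ServiceError::Validation(msg) => write!(f, "validation failed: {}", msg),
        }
    }
}

/// Keep the cause chain intact so internal tooling can still walk `source()`;
/// flattening the cause into a string would lose it (the "re-throw without
/// wrapping" item).
impl std::error::Error for ServiceError {
    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
        match self {
            ServiceError::Io { source, .. } => Some(source),
            _ => None,
        }
    }
}

/// What the client receives: an HTTP status, a fixed generic message, and a
/// correlation id that links the response to the full internal log entry.
#[derive(Debug, PartialEq, Eq)]
pub struct ClientError {
    pub status: u16,
    pub message: &'static str,
    pub correlation_id: u64,
}

static NEXT_CORRELATION: AtomicU64 = AtomicU64::new(1);

/// Log the complete error internally first, then hand back a sanitized view
/// (CWE-209). `log` stands in for the real logging sink.
pub fn sanitize(err: &ServiceError, log: &mut dyn FnMut(String)) -> ClientError {
    let correlation_id = NEXT_CORRELATION.fetch_add(1, Ordering::Relaxed);
    log(format!("[corr={}] {}", correlation_id, err));
    let (status, message) = match err {
        ServiceError::Validation(_) => (400, "Invalid request"),
        ServiceError::Database { .. } | ServiceError::Io { .. } => (500, "Internal error"),
    };
    ClientError { status, message, correlation_id }
}

fn main() {
    let err = ServiceError::Io {
        path: "/etc/app/secret.toml".to_string(),
        source: std::io::Error::new(std::io::ErrorKind::NotFound, "no such file"),
    };
    let client = sanitize(&err, &mut |line| eprintln!("{}", line));
    println!(
        "client sees: {} {} (corr {})",
        client.status, client.message, client.correlation_id
    );
}
```

Because `ClientError.message` is a `&'static str` chosen from a fixed set, there is no code path by which a path, query or library error text can be interpolated into the response; the compiler enforces the sanitization rather than a reviewer.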

Availability (DoS Protection)

Check | CWE | Description
[ ] Rate Limiting | CWE-400 | Token bucket per client/endpoint
[ ] Request Size Limits | CWE-400 | Reject oversized payloads early
[ ] Lock Safety | CWE-667 | Lock recovery mechanism
[ ] Resource Cleanup | CWE-772 | try-finally, using, defer, RAII - always
[ ] Timeout Handling | CWE-400 | Timeouts on all external operations
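Added example in Rust (not from the checklist or its author) of the token-bucket rate limiter keyed per client and endpoint. Time is passed in as seconds rather than read from a clock so the behaviour is deterministic; the capacity and refill values, the (client, endpoint) key and the eviction policy are assumptions for this example.

```rust
use std::collections::HashMap;

/// Token-bucket parameters: `capacity` is the permitted burst, `refill_per_sec`
/// the sustained rate. The numbers used below are assumed, not from the checklist.
#[derive(Clone, Copy, Debug)]
pub struct BucketConfig {
    pub capacity: f64,
    pub refill_per_sec: f64,
}

#[derive(Debug)]
struct Bucket {
    tokens: f64,
    last_refill: f64,
}

/// One bucket per (client, endpoint), so a noisy client cannot starve others
/// and a cheap endpoint cannot be used to burn the budget of an expensive one.
/// Time is injected as seconds to keep the logic deterministic; production
/// code would feed it from a monotonic clock (std::time::Instant).
pub struct RateLimiter {
    cfg: BucketConfig,
    buckets: HashMap<(String, String), Bucket>,
}

impl RateLimiter {
    pub fn new(cfg: BucketConfig) -> Self {
        RateLimiter { cfg, buckets: HashMap::new() }
    }

    /// Returns true if the request is admitted, false if it should be rejected
    /// (e.g. HTTP 429) before any expensive work is done.
    pub fn allow(&mut self, client: &str, endpoint: &str, now: f64) -> bool {
        let cfg = self.cfg;
        let bucket = self
            .buckets
            .entry((client.to_string(), endpoint.to_string()))
            .or_insert(Bucket { tokens: cfg.capacity, last_refill: now });
        // Refill proportionally to elapsed time, never above capacity.
        let elapsed = (now - bucket.last_refill).max(0.0);
        bucket.tokens = (bucket.tokens + elapsed * cfg.refill_per_sec).min(cfg.capacity);
        bucket.last_refill = now;
        if bucket.tokens >= 1.0 {
            bucket.tokens -= 1.0;
            true
        } else {
            false
        }
    }

    /// Drop buckets idle for longer than `idle_secs`. Without this the map
    /// grows with every new client key and the limiter becomes its own
    /// memory-exhaustion vector. Returns the number of buckets evicted.
    pub fn evict_idle(&mut self, now: f64, idle_secs: f64) -> usize {
        let before = self.buckets.len();
        self.buckets.retain(|_, b| now - b.last_refill < idle_secs);
        before - self.buckets.len()
    }

    pub fn tracked_buckets(&self) -> usize {
        self.buckets.len()
    }
}

fn main() {
    let mut rl = RateLimiter::new(BucketConfig { capacity: 3.0, refill_per_sec: 1.0 });
    for i in 0..5 {
        println!("request {} at t=0: {}", i, rl.allow("10.0.0.1", "/login", 0.0));
    }
    println!("request at t=1: {}", rl.allow("10.0.0.1", "/login", 1.0));
}
```

Run `evict_idle` from a periodic task; a limiter that never forgets clients fails the "Memory exhaustion prevented" item just as surely as the endpoint it is protecting. If the client key is derived from an untrusted header rather than the connection, an attacker can also mint unlimited fresh keys, so key on something the caller cannot freely choose.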

Thread Safety

Check | CWE | Description
[ ] Lock Poisoning Handled | CWE-667 | Recovery from poisoned locks
[ ] No Race Conditions | CWE-362 | Thread-safe data structures
[ ] Atomic Operations | CWE-362 | For counters, flags, shared state
[ ] Deadlock Prevention | CWE-833 | Lock ordering, timeouts
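Added example in Rust (not from the checklist or its author) covering lock poisoning recovery, an atomic counter and lock ordering together. A worker thread panics while holding a mutex, the main thread recovers the guard from the PoisonError instead of unwrapping, re-validates the protected data's invariant before trusting it, and a helper acquires two mutexes in a fixed address order. The `Ledger` type, its invariant and the repair policy are assumptions for this example.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex, MutexGuard, PoisonError};
use std::thread;

/// Shared state with an invariant that can be re-checked after a crash:
/// balance must equal credits - debits.
#[derive(Debug, Default)]
pub struct Ledger {
    pub credits: u64,
    pub debits: u64,
    pub balance: u64,
}

impl Ledger {
    pub fn is_consistent(&self) -> bool {
        self.credits.checked_sub(self.debits) == Some(self.balance)
    }
}

/// Acquire a mutex even if a previous holder panicked (CWE-667). The data is
/// still inside the PoisonError; `into_inner` hands back the guard. Using
/// `.lock().unwrap()` instead would re-panic in every later caller and turn
/// one bug into a service-wide outage (CWE-248).
pub fn lock_recover<T>(m: &Mutex<T>) -> MutexGuard<'_, T> {
    m.lock().unwrap_or_else(PoisonError::into_inner)
}

/// Deadlock prevention (CWE-833): take two locks in a fixed global order,
/// here by address. `a` and `b` must be distinct mutexes.
pub fn lock_pair<'a, T>(
    a: &'a Mutex<T>,
    b: &'a Mutex<T>,
) -> (MutexGuard<'a, T>, MutexGuard<'a, T>) {
    let a_first = (a as *const Mutex<T>) < (b as *const Mutex<T>);
    let (first, second) = if a_first { (a, b) } else { (b, a) };
    let g1 = lock_recover(first);
    let g2 = lock_recover(second);
    if a_first { (g1, g2) } else { (g2, g1) }
}

/// Simulates a worker that panics mid-update while holding the lock, then
/// recovers. Returns (was_poisoned, consistent_after_repair, panics_counted).
pub fn demo_poison_recovery() -> (bool, bool, u64) {
    let ledger = Arc::new(Mutex::new(Ledger::default()));
    // Atomic counter for a statistic touched from several threads (CWE-362):
    // no lock needed, no torn read.
    let panics = Arc::new(AtomicU64::new(0));

    let (l, p) = (Arc::clone(&ledger), Arc::clone(&panics));
    let worker = thread::spawn(move || {
        let mut g = lock_recover(&l);
        g.credits += 100; // balance should be updated next...
        p.fetch_add(1, Ordering::SeqCst);
        panic!("simulated bug while holding the lock"); // ...but never is
    });
    let _ = worker.join(); // Err: the worker panicked, the mutex is now poisoned

    let was_poisoned = ledger.is_poisoned();

    // Recover the guard, then validate the invariant before trusting the data.
    let mut g = lock_recover(&ledger);
    if !g.is_consistent() {
        // Repair policy: recompute the derived field from the authoritative ones.
        let fixed = g.credits.saturating_sub(g.debits);
        g.balance = fixed;
    }
    let consistent = g.is_consistent();
    drop(g);

    (was_poisoned, consistent, panics.load(Ordering::SeqCst))
}

fn main() {
    println!("(poisoned, consistent, panics) = {:?}", demo_poison_recovery());
}
```

Recovering the guard is only half of the item: poisoning exists precisely because the protected data may be half-updated, so the recovery path must check or rebuild the invariant, as done here, rather than silently continuing. Whether to repair, reset to a known-good snapshot or refuse service is a per-system decision.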

Audit & Compliance

Check | Standard | Description
[ ] All Modifications Logged | ISO 27001 A.12.4 | Data changes with user, timestamp, old/new value
[ ] Security Events Logged | NIS2 Art. 21 | Failed auth, rate limiting, suspicious input
[ ] Log File Rotation | - | Incremental format
[ ] No Sensitive Data in Logs | CWE-532 | Audit for accidental exposure

Quick Reference - By Attack Type

Cryptographic Attacks:

  • [ ] Nonce reuse prevented
  • [ ] Timing attacks mitigated (constant-time compare)
  • [ ] Replay attacks blocked
  • [ ] Key enumeration prevented (random IDs)

Input Attacks:

  • [ ] Buffer overflow prevented (size limits)
  • [ ] Integer overflow prevented
  • [ ] Malformed input handled
  • [ ] SQL injection prevented

Availability Attacks:

  • [ ] Resource exhaustion prevented (rate limiting)
  • [ ] Lock poisoning handled
  • [ ] Memory exhaustion prevented

Information Disclosure:

  • [ ] Error messages sanitized
  • [ ] Secrets zeroized after use
  • [ ] No sensitive data in logs

<wvds:audit:template critical="true">
No exec/shell_exec/system calls
No eval() calls
Output escaping
SQL injection prevention
CSRF protection
</wvds:audit:template>


Version: 2.0 (Split)
Author: Wolfgang van der Stille


Last modified: 2026/01/08 at 04:47 AM