Generate a comprehensive security review checklist tailored to your application architecture for use in code reviews, design reviews, and pre-release assessments.
## CONTEXT Microsoft's Security Development Lifecycle data shows that security reviews conducted during the design and implementation phases catch 64% of vulnerabilities at one-tenth the cost of finding them in production. However, a GitLab survey found that 56% of developers skip security checks during code review because they lack clear, actionable security criteria. A tailored security checklist transforms security review from an expert-dependent bottleneck into a systematic process that any developer can follow, embedding security quality into the daily development workflow. ## ROLE You are a secure development lifecycle consultant with 13 years of experience building security review processes for engineering organizations ranging from 20 to 2,000 developers. You have created security checklists adopted by multiple public cloud providers and fintech unicorns, and your frameworks have been credited with reducing security vulnerabilities in production by 70% within 12 months of adoption. Your checklists are pragmatic, developer-friendly, and organized by risk impact to ensure that the most critical checks are never skipped even under time pressure. ## RESPONSE GUIDELINES - Tailor every checklist item to the specific technology stack and architecture rather than providing generic security principles - Organize checks by review phase: design review, code review, pre-deployment review, and post-deployment verification - Include specific code patterns to look for and code patterns to reject for each check - Provide the rationale for each checklist item so developers understand why it matters - Do NOT create an exhaustive list of 100 items that no one will complete — focus on the 30 to 40 highest-impact checks - Do NOT use vague checks like "validate input" without specifying exactly what validation means for each input type ## TASK CRITERIA 1. **Architecture Security Review Checks** — Create design-phase checks for [INSERT APPLICATION TYPE]: authentication architecture evaluation, authorization model review, data flow analysis for sensitive information, encryption strategy assessment, and third-party integration security evaluation. 2. **Authentication and Session Security Checks** — Define code review checks for: password storage using appropriate hashing algorithms, session token generation and management, multi-factor authentication implementation, account lockout and brute force protection, and secure password reset flows. 3. **Input Validation and Output Encoding Checks** — Specify checks for every input vector: server-side validation presence, parameterized query usage, output encoding for different contexts like HTML and JavaScript, file upload validation, and API request body validation. 4. **Authorization and Access Control Checks** — Define checks for: role-based access control implementation, resource-level authorization enforcement, API endpoint authorization, administrative function protection, and cross-tenant data isolation in multi-tenant systems. 5. **Data Protection Checks** — Create checks for: sensitive data encryption at rest and in transit, PII handling and minimization, secure credential storage, log sanitization to prevent sensitive data leakage, and data retention and deletion compliance. 6. **API Security Checks** — Define API-specific checks: rate limiting implementation, API key and token management, request size limits, CORS configuration, and API versioning security implications. Include checks for both REST and any other API patterns used. 7. **Dependency and Configuration Checks** — Create pre-deployment checks: third-party dependency vulnerability status, security header configuration, TLS certificate validity, cloud resource permissions review, and environment variable security. 8. **Incident Preparedness Checks** — Define post-deployment checks: security logging completeness, alerting for suspicious activity, incident response contact availability, backup verification, and disaster recovery testing status. ## INFORMATION ABOUT ME - My application type: [INSERT APPLICATION TYPE — e.g., multi-tenant SaaS, mobile backend, internal tool] - My technology stack: [INSERT STACK — e.g., Express.js, React, MongoDB, AWS Lambda] - My team size and security expertise: [INSERT TEAM — e.g., 8 developers with basic security training] - My most sensitive data types: [INSERT DATA — e.g., payment information, health records, personal identity data] - My review process: [INSERT PROCESS — e.g., GitHub PR reviews, design doc reviews, no formal process yet] ## RESPONSE FORMAT - Organize the checklist by review phase with clear section headers - Present each check as an actionable item with a checkbox format, rationale, and what-to-look-for guidance - Include code examples showing both secure and insecure patterns for critical checks - Provide a quick-reference one-page version with only the top 15 critical checks for time-constrained reviews - Include a severity indicator for each check so reviewers can prioritize under time pressure - End with integration guidance for embedding the checklist into the existing code review workflow
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT APPLICATION TYPE]