Hey Girls/Guys

today I have to test one of my web-applications I wrote.

As a summary of things I did security wise:

• Every customer has its own database
• Every customer can encrypt his files / database entries with sensitive data via AES (libsodium)
• Every customer-app is running as an isolated process with a specific user to avoid cache bleed etc.
• Every customer-app is locked into a specific folder structure, there is no global /tmp etc
• Every SQL statement is a prepared statement
• All backups are encrypted on file basis
• The system firewall only allows port 80/443 (port 80 is not used but still open)
• ClamAV is running as virus scanner for the uploads
• To login the user has a two - factor authentication + password
• The session-id is in the http-request header
• The https connection only allows TLS 1.2 plus secure cyphers
• The passwords are BCRYPT
• The user only get temporary access to encrypted data via a token within the session that allows a 15 minute period of encrypted data
• The encrypted data is only transferred to the client if the user confirmed the security token otherwise it's a placeholder
• SSH connection is not possible without a VPN
• Every login attempt is logged + IP
• every entrypoint with data is ACL controlled
• the session redux-persist store is AES encrypted

Todo:

• I am thinking of adding appamor to nginx and the fpm.
• I am currently downloading ZAP to try out some general OWASP penetrations

Did I miss something obvious? Do you guys have a standard tool for testing?

Any thoughts are appreciated :)