# Outlook AddIn App Security Audit
### Requirements
1. Outlook AddIn Manifest XML file
2. Application Credentials for login
### Audit Items
1. Ensure the Add-in does not store credentials insecurely.
2. Check if the Add-in uses the least privilege principle, asking only for necessary permissions.
3. Check if data in transit is encrypted using standards like TLS.
4. Ensure sensitive data is not logged.
5. Check for vulnerability against injection attacks like SQL injection, XML injection, etc.
6. Check if the Add-in handles unexpected inputs gracefully without causing security issues.
7. Ensure secure API design and avoid exposing sensitive endpoints.
8. Review JavaScript code for insecure practices or exposed sensitive logic.
9. Check if third-party libraries and packages are up-to-date.
10. Ensure there are no known vulnerabilities in the dependencies.
11. Ensure that the Add-in's manifest file does not contain insecure endpoints or overly broad permissions.
12. Check if the Add-in collects unnecessary user data or if it shares data with third parties.
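Items 2, 3 and 11 can be partly checked statically from the manifest alone. The script below is an added example written for this checklist, not code from the office-addin-manifest package or from any add-in project: it walks every element and attribute of a manifest, flags URLs that are not `https://`, flags development hosts (`localhost`, `127.0.0.1`) left in a shipped manifest, and compares the `<Permissions>` level against the level the functional review established the add-in actually needs. The four permission levels are the real Outlook manifest values; the sample manifest, the finding codes and the `required_permission` parameter are constructed for this example.

```python
"""Static manifest audit for Outlook add-ins (checklist items 2, 3 and 11).

Added example for this checklist; assumptions: finding codes and the
required_permission input are our own conventions, the sample manifest is
constructed and uses the reserved .invalid TLD.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Outlook manifest permission levels, least to most privileged.
PERMISSION_RANK = {"Restricted": 0, "ReadItem": 1, "ReadWriteItem": 2, "ReadWriteMailbox": 3}

# Hosts that indicate a development manifest was shipped by mistake.
DEV_HOSTS = {"localhost", "127.0.0.1"}


def _local_name(tag):
    """Strip the XML namespace ('{uri}Name' -> 'Name') from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text, required_permission="ReadItem"):
    """Return a list of (code, detail) findings for one manifest.

    required_permission is the highest level the add-in genuinely needs, as
    established during the functional review; the manifest cannot tell us
    that, so it is an input to the audit rather than something we infer.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local_name(elem.tag)

        # Every attribute value and text node is a candidate URL: DefaultValue
        # attributes (IconUrl, SourceLocation, bt:Url) and AppDomain text.
        candidates = list(elem.attrib.values())
        if elem.text and elem.text.strip():
            candidates.append(elem.text.strip())
        for value in candidates:
            parsed = urlparse(value)
            if not parsed.scheme or not parsed.netloc:
                continue  # plain text such as a version number or GUID
            if parsed.scheme != "https":
                findings.append(("INSECURE_SCHEME",
                                 f"<{name}> uses {parsed.scheme}://{parsed.netloc}"))
            if (parsed.hostname or "") in DEV_HOSTS:
                findings.append(("DEV_HOST", f"<{name}> points at {parsed.netloc}"))

        # Least privilege: the requested level must not exceed the needed one.
        if name == "Permissions":
            requested = (elem.text or "").strip()
            if requested not in PERMISSION_RANK:
                findings.append(("UNKNOWN_PERMISSION", requested))
            elif PERMISSION_RANK[requested] > PERMISSION_RANK[required_permission]:
                findings.append(("EXCESS_PERMISSION",
                                 f"{requested} requested, {required_permission} needed"))
    return findings


# Constructed sample manifest with three deliberate problems: an http:// icon,
# a localhost AppDomain, and a ReadWriteMailbox permission on a read-only add-in.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <Id>00000000-0000-0000-0000-000000000000</Id>
  <Version>1.0.0.0</Version>
  <ProviderName>Example Corp (constructed)</ProviderName>
  <DefaultLocale>en-US</DefaultLocale>
  <DisplayName DefaultValue="Sample Add-in"/>
  <Description DefaultValue="Constructed sample for the audit script"/>
  <IconUrl DefaultValue="http://addin.example.invalid/icon.png"/>
  <AppDomains>
    <AppDomain>https://addin.example.invalid</AppDomain>
    <AppDomain>http://localhost:3000</AppDomain>
  </AppDomains>
  <Hosts><Host Name="Mailbox"/></Hosts>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://addin.example.invalid/index.html"/>
        <RequestedHeight>250</RequestedHeight>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <Rule xsi:type="ItemIs" ItemType="Message" FormType="Read"/>
</OfficeApp>
"""

if __name__ == "__main__":
    for code, detail in audit_manifest(SAMPLE_MANIFEST, required_permission="ReadItem"):
        print(f"{code:18} {detail}")
```

Run it against a real manifest with `audit_manifest(open("manifest.xml").read(), required_permission=...)`; it complements, rather than replaces, the office-addin-manifest validator, which checks schema conformance but does not judge whether the requested permission level is justified.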
### Tools
* https://www.npmjs.com/package/office-addin-manifest
>Office Add-in Validator: This tool is designed to validate the manifest of an add-in against a set of rules and return a report of any issues. While its primary focus is on the functionality and structure of the manifest, following best practices here can also be seen as a security measure.