Does the application use only well-established encryption algorithms, avoiding weak ciphers and avoiding mere encoding (Base64, XOR obfuscation, and the like), which provides no confidentiality at all?
Does the application use 3DES rather than DES? DES's 56-bit key can be brute-forced; 3DES is a drop-in replacement, but it is itself deprecated, so prefer AES wherever the platform offers it.
If the application must use RC2, does it use 128-bit keys whenever possible? (RC2 is a legacy cipher; prefer AES for new code.)
Does the application generate the key and the IV independently with a strong random-number generator, rather than deriving the key from the IV or the IV from the key?
Does the application avoid hard-coded IVs, and does it use a fresh IV for every message encrypted under the same key?
Does the application use hashing algorithms where appropriate to ensure data integrity? (An unkeyed hash only detects accidental corruption; if an attacker can replace the data, they can replace the hash too, so use a keyed hash or signature for tamper detection.)
Does the application store salted, slow password hashes (PBKDF2, bcrypt, scrypt or Argon2) rather than the passwords themselves in the database? A plain SHA-1 or SHA-256 of the password is not enough, because it can be brute-forced offline at hardware speed.
Does the application store hashes in a secure location?
Does the application use keyed hashing algorithms (HMAC) wherever an attacker might be able to modify both the data and its hash?
Does the application add a unique, random, per-record salt to every password hash, so that equal passwords produce different hashes and precomputed tables are useless?
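The following is an added example, not code from the checklist, showing the password-hashing items above in C#: a per-user random salt from the OS CSPRNG, PBKDF2-HMAC-SHA256 with a high iteration count, a self-describing stored record, and constant-time verification. The record format `pbkdf2-sha256$iterations$salt$hash` is an assumption of this example, not a standard.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the checklist): salted password hashing with PBKDF2-HMAC-SHA256.
// Only the salt, the iteration count and the derived hash are stored; the password never is.
static class PasswordStore
{
    const int SaltLen = 16;
    const int HashLen = 32;
    const int Iterations = 600_000;   // tune so one hash costs ~100 ms on the target hardware

    // Record format (this example's own convention): "pbkdf2-sha256$iterations$salt$hash"
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltLen];
        RandomNumberGenerator.Fill(salt);   // per-user random salt from the CSPRNG, never System.Random
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] hash = kdf.GetBytes(HashLen);
            string record = $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
            CryptographicOperations.ZeroMemory(hash);
            return record;
        }
    }

    public static bool Verify(string password, string record)
    {
        string[] parts = record.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] stored = Convert.FromBase64String(parts[3]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] computed = kdf.GetBytes(stored.Length);
            // Constant-time comparison: a plain == would leak how many leading bytes matched.
            bool ok = CryptographicOperations.FixedTimeEquals(computed, stored);
            CryptographicOperations.ZeroMemory(computed);
            return ok;
        }
    }

    public static void Main()
    {
        // Constructed sample credentials for the demo.
        string rec1 = Hash("correct horse battery staple");
        string rec2 = Hash("correct horse battery staple");
        Console.WriteLine(rec1 != rec2);                                   // True: different salts
        Console.WriteLine(Verify("correct horse battery staple", rec1));   // True
        Console.WriteLine(Verify("Correct horse battery staple", rec1));   // False
    }
}
```

Storing the iteration count in the record lets you raise it later for new hashes while old records still verify; re-hash on the next successful login to migrate them. PBKDF2 is used here because it ships with the base class library; bcrypt, scrypt or Argon2 (third-party packages) resist GPU cracking better and are the stronger choice when you can take the dependency.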
Does the application generate all keys, IVs, salts, nonces and tokens with a cryptographically secure generator (RNGCryptoServiceProvider on .NET Framework; RandomNumberGenerator on .NET Core and later, where RNGCryptoServiceProvider is obsolete), never with System.Random, whose output is predictable from a few observed values?
Does the system need more entropy than the platform generator (CryptoAPI on Windows) already provides, for example for high-volume key generation on a freshly provisioned machine? In almost all cases the answer is no, and seeding from application-supplied values weakens rather than strengthens the generator.
Does the application clear out all variables used in cryptographic operations, including plaintext, ciphertext, keys, salts, IVs and random numbers, as soon as they are no longer needed?
Does the application explicitly call Clear() on cryptographic objects that provide it (SymmetricAlgorithm, HashAlgorithm, KeyedHashAlgorithm)? Clear() wipes the object's key and IV copies; it is equivalent to Dispose() on these types.
Does the application explicitly call Dispose() (or wrap the object in a using block) for all cryptographic objects, so that unmanaged handles and key material are released deterministically rather than at some later garbage collection?
Does the application explicitly zero out buffers that do not provide a Clear() method, such as byte arrays (Array.Clear, or CryptographicOperations.ZeroMemory on newer .NET)? Keep secrets in byte arrays rather than strings: a .NET string is immutable, cannot be zeroed, and may be copied by the runtime, so a password or key held in a string lingers in memory for an unpredictable time.
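The following is an added example, not code from the checklist, tying together the encryption, keyed-hash, random-number and clean-up items above in C#: AES-256-CBC with a key and IV generated independently from the OS CSPRNG, a fresh IV per message carried in front of the ciphertext, HMAC-SHA256 over IV||ciphertext verified in constant time before decryption (encrypt-then-MAC), cryptographic objects disposed via using, and plaintext and key buffers zeroed when done. The `EnvelopeCrypto` class and its `[IV][ciphertext][tag]` layout are this example's own conventions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the checklist). Layout of Encrypt's output: [IV (16)][ciphertext][tag (32)].
// The IV is not secret but must be unique per message; the MAC key is separate from the encryption key.
static class EnvelopeCrypto
{
    const int IvLen = 16;    // AES block size in bytes
    const int TagLen = 32;   // HMAC-SHA256 output size

    public static byte[] Encrypt(byte[] encKey, byte[] macKey, string plaintext)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        try
        {
            using (Aes aes = Aes.Create())
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                aes.Key = encKey;          // 32 bytes => AES-256
                aes.GenerateIV();          // CSPRNG-backed; never derived from the key, never hard-coded

                byte[] cipher;
                using (ICryptoTransform enc = aes.CreateEncryptor())
                    cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

                byte[] output = new byte[IvLen + cipher.Length + TagLen];
                Buffer.BlockCopy(aes.IV, 0, output, 0, IvLen);
                Buffer.BlockCopy(cipher, 0, output, IvLen, cipher.Length);
                byte[] tag = hmac.ComputeHash(output, 0, IvLen + cipher.Length);   // keyed hash for integrity
                Buffer.BlockCopy(tag, 0, output, IvLen + cipher.Length, TagLen);
                return output;
            }   // Dispose() here clears the Aes and HMAC key copies (same effect as Clear()).
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plain);   // byte[] has no Clear(); zero it explicitly
        }
    }

    public static string Decrypt(byte[] encKey, byte[] macKey, byte[] payload)
    {
        if (payload.Length < IvLen + TagLen) throw new CryptographicException("payload too short");
        int cipherLen = payload.Length - IvLen - TagLen;

        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(payload, 0, IvLen + cipherLen);
            byte[] actual = new byte[TagLen];
            Buffer.BlockCopy(payload, IvLen + cipherLen, actual, 0, TagLen);
            // Verify the tag in constant time before the ciphertext touches the decryptor.
            if (!CryptographicOperations.FixedTimeEquals(expected, actual))
                throw new CryptographicException("MAC mismatch: data tampered or wrong key");
        }

        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey;
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(payload, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(payload, IvLen, cipherLen);
                try { return Encoding.UTF8.GetString(plain); }
                finally { CryptographicOperations.ZeroMemory(plain); }
            }
        }
    }

    public static void Main()
    {
        byte[] encKey = new byte[32];
        byte[] macKey = new byte[32];
        RandomNumberGenerator.Fill(encKey);   // CSPRNG (replaces RNGCryptoServiceProvider on modern .NET)
        RandomNumberGenerator.Fill(macKey);
        try
        {
            byte[] c1 = Encrypt(encKey, macKey, "attack at dawn");   // constructed sample message
            byte[] c2 = Encrypt(encKey, macKey, "attack at dawn");
            Console.WriteLine(!c1.AsSpan().SequenceEqual(c2));       // True: fresh IV => different ciphertext
            Console.WriteLine(Decrypt(encKey, macKey, c1));           // attack at dawn

            c1[c1.Length - 1] ^= 0x01;                                // flip one tag bit
            try { Decrypt(encKey, macKey, c1); }
            catch (CryptographicException e) { Console.WriteLine(e.Message); }   // MAC mismatch
        }
        finally
        {
            CryptographicOperations.ZeroMemory(encKey);
            CryptographicOperations.ZeroMemory(macKey);
        }
    }
}
```

CBC on its own is malleable and, combined with PKCS7 padding, exposes a padding-oracle if the application decrypts before authenticating, which is why the tag is checked first. On .NET Core 3.0 and later an authenticated mode such as AesGcm does both jobs in one primitive and is the simpler choice.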
Does the application avoid hard-coded secrets (passwords, connection strings, keys) in source code, compiled assemblies and configuration files? Anything in an assembly can be recovered with a disassembler.
Does the application protect stored secrets with DPAPI (ProtectedData) and keep the resulting blobs in a location with restrictive ACLs, such as a registry key, a file or a database column that only the application's identity can read? The storage location provides access control; DPAPI provides the encryption, so use both.
Does the application use obscurity sparingly, only as an extra layer on top of real protection and never as the protection itself?
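The following is an added example, not code from the checklist, of the secret-storage items above: a connection string protected with DPAPI through ProtectedData so that only the same Windows user account (DataProtectionScope.CurrentUser) can recover it, with the plaintext zeroed after use. The `SecretStore` class, the sample connection string and the `AppEntropy` value are constructed for the example; on .NET Core and .NET 5+ ProtectedData comes from the System.Security.Cryptography.ProtectedData package and works only on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the checklist): DPAPI-protected secret storage.
static class SecretStore
{
    // Optional entropy is a secondary, application-specific value mixed into the DPAPI key.
    // Because it lives in the binary it is obscurity, not a secret: it stops other code running
    // as the same user from casually calling Unprotect, but the real protection is the
    // per-user DPAPI master key, which never leaves the OS.
    static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("example-app-v1");

    // Returns an opaque blob that is safe to write to a file, registry key or database column.
    public static string Protect(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, AppEntropy, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(blob);
        }
        finally { CryptographicOperations.ZeroMemory(plain); }
    }

    public static string Unprotect(string base64Blob)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { CryptographicOperations.ZeroMemory(plain); }
    }

    public static void Main()
    {
        // Constructed sample secret; in practice it is entered once at install time, not hard-coded.
        string connStr = "Server=db01;Database=orders;User Id=app;Password=not-a-real-password";
        string stored = Protect(connStr);
        Console.WriteLine(stored.Substring(0, 24) + "...");   // opaque blob, no plaintext visible
        Console.WriteLine(Unprotect(stored) == connStr);       // True when run as the same user
    }
}
```

Protect the secret with the account the application will actually run under (an ASP.NET application pool identity, for instance); a blob created under an administrator's account cannot be unprotected by the service account. Use DataProtectionScope.LocalMachine only when several accounts on one machine genuinely need the same secret, since any process on that machine can then call Unprotect.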
Does the application always use TLS (what the checklist era called SSL; SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are now deprecated and should be disabled) to protect sensitive HTTP traffic, including the login form itself, not just the page it posts to?
Does the application serve every element of a protected page over TLS, including images, style sheets and client-side scripts? A script loaded over plain HTTP into an HTTPS page can be replaced on the wire and then reads everything on that page, and modern browsers block such mixed content outright, so the page breaks rather than degrading.