chore: root commit of OWSAP security testing/tightening

tests-results-for-OWASP/A08-Software-and-Data-Integrity-Failures.md

@@ -0,0 +1,49 @@
+# A08: Software and Data Integrity Failures
+
+Last updated: March 1, 2026
+
+## Findings addressed
+
+1. Backup/restore workflow did not verify backup artifact integrity before restoring.
+2. Restores could proceed with tampered/corrupted dump files, risking silent data corruption.
+
+## Fixes implemented
+
+1. Added checksum artifact generation during backups:
+- `scripts/backup.sh` now generates a SHA-256 checksum file next to each dump (`.sha256`).
+
+2. Added checksum verification before restore:
+- `scripts/restore.sh` now requires `${BACKUP_FILE}.sha256`.
+- Validates checksum format (64 hex chars).
+- Computes runtime SHA-256 of backup file and blocks restore on mismatch.
+
+## Files changed
+
+1. `scripts/backup.sh`
+2. `scripts/restore.sh`
+3. `api/tests/software-data-integrity-failures.test.ts`
+4. `api/vitest.security.config.ts`
+
+## Verification
+
+Command:
+
+```bash
+cd api
+npx vitest run -c vitest.security.config.ts tests/software-data-integrity-failures.test.ts
+```
+
+Verified output:
+
+- Test Files: `1 passed (1)`
+- Tests: `2 passed (2)`
+
+Dedicated A08 checks in `software-data-integrity-failures.test.ts`:
+
+1. Executes `scripts/backup.sh` with stubbed `pg_dump` and verifies dump + `.sha256` artifact generation.
+2. Executes `scripts/restore.sh` with tampered checksum and verifies restore is blocked before DB commands are invoked.
+
+## Residual notes
+
+1. This secures backup artifact integrity in operational scripts.
+2. For CI/CD artifact integrity hardening, next step is attestation/signature verification for deployed build artifacts.