Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: root commit of OWSAP security testing/tightening
All checks were successful
Deploy / deploy (push) Successful in 1m42s
Details
Security Tests / security-non-db (push) Successful in 20s
Details
Security Tests / security-db (push) Successful in 22s
Details

Browse Source
This commit is contained in:
Ricearoni1245
2026-03-01 20:46:47 -06:00
parent 1645896e54
commit 079b8b9492
25 changed files with 1131 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
tests-results-for-OWASP/README.md Normal file
View File

@@ -0,0 +1,40 @@
# OWASP Test Results
Last updated: March 2, 2026
This directory is the source of truth for SkyMoney OWASP validation work.
## Purpose
- Track implemented security tests and hardening changes.
- Define exact pre-deploy and post-deploy verification steps.
- Keep release evidence (commands, outputs, timestamps, pass/fail).
## Files
- `A01-Broken-Access-Control.md`: Findings, fixes, and verification for OWASP A01.
- `A02-Security-Misconfiguration.md`: Findings, fixes, and dedicated verification suite for OWASP A02.
- `A03-Software-Supply-Chain-Failures.md`: Dependency and pipeline supply-chain findings/fixes/verification.
- `A04-Cryptographic-Failures.md`: Crypto/session token hardening findings/fixes/verification.
- `A05-Injection.md`: Injection sink remediation and script input hardening verification.
- `A06-Insecure-Design.md`: Abuse-resistance design hardening (cooldowns + tighter route throttling).
- `A07-Identification-and-Authentication-Failures.md`: Login lockout and strong-password policy hardening.
- `A08-Software-and-Data-Integrity-Failures.md`: Backup/restore checksum integrity controls.
- `A09-Security-Logging-and-Monitoring-Failures.md`: Structured security event auditing for auth/account flows.
- `A10-Server-Side-Request-Forgery.md`: SSRF hardening and outbound-request surface validation.
- `post-deployment-verification-checklist.md`: Production smoke checks after each deploy.
- `evidence-log-template.md`: Copy/paste template for recording each verification run.
- `residual-risk-backlog.md`: Open non-blocking hardening items tracked release-to-release.
## Current status
1. A01 complete: implemented and tested.
2. A02 complete: implemented and tested.
3. A03 complete (initial hardening): implemented and tested.
4. A04 complete: implemented and tested.
5. A05 complete: implemented and tested.
6. A06 complete: implemented and tested.
7. A07 complete: implemented and tested.
8. A08 complete: implemented and tested.
9. A09 complete: implemented and tested.
10. A10 complete: implemented and tested.