# OWASP Residual Risk Backlog

Last updated: March 2, 2026

Use this file to track non-blocking hardening items that remain after automated controls pass.

## Open items

| ID | OWASP | Residual risk | Status |
|---|---|---|---|
| RR-001 | A01 | Add explicit authorization integration tests for all future admin-only routes (deny-by-default coverage expansion). | Open |
| RR-002 | A02 | Add runtime CSP and full security-header verification from deployed edge stack (not only config checks). | Open |
| RR-003 | A03 | Add stronger supply-chain provenance controls (digest pinning, SLSA attestations, artifact signing). | Open |
| RR-004 | A04 | Add key rotation runbook validation and automated stale-key detection checks. | Open |
| RR-005 | A05 | Add static taint analysis or Semgrep policy bundle in CI for command/SQL injection sinks. | Open |
| RR-006 | A06 | Add abuse-case tests for account recovery and verification flows under distributed-IP pressure. | Open |
| RR-007 | A07 | Add MFA/WebAuthn roadmap tests once MFA is implemented; currently password+lockout only. | Open |
| RR-008 | A08 | Add signed backup manifests and restore provenance verification for operational artifacts. | Open |
| RR-009 | A09 | Add alerting pipeline assertions (SIEM/webhook delivery) in pre-prod smoke tests. | Open |
| RR-010 | A10 | Add egress firewall enforcement tests to complement application-layer SSRF guards. | Open |

## Close criteria

1. A concrete control is implemented and validated by an automated test or policy gate.
2. Evidence is attached in `evidence-log-template.md`.
3. Owning team marks item as Closed with date and link to implementation PR.