OWASP Test Results
Last updated: March 2, 2026
This directory is the source of truth for SkyMoney OWASP validation work.
Purpose
- Track implemented security tests and hardening changes.
- Define exact pre-deploy and post-deploy verification steps.
- Keep release evidence (commands, outputs, timestamps, pass/fail).
Files
A01-Broken-Access-Control.md: Findings, fixes, and verification for OWASP A01.A02-Security-Misconfiguration.md: Findings, fixes, and dedicated verification suite for OWASP A02.A03-Software-Supply-Chain-Failures.md: Dependency and pipeline supply-chain findings/fixes/verification.A04-Cryptographic-Failures.md: Crypto/session token hardening findings/fixes/verification.A05-Injection.md: Injection sink remediation and script input hardening verification.A06-Insecure-Design.md: Abuse-resistance design hardening (cooldowns + tighter route throttling).A07-Identification-and-Authentication-Failures.md: Login lockout and strong-password policy hardening.A08-Software-and-Data-Integrity-Failures.md: Backup/restore checksum integrity controls.A09-Security-Logging-and-Monitoring-Failures.md: Structured security event auditing for auth/account flows.A10-Server-Side-Request-Forgery.md: SSRF hardening and outbound-request surface validation.post-deployment-verification-checklist.md: Production smoke checks after each deploy.evidence-log-template.md: Copy/paste template for recording each verification run.residual-risk-backlog.md: Open non-blocking hardening items tracked release-to-release.../docs/production-db-recovery-runbook.md: Incident response + recovery + admin bootstrap runbook.
Current status
- A01 complete: implemented and tested.
- A02 complete: implemented and tested.
- A03 complete (initial hardening): implemented and tested.
- A04 complete: implemented and tested.
- A05 complete: implemented and tested.
- A06 complete: implemented and tested.
- A07 complete: implemented and tested.
- A08 complete: implemented and tested.
- A09 complete: implemented and tested.
- A10 complete: implemented and tested.