Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
079b8b94929c4b01b1d9874e6bf9ed8a3957fea4
SkyMoney/tests-results-for-OWASP/A09-Security-Logging-and-Monitoring-Failures.md
Ricearoni1245 079b8b9492
All checks were successful
Deploy / deploy (push) Successful in 1m42s
Details
Security Tests / security-non-db (push) Successful in 20s
Details
Security Tests / security-db (push) Successful in 22s
Details
chore: root commit of OWSAP security testing/tightening
2026-03-01 20:46:47 -06:00

2.1 KiB
Raw Blame History

A09: Security Logging and Monitoring Failures

Last updated: March 1, 2026

Findings addressed

  1. Security-sensitive auth/account outcomes were not consistently logged as structured audit events.
  2. Incident triage required better request correlation for failed auth/CSRF and account-deletion attempts.

Fixes implemented

  1. Added centralized structured security logging helper in API:
  • logSecurityEvent(req, event, outcome, details)
  • Includes request correlation fields (requestId, ip, userAgent).
  1. Added audit logging for critical security events:
  • auth.unauthenticated_request (JWT auth failure)
  • csrf.validation (CSRF check failure)
  • auth.register success/blocked
  • auth.login success/failure/blocked (including lockout cases)
  • auth.logout success
  • auth.verify success/failure
  • auth.verify_resend success/failure/blocked
  • account.delete_request success/failure/blocked
  • account.confirm_delete success/failure/blocked
  1. Reduced sensitive data exposure in logs:
  • Added email fingerprinting (sha256 prefix) for event context instead of plain-text credentials.

Files changed

  1. api/src/server.ts
  2. api/tests/security-logging-monitoring-failures.test.ts
  3. api/vitest.security.config.ts

Verification

Command:

cd api
npx vitest run -c vitest.security.config.ts tests/security-logging-monitoring-failures.test.ts

Verified output:

  • Test Files: 1 passed (1)
  • Tests: 2 passed (2)

Dedicated A09 checks in security-logging-monitoring-failures.test.ts:

  1. Runtime check emits structured auth.unauthenticated_request security event for protected-route access failures.
  2. Runtime check emits structured csrf.validation security event for CSRF failures.
  3. Validates correlation fields (requestId, ip, outcome) are present in emitted security events.

Residual notes

  1. Event logs are currently emitted through app logs; ensure production log shipping/alerting (e.g., SIEM rules on repeated auth.login failure/blocked events).
  2. Next step for A09 maturity is alert thresholds and automated incident notifications.
Reference in New Issue View Git Blame Copy Permalink