Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
15e0c0a88a3e9733a1fd7d3b00ee1ce1c4cf62a0
SkyMoney/tests-results-for-OWASP/A09-Security-Logging-and-Monitoring-Failures.md
Ricearoni1245 15e0c0a88a
Some checks failed
Deploy / deploy (push) Successful in 1m28s
Details
Security Tests / security-non-db (push) Failing after 18s
Details
Security Tests / security-db (push) Failing after 22s
Details
feat: implement forgot password, added security updates
2026-03-01 21:47:15 -06:00

2.4 KiB
Raw Blame History

A09: Security Logging and Monitoring Failures

Last updated: March 1, 2026

Findings addressed

  1. Security-sensitive auth/account outcomes were not consistently logged as structured audit events.
  2. Incident triage required better request correlation for failed auth/CSRF and account-deletion attempts.

Fixes implemented

  1. Added centralized structured security logging helper in API:
  • logSecurityEvent(req, event, outcome, details)
  • Includes request correlation fields (requestId, ip, userAgent).
  1. Added audit logging for critical security events:
  • auth.unauthenticated_request (JWT auth failure)
  • csrf.validation (CSRF check failure)
  • auth.register success/blocked
  • auth.login success/failure/blocked (including lockout cases)
  • auth.logout success
  • auth.verify success/failure
  • auth.verify_resend success/failure/blocked
  • auth.password_reset.request success/blocked
  • auth.password_reset.email success/failure
  • auth.password_reset.confirm success/failure
  • account.delete_request success/failure/blocked
  • account.confirm_delete success/failure/blocked
  1. Reduced sensitive data exposure in logs:
  • Added email fingerprinting (sha256 prefix) for event context instead of plain-text credentials.

Files changed

  1. api/src/server.ts
  2. api/tests/security-logging-monitoring-failures.test.ts
  3. api/vitest.security.config.ts
  4. api/tests/forgot-password.security.test.ts
  5. SECURITY_FORGOT_PASSWORD.md

Verification

Command:

cd api
npx vitest run -c vitest.security.config.ts tests/security-logging-monitoring-failures.test.ts

Verified output:

  • Test Files: 1 passed (1)
  • Tests: 2 passed (2)

Dedicated A09 checks in security-logging-monitoring-failures.test.ts:

  1. Runtime check emits structured auth.unauthenticated_request security event for protected-route access failures.
  2. Runtime check emits structured csrf.validation security event for CSRF failures.
  3. Validates correlation fields (requestId, ip, outcome) are present in emitted security events.
  4. Runtime check emits auth.password_reset.request events and confirms raw token fields are absent.

Residual notes

  1. Event logs are currently emitted through app logs; ensure production log shipping/alerting (e.g., SIEM rules on repeated auth.login failure/blocked events).
  2. Next step for A09 maturity is alert thresholds and automated incident notifications.
Reference in New Issue View Git Blame Copy Permalink