1.6 KiB
1.6 KiB
OWASP Residual Risk Backlog
Last updated: March 2, 2026
Use this file to track non-blocking hardening items that remain after automated controls pass.
Open items
| ID | OWASP | Residual risk | Status |
|---|---|---|---|
| RR-001 | A01 | Add explicit authorization integration tests for all future admin-only routes (deny-by-default coverage expansion). | Open |
| RR-002 | A02 | Add runtime CSP and full security-header verification from deployed edge stack (not only config checks). | Open |
| RR-003 | A03 | Add stronger supply-chain provenance controls (digest pinning, SLSA attestations, artifact signing). | Open |
| RR-004 | A04 | Add key rotation runbook validation and automated stale-key detection checks. | Open |
| RR-005 | A05 | Add static taint analysis or Semgrep policy bundle in CI for command/SQL injection sinks. | Open |
| RR-006 | A06 | Add abuse-case tests for account recovery and verification flows under distributed-IP pressure. | Open |
| RR-007 | A07 | Add MFA/WebAuthn roadmap tests once MFA is implemented; currently password+lockout only. | Open |
| RR-008 | A08 | Add signed backup manifests and restore provenance verification for operational artifacts. | Open |
| RR-009 | A09 | Add alerting pipeline assertions (SIEM/webhook delivery) in pre-prod smoke tests. | Open |
| RR-010 | A10 | Add egress firewall enforcement tests to complement application-layer SSRF guards. | Open |
Close criteria
- A concrete control is implemented and validated by an automated test or policy gate.
- Evidence is attached in
evidence-log-template.md. - Owning team marks item as Closed with date and link to implementation PR.