Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a430dfadcfca43bbd80c43c2e774c813be5aee1d
SkyMoney/tests-results-for-OWASP/README.md
Ricearoni1245 d9df9b0fe4
Some checks failed
Security Tests / security-non-db (push) Successful in 18s
Details
Security Tests / security-db (push) Successful in 23s
Details
Deploy / deploy (push) Has been cancelled
Details
fix: adding db recovery practices (bye bye db)
2026-03-02 11:16:52 -06:00

42 lines
2.1 KiB
Markdown
Raw Blame History

# OWASP Test Results
Last updated: March 2, 2026
This directory is the source of truth for SkyMoney OWASP validation work.
## Purpose
- Track implemented security tests and hardening changes.
- Define exact pre-deploy and post-deploy verification steps.
- Keep release evidence (commands, outputs, timestamps, pass/fail).
## Files
- `A01-Broken-Access-Control.md`: Findings, fixes, and verification for OWASP A01.
- `A02-Security-Misconfiguration.md`: Findings, fixes, and dedicated verification suite for OWASP A02.
- `A03-Software-Supply-Chain-Failures.md`: Dependency and pipeline supply-chain findings/fixes/verification.
- `A04-Cryptographic-Failures.md`: Crypto/session token hardening findings/fixes/verification.
- `A05-Injection.md`: Injection sink remediation and script input hardening verification.
- `A06-Insecure-Design.md`: Abuse-resistance design hardening (cooldowns + tighter route throttling).
- `A07-Identification-and-Authentication-Failures.md`: Login lockout and strong-password policy hardening.
- `A08-Software-and-Data-Integrity-Failures.md`: Backup/restore checksum integrity controls.
- `A09-Security-Logging-and-Monitoring-Failures.md`: Structured security event auditing for auth/account flows.
- `A10-Server-Side-Request-Forgery.md`: SSRF hardening and outbound-request surface validation.
- `post-deployment-verification-checklist.md`: Production smoke checks after each deploy.
- `evidence-log-template.md`: Copy/paste template for recording each verification run.
- `residual-risk-backlog.md`: Open non-blocking hardening items tracked release-to-release.
- `../docs/production-db-recovery-runbook.md`: Incident response + recovery + admin bootstrap runbook.
## Current status
1. A01 complete: implemented and tested.
2. A02 complete: implemented and tested.
3. A03 complete (initial hardening): implemented and tested.
4. A04 complete: implemented and tested.
5. A05 complete: implemented and tested.
6. A06 complete: implemented and tested.
7. A07 complete: implemented and tested.
8. A08 complete: implemented and tested.
9. A09 complete: implemented and tested.
10. A10 complete: implemented and tested.
Reference in New Issue View Git Blame Copy Permalink