SkyMoney/tests-results-for-OWASP/evidence-log-template.md
Ricearoni1245 d9df9b0fe4
Some checks failed
Security Tests / security-non-db (push) Successful in 18s
Security Tests / security-db (push) Successful in 23s
Deploy / deploy (push) Has been cancelled
fix: adding db recovery practices (bye bye db)
2026-03-02 11:16:52 -06:00


# OWASP Verification Evidence Log Template
## Run metadata
- Date:
- Environment: `local` | `staging` | `production`
- App/API version (git SHA):
- Operator:
- Incident/reference ticket (if recovery event):
## Environment flags
- `NODE_ENV`:
- `AUTH_DISABLED`:
- `ALLOW_INSECURE_AUTH_FOR_DEV`:
- `COMPOSE_PROJECT_NAME`:
- `EXPECTED_PROD_DB_HOST`:
- `EXPECTED_PROD_DB_NAME`:
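The flags above are only useful as evidence if someone actually checks them before the run. The following is an added example (not part of the SkyMoney repository) of a fail-closed preflight that evaluates the same flags. It takes the values as arguments so it can be exercised without touching the real environment; the names `DB_HOST` and `DB_NAME` for the database the app is actually pointed at are assumptions, since the template does not say where the live connection settings come from.

```shell
#!/usr/bin/env sh
# Added example, not part of the SkyMoney repository.
# Fail-closed preflight over the "Environment flags" section.
# Assumption: the live DB target the app uses is passed in as the last two
# arguments (the page names only EXPECTED_PROD_DB_HOST/NAME, not the actual ones).

# preflight_env <NODE_ENV> <AUTH_DISABLED> <ALLOW_INSECURE_AUTH_FOR_DEV> \
#               <EXPECTED_PROD_DB_HOST> <EXPECTED_PROD_DB_NAME> <DB_HOST> <DB_NAME>
# Returns 0 when the combination is acceptable, 1 otherwise, printing one
# reason per violated rule so the evidence log can quote it verbatim.
preflight_env() {
  node_env="$1"; auth_disabled="$2"; insecure_dev="$3"
  exp_host="$4"; exp_name="$5"; db_host="$6"; db_name="$7"
  rc=0
  case "$node_env" in
    production)
      # Auth bypass flags must never be on in production.
      if [ "$auth_disabled" = "1" ] || [ "$auth_disabled" = "true" ]; then
        echo "FAIL: AUTH_DISABLED set in production"; rc=1
      fi
      if [ "$insecure_dev" = "1" ] || [ "$insecure_dev" = "true" ]; then
        echo "FAIL: ALLOW_INSECURE_AUTH_FOR_DEV set in production"; rc=1
      fi
      # Production must point at the expected database and nothing else.
      if [ -z "$exp_host" ] || [ "$db_host" != "$exp_host" ]; then
        echo "FAIL: DB host '$db_host' != EXPECTED_PROD_DB_HOST '$exp_host'"; rc=1
      fi
      if [ -z "$exp_name" ] || [ "$db_name" != "$exp_name" ]; then
        echo "FAIL: DB name '$db_name' != EXPECTED_PROD_DB_NAME '$exp_name'"; rc=1
      fi
      ;;
    local|staging)
      # A non-production run must never be aimed at the production database.
      if [ -n "$exp_host" ] && [ "$db_host" = "$exp_host" ] && [ "$db_name" = "$exp_name" ]; then
        echo "FAIL: $node_env run points at the production database"; rc=1
      fi
      ;;
    *)
      echo "FAIL: unknown NODE_ENV '$node_env'"; rc=1 ;;
  esac
  if [ "$rc" -eq 0 ]; then
    echo "OK: environment flags acceptable for NODE_ENV=$node_env"
  fi
  return "$rc"
}

# Constructed sample invocations (host and DB names are made up).
preflight_env production 0 0 db.internal skymoney db.internal skymoney
preflight_env production 1 0 db.internal skymoney db.internal skymoney || true
preflight_env staging 0 0 db.internal skymoney db.internal skymoney || true
```

Run it before the "Commands executed" section is filled in and paste its output as the first output summary; a `FAIL` line is a blocker, not a note.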
## Commands executed
1.
```bash
# command
```
Output summary:
2.
```bash
# command
```
Output summary:
3.
```bash
# command
```
Output summary:
4.
```bash
# command
```
Output summary:
## Recoverability Evidence
- Current Postgres container:
- Mounted volume(s):
- Candidate old volume(s) inspected:
- Recoverable artifact found: `yes` | `no`
- Artifact location:
- Recovery decision:
## Backup/Restore Drill Evidence
- Latest backup file:
- Latest checksum file:
- Checksum verified: `yes` | `no`
- Restore test DB name:
- Restore succeeded: `yes` | `no`
- Row count checks performed:
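The checksum line above is the one piece of this section that can be produced mechanically, and it should be produced before any restore is attempted. The following is an added example (not the project's own tooling) that verifies a backup against its checksum file and prints the evidence lines in the template's own format. It assumes the checksum file is in `sha256sum` format (`<hex>  <filename>`); the sample dump and its digest are constructed in a temporary directory so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example, not part of the SkyMoney repository.
# Assumption: checksum files are written as `sha256sum backup.dump > backup.dump.sha256`.

# Portable SHA-256 digest of a file (coreutils sha256sum or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_backup_checksum <backup_file> <checksum_file>
# Prints "yes" and returns 0 when the recorded digest matches the file;
# prints "no" and returns 1 when it does not or when either file is missing.
verify_backup_checksum() {
  backup="$1"; sumfile="$2"
  if [ ! -f "$backup" ] || [ ! -f "$sumfile" ]; then
    echo no; return 1
  fi
  expected=$(awk 'NR==1 {print $1}' "$sumfile")
  actual=$(sha256_of "$backup")
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo yes; return 0
  fi
  echo no; return 1
}

# drill_evidence <backup_file> <checksum_file>
# Emits the three checksum-related lines of "Backup/Restore Drill Evidence".
drill_evidence() {
  backup="$1"; sumfile="$2"
  if verify_backup_checksum "$backup" "$sumfile" >/dev/null; then
    verified=yes
  else
    verified=no
  fi
  printf -- '- Latest backup file: %s\n' "$backup"
  printf -- '- Latest checksum file: %s\n' "$sumfile"
  printf -- '- Checksum verified: `%s`\n' "$verified"
}

# Constructed sample: a fake dump and a matching checksum file in a temp dir.
make_sample_backup() {
  dir=$(mktemp -d)
  printf 'fake pg_dump payload\n' > "$dir/skymoney.dump"
  printf '%s  skymoney.dump\n' "$(sha256_of "$dir/skymoney.dump")" > "$dir/skymoney.dump.sha256"
  echo "$dir"
}

sample_dir=$(make_sample_backup)
drill_evidence "$sample_dir/skymoney.dump" "$sample_dir/skymoney.dump.sha256"
```

Only a `yes` here justifies moving on to the restore-test database; a `no` means the artifact cannot be trusted and the "Recovery decision" field should say so.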
## Results
- A01 protected route unauthenticated check: `pass` | `fail`
- A01 spoofed header check: `pass` | `fail`
- A01 admin rollover exposure check: `pass` | `fail`
- A01 automated suite (`auth` + `account-delete` + `admin-rollover`): `pass` | `fail`
- A02 dedicated suite (`security-misconfiguration`): `pass` | `fail`
- A03 dedicated suite (`software-supply-chain-failures`): `pass` | `fail`
- A04 dedicated suites (`cryptographic-failures*`): `pass` | `fail`
- A05 dedicated suite (`injection-safety`): `pass` | `fail`
- A06 dedicated suite (`insecure-design`): `pass` | `fail`
- A07 dedicated suites (`auth.routes` + `identification-auth-failures`): `pass` | `fail`
- A08 dedicated suite (`software-data-integrity-failures`): `pass` | `fail`
- A09 dedicated suite (`security-logging-monitoring-failures`): `pass` | `fail`
- A10 dedicated suite (`server-side-request-forgery`): `pass` | `fail`
- Non-DB security suite (`SECURITY_DB_TESTS=0`): `pass` | `fail`
- DB security suite (`SECURITY_DB_TESTS=1`): `pass` | `fail`
## Findings
- New issues observed:
- Regressions observed:
- Follow-up tickets:
- Data recovery status:
- Admin user bootstrap status:
## Residual Risk Review
- Reviewed `residual-risk-backlog.md`: `yes` | `no`
- Items accepted for this release:
- Items escalated/blocked:
## Sign-off
- Security reviewer:
- Engineering owner:
- Decision: `approved` | `blocked`