Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f2b80a1ca0080e4dacbf9f93e396a38f94597268
SkyMoney/tests-results-for-OWASP/A09-Security-Logging-and-Monitoring-Failures.md
Ricearoni1245 15e0c0a88a
Some checks failed
Deploy / deploy (push) Successful in 1m28s
Details
Security Tests / security-non-db (push) Failing after 18s
Details
Security Tests / security-db (push) Failing after 22s
Details
feat: implement forgot password, added security updates
2026-03-01 21:47:15 -06:00

66 lines
2.4 KiB
Markdown
Raw Blame History

# A09: Security Logging and Monitoring Failures
Last updated: March 1, 2026
## Findings addressed
1. Security-sensitive auth/account outcomes were not consistently logged as structured audit events.
2. Incident triage required better request correlation for failed auth/CSRF and account-deletion attempts.
## Fixes implemented
1. Added centralized structured security logging helper in API:
- `logSecurityEvent(req, event, outcome, details)`
- Includes request correlation fields (`requestId`, `ip`, `userAgent`).
2. Added audit logging for critical security events:
- `auth.unauthenticated_request` (JWT auth failure)
- `csrf.validation` (CSRF check failure)
- `auth.register` success/blocked
- `auth.login` success/failure/blocked (including lockout cases)
- `auth.logout` success
- `auth.verify` success/failure
- `auth.verify_resend` success/failure/blocked
- `auth.password_reset.request` success/blocked
- `auth.password_reset.email` success/failure
- `auth.password_reset.confirm` success/failure
- `account.delete_request` success/failure/blocked
- `account.confirm_delete` success/failure/blocked
3. Reduced sensitive data exposure in logs:
- Added email fingerprinting (`sha256` prefix) for event context instead of plain-text credentials.
## Files changed
1. `api/src/server.ts`
2. `api/tests/security-logging-monitoring-failures.test.ts`
3. `api/vitest.security.config.ts`
4. `api/tests/forgot-password.security.test.ts`
5. `SECURITY_FORGOT_PASSWORD.md`
## Verification
Command:
```bash
cd api
npx vitest run -c vitest.security.config.ts tests/security-logging-monitoring-failures.test.ts
```
Verified output:
- Test Files: `1 passed (1)`
- Tests: `2 passed (2)`
Dedicated A09 checks in `security-logging-monitoring-failures.test.ts`:
1. Runtime check emits structured `auth.unauthenticated_request` security event for protected-route access failures.
2. Runtime check emits structured `csrf.validation` security event for CSRF failures.
3. Validates correlation fields (`requestId`, `ip`, `outcome`) are present in emitted security events.
4. Runtime check emits `auth.password_reset.request` events and confirms raw token fields are absent.
## Residual notes
1. Event logs are currently emitted through app logs; ensure production log shipping/alerting (e.g., SIEM rules on repeated `auth.login` failure/blocked events).
2. Next step for A09 maturity is alert thresholds and automated incident notifications.
Reference in New Issue View Git Blame Copy Permalink