# Security Audit Plan - mockupAWS v1.0.0 > **Version:** 1.0.0 > **Author:** @spec-architect > **Date:** 2026-04-07 > **Status:** DRAFT - Ready for Security Team Review > **Classification:** Internal - Confidential --- ## Executive Summary This document outlines the comprehensive security audit plan for mockupAWS v1.0.0 production release. The audit covers OWASP Top 10 review, penetration testing, compliance verification, and vulnerability remediation. ### Audit Scope | Component | Coverage | Priority | |-----------|----------|----------| | Backend API (FastAPI) | Full | P0 | | Frontend (React) | Full | P0 | | Database (PostgreSQL) | Full | P0 | | Infrastructure (Docker/AWS) | Full | P1 | | Third-party Dependencies | Full | P0 | ### Timeline | Phase | Duration | Start Date | End Date | |-------|----------|------------|----------| | Preparation | 3 days | Week 1 Day 1 | Week 1 Day 3 | | Automated Scanning | 5 days | Week 1 Day 4 | Week 2 Day 1 | | Manual Penetration Testing | 10 days | Week 2 Day 2 | Week 3 Day 4 | | Remediation | 7 days | Week 3 Day 5 | Week 4 Day 4 | | Verification | 3 days | Week 4 Day 5 | Week 4 Day 7 | --- ## 1. Security Checklist ### 1.1 OWASP Top 10 Review #### A01:2021 - Broken Access Control | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify JWT token validation on all protected endpoints | ⬜ | Code Review | Security Team | | Check for direct object reference vulnerabilities | ⬜ | Pen Test | Security Team | | Verify CORS configuration is restrictive | ⬜ | Config Review | DevOps | | Test role-based access control (RBAC) enforcement | ⬜ | Pen Test | Security Team | | Verify API key scope enforcement | ⬜ | Unit Test | Backend Dev | | Check for privilege escalation paths | ⬜ | Pen Test | Security Team | | Verify rate limiting per user/API key | ⬜ | Automated Test | QA | **Testing Methodology:** ```bash # JWT Token Manipulation Tests curl -H "Authorization: Bearer INVALID_TOKEN" https://api.mockupaws.com/scenarios curl -H "Authorization: Bearer EXPIRED_TOKEN" https://api.mockupaws.com/scenarios # IDOR Tests curl https://api.mockupaws.com/scenarios/OTHER_USER_SCENARIO_ID # Privilege Escalation curl -X POST https://api.mockupaws.com/admin/users -H "Authorization: Bearer REGULAR_USER_TOKEN" ``` #### A02:2021 - Cryptographic Failures | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify TLS 1.3 minimum for all communications | ⬜ | SSL Labs Scan | DevOps | | Check password hashing (bcrypt cost >= 12) | ✅ | Code Review | Done | | Verify JWT algorithm is HS256 or RS256 (not none) | ✅ | Code Review | Done | | Check API key storage (hashed, not encrypted) | ✅ | Code Review | Done | | Verify secrets are not in source code | ⬜ | GitLeaks Scan | Security Team | | Check for weak cipher suites | ⬜ | SSL Labs Scan | DevOps | | Verify database encryption at rest | ⬜ | AWS Config Review | DevOps | **Current Findings:** - ✅ Password hashing: bcrypt with cost=12 (good) - ✅ JWT Algorithm: HS256 (acceptable, consider RS256 for microservices) - ✅ API Keys: SHA-256 hash stored (good) - ⚠️ JWT Secret: Currently uses default in dev (MUST change in production) #### A03:2021 - Injection | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | SQL Injection - Verify parameterized queries | ✅ | Code Review | Done | | SQL Injection - Test with sqlmap | ⬜ | Automated Tool | Security Team | | NoSQL Injection - Check MongoDB queries | N/A | N/A | N/A | | Command Injection - Check os.system calls | ⬜ | Code Review | Security Team | | LDAP Injection - Not applicable | N/A | N/A | N/A | | XPath Injection - Not applicable | N/A | N/A | N/A | | OS Injection - Verify input sanitization | ⬜ | Code Review | Security Team | **SQL Injection Test Cases:** ```python # Test payloads for sqlmap payloads = [ "' OR '1'='1", "'; DROP TABLE scenarios; --", "' UNION SELECT * FROM users --", "1' AND 1=1 --", "1' AND 1=2 --", ] ``` #### A04:2021 - Insecure Design | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify secure design patterns are documented | ⬜ | Documentation Review | Architect | | Check for business logic flaws | ⬜ | Pen Test | Security Team | | Verify rate limiting on all endpoints | ⬜ | Code Review | Backend Dev | | Check for race conditions | ⬜ | Code Review | Security Team | | Verify proper error handling (no info leakage) | ⬜ | Code Review | Backend Dev | #### A05:2021 - Security Misconfiguration | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify security headers (HSTS, CSP, etc.) | ⬜ | HTTP Headers Scan | DevOps | | Check for default credentials | ⬜ | Automated Scan | Security Team | | Verify debug mode disabled in production | ⬜ | Config Review | DevOps | | Check for exposed .env files | ⬜ | Web Scan | Security Team | | Verify directory listing disabled | ⬜ | Web Scan | Security Team | | Check for unnecessary features enabled | ⬜ | Config Review | DevOps | **Security Headers Checklist:** ```http Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=(), camera=() ``` #### A06:2021 - Vulnerable and Outdated Components | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Scan Python dependencies for CVEs | ⬜ | pip-audit/safety | Security Team | | Scan Node.js dependencies for CVEs | ⬜ | npm audit | Security Team | | Check Docker base images for vulnerabilities | ⬜ | Trivy Scan | DevOps | | Verify dependency pinning in requirements | ⬜ | Code Review | Backend Dev | | Check for end-of-life components | ⬜ | Automated Scan | Security Team | **Dependency Scan Commands:** ```bash # Python dependencies pip-audit --requirement requirements.txt safety check --file requirements.txt # Node.js dependencies cd frontend && npm audit --audit-level=moderate # Docker images trivy image mockupaws/backend:latest trivy image postgres:15-alpine ``` #### A07:2021 - Identification and Authentication Failures | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify password complexity requirements | ⬜ | Code Review | Backend Dev | | Check for brute force protection | ⬜ | Pen Test | Security Team | | Verify session timeout handling | ⬜ | Pen Test | Security Team | | Check for credential stuffing protection | ⬜ | Code Review | Backend Dev | | Verify MFA capability (if required) | ⬜ | Architecture Review | Architect | | Check for weak password storage | ✅ | Code Review | Done | #### A08:2021 - Software and Data Integrity Failures | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify CI/CD pipeline security | ⬜ | Pipeline Review | DevOps | | Check for signed commits requirement | ⬜ | Git Config Review | DevOps | | Verify dependency integrity (checksums) | ⬜ | Build Review | DevOps | | Check for unauthorized code changes | ⬜ | Audit Log Review | Security Team | #### A09:2021 - Security Logging and Monitoring Failures | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Verify audit logging for sensitive operations | ⬜ | Code Review | Backend Dev | | Check for centralized log aggregation | ⬜ | Infra Review | DevOps | | Verify log integrity (tamper-proof) | ⬜ | Config Review | DevOps | | Check for real-time alerting | ⬜ | Monitoring Review | DevOps | | Verify retention policies | ⬜ | Policy Review | Security Team | **Required Audit Events:** ```python AUDIT_EVENTS = [ "user.login.success", "user.login.failure", "user.logout", "user.password_change", "api_key.created", "api_key.revoked", "scenario.created", "scenario.deleted", "scenario.started", "scenario.stopped", "report.generated", "export.downloaded", ] ``` #### A10:2021 - Server-Side Request Forgery (SSRF) | Check Item | Status | Method | Owner | |------------|--------|--------|-------| | Check for unvalidated URL redirects | ⬜ | Code Review | Security Team | | Verify external API call validation | ⬜ | Code Review | Security Team | | Check for internal resource access | ⬜ | Pen Test | Security Team | --- ### 1.2 Dependency Vulnerability Scan #### Python Dependencies Scan ```bash # Install scanning tools pip install pip-audit safety bandit # Generate full report pip-audit --requirement requirements.txt --format=json --output=reports/python-audit.json # High severity only pip-audit --requirement requirements.txt --severity=high # Safety check with API key for latest CVEs safety check --file requirements.txt --json --output reports/safety-report.json # Static analysis with Bandit bandit -r src/ -f json -o reports/bandit-report.json ``` **Current Dependencies Status:** | Package | Version | CVE Status | Action Required | |---------|---------|------------|-----------------| | fastapi | 0.110.0 | Check | Scan required | | sqlalchemy | 2.0.x | Check | Scan required | | pydantic | 2.7.0 | Check | Scan required | | asyncpg | 0.31.0 | Check | Scan required | | python-jose | 3.3.0 | Check | Scan required | | bcrypt | 4.0.0 | Check | Scan required | #### Node.js Dependencies Scan ```bash cd frontend # Audit with npm npm audit --audit-level=moderate # Generate detailed report npm audit --json > ../reports/npm-audit.json # Fix automatically where possible npm audit fix # Check for outdated packages npm outdated ``` #### Docker Image Scan ```bash # Scan all images trivy image --format json --output reports/trivy-backend.json mockupaws/backend:latest trivy image --format json --output reports/trivy-postgres.json postgres:15-alpine trivy image --format json --output reports/trivy-nginx.json nginx:alpine # Check for secrets in images trivy filesystem --scanners secret src/ ``` --- ### 1.3 Secrets Management Audit #### Current State Analysis | Secret Type | Current Storage | Risk Level | Target Solution | |-------------|-----------------|------------|-----------------| | JWT Secret Key | .env file | HIGH | HashiCorp Vault | | DB Password | .env file | HIGH | AWS Secrets Manager | | API Keys | Database (hashed) | MEDIUM | Keep current | | AWS Credentials | .env file | HIGH | IAM Roles | | Redis Password | .env file | MEDIUM | Kubernetes Secrets | #### Secrets Audit Checklist - [ ] No secrets in Git history (`git log --all --full-history -- .env`) - [ ] No secrets in Docker images (use multi-stage builds) - [ ] Secrets rotated in last 90 days - [ ] Secret access logged - [ ] Least privilege for secret access - [ ] Secrets encrypted at rest - [ ] Secret rotation automation planned #### Secret Scanning ```bash # Install gitleaks docker run --rm -v $(pwd):/code zricethezav/gitleaks detect --source=/code -v # Scan for high-entropy strings truffleHog --regex --entropy=False . # Check specific patterns grep -r "password\|secret\|key\|token" --include="*.py" --include="*.ts" --include="*.tsx" src/ frontend/src/ ``` --- ### 1.4 API Security Review #### Rate Limiting Configuration | Endpoint Category | Current Limit | Recommended | Implementation | |-------------------|---------------|-------------|----------------| | Authentication | 5/min | 5/min | Redis-backed | | API Key Mgmt | 10/min | 10/min | Redis-backed | | General API | 100/min | 100/min | Redis-backed | | Ingest | 1000/min | 1000/min | Redis-backed | | Reports | 10/min | 10/min | Redis-backed | #### Rate Limiting Test Cases ```python # Test rate limiting effectiveness import asyncio import httpx async def test_rate_limit(endpoint: str, requests: int, expected_limit: int): """Verify rate limiting is enforced.""" async with httpx.AsyncClient() as client: tasks = [client.get(endpoint) for _ in range(requests)] responses = await asyncio.gather(*tasks, return_exceptions=True) rate_limited = sum(1 for r in responses if r.status_code == 429) success = sum(1 for r in responses if r.status_code == 200) assert success <= expected_limit, f"Expected max {expected_limit} success, got {success}" assert rate_limited > 0, "Expected some rate limited requests" ``` #### Authentication Security | Check | Method | Expected Result | |-------|--------|-----------------| | JWT without signature fails | Unit Test | 401 Unauthorized | | JWT with wrong secret fails | Unit Test | 401 Unauthorized | | Expired JWT fails | Unit Test | 401 Unauthorized | | Token type confusion fails | Unit Test | 401 Unauthorized | | Refresh token reuse detection | Pen Test | Old tokens invalidated | | API key prefix validation | Unit Test | Fast rejection | | API key rate limit per key | Load Test | Enforced | --- ### 1.5 Data Encryption Requirements #### Encryption in Transit | Protocol | Minimum Version | Configuration | |----------|-----------------|---------------| | TLS | 1.3 | `ssl_protocols TLSv1.3;` | | HTTPS | HSTS | `max-age=31536000; includeSubDomains` | | Database | SSL | `sslmode=require` | | Redis | TLS | `tls-port 6380` | #### Encryption at Rest | Data Store | Encryption Method | Key Management | |------------|-------------------|----------------| | PostgreSQL | AWS RDS TDE | AWS KMS | | S3 Buckets | AES-256 | AWS S3-Managed | | EBS Volumes | AWS EBS Encryption | AWS KMS | | Backups | GPG + AES-256 | Offline HSM | | Application Logs | None required | N/A | --- ## 2. Penetration Testing Plan ### 2.1 Scope Definition #### In-Scope | Component | URL/IP | Testing Allowed | |-----------|--------|-----------------| | Production API | https://api.mockupaws.com | No (use staging) | | Staging API | https://staging-api.mockupaws.com | Yes | | Frontend App | https://app.mockupaws.com | Yes (staging) | | Admin Panel | https://admin.mockupaws.com | Yes (staging) | | Database | Internal | No (use test instance) | #### Out-of-Scope - Physical security - Social engineering - DoS/DDoS attacks - Third-party infrastructure (AWS, Cloudflare) - Employee personal devices ### 2.2 Test Cases #### SQL Injection Tests ```python # Test ID: SQL-001 # Objective: Test for SQL injection in scenario endpoints # Method: Union-based injection test_payloads = [ "' OR '1'='1", "'; DROP TABLE scenarios; --", "' UNION SELECT username,password FROM users --", "1 AND 1=1", "1 AND 1=2", "1' ORDER BY 1--", "1' ORDER BY 100--", "-1' UNION SELECT null,null,null,null--", ] # Endpoints to test endpoints = [ "/api/v1/scenarios/{id}", "/api/v1/scenarios?status={payload}", "/api/v1/scenarios?region={payload}", "/api/v1/ingest", ] ``` #### XSS (Cross-Site Scripting) Tests ```python # Test ID: XSS-001 to XSS-003 # Types: Reflected, Stored, DOM-based xss_payloads = [ # Basic script injection "", # Image onerror "", # SVG injection "", # Event handler "\" onfocus=alert('XSS') autofocus=\"", # JavaScript protocol "javascript:alert('XSS')", # Template injection "{{7*7}}", "${7*7}", # HTML5 vectors "", "", # Polyglot "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";", ] # Test locations # 1. Scenario name (stored) # 2. Log message preview (stored) # 3. Error messages (reflected) # 4. Search parameters (reflected) ``` #### CSRF (Cross-Site Request Forgery) Tests ```python # Test ID: CSRF-001 # Objective: Verify CSRF protection on state-changing operations # Test approach: # 1. Create malicious HTML page malicious_form = """
""" # 2. Trick authenticated user into visiting page # 3. Check if scenario was created without proper token # Expected: Request should fail without valid CSRF token ``` #### Authentication Bypass Tests ```python # Test ID: AUTH-001 to AUTH-010 auth_tests = [ { "id": "AUTH-001", "name": "JWT Algorithm Confusion", "method": "Change alg to 'none' in JWT header", "expected": "401 Unauthorized" }, { "id": "AUTH-002", "name": "JWT Key Confusion (RS256 to HS256)", "method": "Sign token with public key as HMAC secret", "expected": "401 Unauthorized" }, { "id": "AUTH-003", "name": "Token Expiration Bypass", "method": "Send expired token", "expected": "401 Unauthorized" }, { "id": "AUTH-004", "name": "API Key Enumeration", "method": "Brute force API key prefixes", "expected": "Rate limited, consistent timing" }, { "id": "AUTH-005", "name": "Session Fixation", "method": "Attempt to reuse old session token", "expected": "401 Unauthorized" }, { "id": "AUTH-006", "name": "Password Brute Force", "method": "Attempt common passwords", "expected": "Account lockout after N attempts" }, { "id": "AUTH-007", "name": "OAuth State Parameter", "method": "Missing/invalid state parameter", "expected": "400 Bad Request" }, { "id": "AUTH-008", "name": "Privilege Escalation", "method": "Modify JWT payload to add admin role", "expected": "401 Unauthorized (signature invalid)" }, { "id": "AUTH-009", "name": "Token Replay", "method": "Replay captured token from different IP", "expected": "Behavior depends on policy" }, { "id": "AUTH-010", "name": "Weak Password Policy", "method": "Register with weak passwords", "expected": "Password rejected if < 8 chars or no complexity" }, ] ``` #### Business Logic Tests ```python # Test ID: LOGIC-001 to LOGIC-005 logic_tests = [ { "id": "LOGIC-001", "name": "Scenario State Manipulation", "test": "Try to transition from draft to archived directly", "expected": "Validation error" }, { "id": "LOGIC-002", "name": "Cost Calculation Manipulation", "test": "Inject negative values in metrics", "expected": "Validation error or absolute value" }, { "id": "LOGIC-003", "name": "Race Condition - Double Spending", "test": "Simultaneous scenario starts", "expected": "Only one succeeds" }, { "id": "LOGIC-004", "name": "Report Generation Abuse", "test": "Request multiple reports simultaneously", "expected": "Rate limited" }, { "id": "LOGIC-005", "name": "Data Export Authorization", "test": "Export other user's scenario data", "expected": "403 Forbidden" }, ] ``` ### 2.3 Recommended Tools #### Automated Scanning Tools | Tool | Purpose | Usage | |------|---------|-------| | **OWASP ZAP** | Web vulnerability scanner | `zap-full-scan.py -t https://staging.mockupaws.com` | | **Burp Suite Pro** | Web proxy and scanner | Manual testing + automated crawl | | **sqlmap** | SQL injection detection | `sqlmap -u "https://api.mockupaws.com/scenarios?id=1"` | | **Nikto** | Web server scanner | `nikto -h https://staging.mockupaws.com` | | **Nuclei** | Fast vulnerability scanner | `nuclei -u https://staging.mockupaws.com` | #### Static Analysis Tools | Tool | Language | Usage | |------|----------|-------| | **Bandit** | Python | `bandit -r src/` | | **Semgrep** | Multi | `semgrep --config=auto src/` | | **ESLint Security** | JavaScript | `eslint --ext .ts,.tsx src/` | | **SonarQube** | Multi | Full codebase analysis | | **Trivy** | Docker/Infra | `trivy fs --scanners vuln,secret,config .` | #### Manual Testing Tools | Tool | Purpose | |------|---------| | **Postman** | API testing and fuzzing | | **JWT.io** | JWT token analysis | | **CyberChef** | Data encoding/decoding | | **Wireshark** | Network traffic analysis | | **Browser DevTools** | Frontend security testing | --- ## 3. Compliance Review ### 3.1 GDPR Compliance Checklist #### Lawful Basis and Transparency | Requirement | Status | Evidence | |-------------|--------|----------| | Privacy Policy Published | ⬜ | Document required | | Terms of Service Published | ⬜ | Document required | | Cookie Consent Implemented | ⬜ | Frontend required | | Data Processing Agreement | ⬜ | For sub-processors | #### Data Subject Rights | Right | Implementation | Status | |-------|----------------|--------| | **Right to Access** | `/api/v1/user/data-export` endpoint | ⬜ | | **Right to Rectification** | User profile update API | ⬜ | | **Right to Erasure** | Account deletion with cascade | ⬜ | | **Right to Restrict Processing** | Soft delete option | ⬜ | | **Right to Data Portability** | JSON/CSV export | ⬜ | | **Right to Object** | Marketing opt-out | ⬜ | | **Right to be Informed** | Data collection notices | ⬜ | #### Data Retention and Minimization ```python # GDPR Data Retention Policy gdpr_retention_policies = { "user_personal_data": { "retention_period": "7 years after account closure", "legal_basis": "Legal obligation (tax records)", "anonymization_after": "7 years" }, "scenario_logs": { "retention_period": "1 year", "legal_basis": "Legitimate interest", "can_contain_pii": True, "auto_purge": True }, "audit_logs": { "retention_period": "7 years", "legal_basis": "Legal obligation (security)", "immutable": True }, "api_access_logs": { "retention_period": "90 days", "legal_basis": "Legitimate interest", "anonymize_ips": True } } ``` #### GDPR Technical Checklist - [ ] Pseudonymization of user data where possible - [ ] Encryption of personal data at rest and in transit - [ ] Breach notification procedure (72 hours) - [ ] Privacy by design implementation - [ ] Data Protection Impact Assessment (DPIA) - [ ] Records of processing activities - [ ] DPO appointment (if required) ### 3.2 SOC 2 Readiness Assessment #### SOC 2 Trust Services Criteria | Criteria | Control Objective | Current State | Gap | |----------|-------------------|---------------|-----| | **Security** | Protect system from unauthorized access | Partial | Medium | | **Availability** | System available for operation | Partial | Low | | **Processing Integrity** | Complete, valid, accurate, timely processing | Partial | Medium | | **Confidentiality** | Protect confidential information | Partial | Medium | | **Privacy** | Collect, use, retain, disclose personal info | Partial | High | #### Security Controls Mapping ``` SOC 2 CC6.1 - Logical Access Security ├── User authentication (JWT + API Keys) ✅ ├── Password policies ⬜ ├── Access review procedures ⬜ └── Least privilege enforcement ⬜ SOC 2 CC6.2 - Access Removal ├── Automated de-provisioning ⬜ ├── Access revocation on termination ⬜ └── Regular access reviews ⬜ SOC 2 CC6.3 - Access Approvals ├── Access request workflow ⬜ ├── Manager approval required ⬜ └── Documentation of access grants ⬜ SOC 2 CC6.6 - Encryption ├── Encryption in transit (TLS 1.3) ✅ ├── Encryption at rest ⬜ └── Key management ⬜ SOC 2 CC7.2 - System Monitoring ├── Audit logging ⬜ ├── Log monitoring ⬜ ├── Alerting on anomalies ⬜ └── Log retention ⬜ ``` #### SOC 2 Readiness Roadmap | Phase | Timeline | Activities | |-------|----------|------------| | **Phase 1: Documentation** | Weeks 1-4 | Policy creation, control documentation | | **Phase 2: Implementation** | Weeks 5-12 | Control implementation, tool deployment | | **Phase 3: Evidence Collection** | Weeks 13-16 | 3 months of evidence collection | | **Phase 4: Audit** | Week 17 | External auditor engagement | --- ## 4. Remediation Plan ### 4.1 Severity Classification | Severity | CVSS Score | Response Time | SLA | |----------|------------|---------------|-----| | **Critical** | 9.0-10.0 | 24 hours | Fix within 1 week | | **High** | 7.0-8.9 | 48 hours | Fix within 2 weeks | | **Medium** | 4.0-6.9 | 1 week | Fix within 1 month | | **Low** | 0.1-3.9 | 2 weeks | Fix within 3 months | | **Informational** | 0.0 | N/A | Document | ### 4.2 Remediation Template ```markdown ## Vulnerability Report Template ### VULN-XXX: [Title] **Severity:** [Critical/High/Medium/Low] **Category:** [OWASP Category] **Component:** [Backend/Frontend/Infrastructure] **Discovered:** [Date] **Reporter:** [Name] #### Description [Detailed description of the vulnerability] #### Impact [What could happen if exploited] #### Steps to Reproduce 1. Step one 2. Step two 3. Step three #### Evidence [Code snippets, screenshots, request/response] #### Recommended Fix [Specific remediation guidance] #### Verification [How to verify the fix is effective] #### Status - [ ] Confirmed - [ ] Fix in Progress - [ ] Fix Deployed - [ ] Verified ``` --- ## 5. Audit Schedule ### Week 1: Preparation | Day | Activity | Owner | |-----|----------|-------| | 1 | Kickoff meeting, scope finalization | Security Lead | | 2 | Environment setup, tool installation | Security Team | | 3 | Documentation review, test cases prep | Security Team | | 4 | Start automated scanning | Security Team | | 5 | Automated scan analysis | Security Team | ### Week 2-3: Manual Testing | Activity | Duration | Owner | |----------|----------|-------| | SQL Injection Testing | 2 days | Pen Tester | | XSS Testing | 2 days | Pen Tester | | Authentication Testing | 2 days | Pen Tester | | Business Logic Testing | 2 days | Pen Tester | | API Security Testing | 2 days | Pen Tester | | Infrastructure Testing | 2 days | Pen Tester | ### Week 4: Remediation & Verification | Day | Activity | Owner | |-----|----------|-------| | 1 | Final report delivery | Security Team | | 2-5 | Critical/High remediation | Dev Team | | 6 | Remediation verification | Security Team | | 7 | Sign-off | Security Lead | --- ## Appendix A: Security Testing Tools Setup ### OWASP ZAP Configuration ```bash # Install OWASP ZAP docker pull owasp/zap2docker-stable # Full scan docker run -v $(pwd):/zap/wrk/:rw \ owasp/zap2docker-stable zap-full-scan.py \ -t https://staging-api.mockupaws.com \ -g gen.conf \ -r zap-report.html # API scan (for OpenAPI) docker run -v $(pwd):/zap/wrk/:rw \ owasp/zap2docker-stable zap-api-scan.py \ -t https://staging-api.mockupaws.com/openapi.json \ -f openapi \ -r zap-api-report.html ``` ### Burp Suite Configuration ``` 1. Set up upstream proxy for certificate pinning bypass 2. Import OpenAPI specification 3. Configure scan scope: - Include: https://staging-api.mockupaws.com/* - Exclude: https://staging-api.mockupaws.com/health 4. Set authentication: - Token location: Header - Header name: Authorization - Token prefix: Bearer 5. Run crawl and audit ``` ### CI/CD Security Integration ```yaml # .github/workflows/security-scan.yml name: Security Scan on: push: branches: [main, develop] pull_request: branches: [main] schedule: - cron: '0 0 * * 0' # Weekly jobs: dependency-check: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Python Dependency Audit run: | pip install pip-audit pip-audit --requirement requirements.txt - name: Node.js Dependency Audit run: | cd frontend npm audit --audit-level=moderate - name: Secret Scan uses: trufflesecurity/trufflehog@main with: path: ./ base: main head: HEAD sast: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Bandit Scan run: | pip install bandit bandit -r src/ -f json -o bandit-report.json - name: Semgrep Scan uses: returntocorp/semgrep-action@v1 with: config: >- p/security-audit p/owasp-top-ten p/cwe-top-25 ``` --- *Document Version: 1.0.0-Draft* *Last Updated: 2026-04-07* *Classification: Internal - Confidential* *Owner: @spec-architect*