mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-26 07:21:13 +00:00
7ed780b063
Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors). Standalone integration compose stack, docs, security audit, perf and retro. Co-authored-by: Cursor <cursoragent@cursor.com>
23 lines
1.4 KiB
Markdown
# OWASP Top 10 Review (Cycle 9)

**Date**: 2026-06-25

**Framework**: OWASP Top 10:2021

**Scope**: Cycle-9 gRPC delta (AZ-1074/AZ-1075)

| Category | Status (cycle-9 delta) | Notes |
|----------|------------------------|-------|
| A01 — Broken Access Control | **PASS** | `[Authorize]` on gRPC service; anonymous calls rejected (integration tests cover JWT baseline) |
| A02 — Cryptographic Failures | **N/A** | TLS via Kestrel dev cert / production ingress — unchanged pattern from AZ-505 |
| A03 — Injection | **PASS** | No new string-built SQL; tile coords validated before expand |
| A04 — Insecure Design | **PASS (post-follow-up)** | F-AZ1074-1 unbounded collections **resolved** — caps aligned with REST |
| A05 — Security Misconfiguration | **PASS** | gRPC message size limits set; test compose no longer publishes DB port to host |
| A06 — Vulnerable Components | **PASS_WITH_WARNINGS** | New Grpc.AspNetCore 2.71.0 clean; D-AZ795-1 + D2-cy4 carry-overs |
| A07 — Auth Failures | **PASS** | Same JWT contract as REST; gRPC metadata `Authorization: Bearer` |
| A08 — Data Integrity Failures | **N/A** | No CI/CD or signing changes |
| A09 — Logging Failures | **PASS_WITH_WARNINGS** | F-AZ1074-2 **resolved**; F-AZ795-1/F-AZ795-2 REST carry-overs still open |
| A10 — SSRF | **N/A** | No URL inputs in gRPC contract |
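
The controls the table credits to the cycle-9 gRPC delta (service-level `[Authorize]`, tile coordinate validation before expand, collection caps, message size limits, and generic internal errors in place of leaked exception detail) are shown together below in an ASP.NET Core host using Grpc.AspNetCore. This is an added illustration written for this review page, not code from the satellite-provider repository. `TileService`, the generated `Tiles.TilesBase`, `ExpandTilesRequest`, `ExpandTilesResponse`, `TileCoord` and `Tile` types, the `ITileExpander` data-layer abstraction, and the cap values (500 coordinates, zoom 22, 4 MB / 16 MB) are assumptions made for the example; the project's real contract and REST-aligned caps live in its own proto and configuration.

```csharp
// Added example for the cycle-9 review; not the satellite-provider project's code.
// TileService, Tiles.TilesBase, ExpandTilesRequest/Response, TileCoord, Tile,
// ITileExpander and every cap value below are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Grpc.Core;
using Grpc.Core.Interceptors;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddGrpc(options =>
{
    // A05: bound both directions. Grpc.AspNetCore defaults receive to 4 MB and
    // leaves send unlimited, so the send cap must be set explicitly.
    options.MaxReceiveMessageSize = 4 * 1024 * 1024;   // bytes (assumed value)
    options.MaxSendMessageSize = 16 * 1024 * 1024;     // bytes (assumed value)
    options.Interceptors.Add<GenericErrorInterceptor>();
});

// A07: same JWT bearer contract as REST, carried in gRPC metadata as
// "Authorization: Bearer <token>"; validation parameters come from configuration.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGrpcService<TileService>();
app.Run();

// A09 / F-AZ1074-2: the real exception is logged on the server; the caller only
// ever sees StatusCode.Internal with a fixed message, so stack traces,
// connection strings and SQL text never cross the wire.
public sealed class GenericErrorInterceptor : Interceptor
{
    private readonly ILogger<GenericErrorInterceptor> _log;
    public GenericErrorInterceptor(ILogger<GenericErrorInterceptor> log) => _log = log;

    public override async Task<TResponse> UnaryServerHandler<TRequest, TResponse>(
        TRequest request, ServerCallContext context,
        UnaryServerMethod<TRequest, TResponse> continuation)
    {
        try
        {
            return await continuation(request, context);
        }
        catch (RpcException)
        {
            throw; // deliberate statuses (InvalidArgument, PermissionDenied, ...) pass through
        }
        catch (Exception ex)
        {
            _log.LogError(ex, "Unhandled error in {Method}", context.Method);
            throw new RpcException(new Status(StatusCode.Internal, "internal error"));
        }
    }
}

// Assumed data-layer abstraction; the expand itself is out of scope here.
public interface ITileExpander
{
    Task<IReadOnlyList<Tile>> ExpandAsync(IEnumerable<TileCoord> coords, CancellationToken ct);
}

// A01: service-wide [Authorize]; an anonymous call is rejected by the
// authorization middleware before any handler below runs.
[Authorize]
public sealed class TileService : Tiles.TilesBase   // assumed generated base class
{
    // A04 / F-AZ1074-1: caps assumed equal to the REST contract's values.
    private const int MaxTileCoords = 500;
    private const int MaxZoom = 22;
    private readonly ITileExpander _expander;
    public TileService(ITileExpander expander) => _expander = expander;

    public override async Task<ExpandTilesResponse> ExpandTiles(
        ExpandTilesRequest request, ServerCallContext context)
    {
        // Reject empty and oversized collections before any allocation or I/O.
        if (request.Coords.Count == 0 || request.Coords.Count > MaxTileCoords)
            throw Invalid($"coords must contain between 1 and {MaxTileCoords} entries");

        // A03: validate each XYZ tile coordinate against its zoom level so only
        // well-formed values reach the data layer.
        foreach (TileCoord c in request.Coords)
        {
            if (c.Z < 0 || c.Z > MaxZoom)
                throw Invalid($"z must be between 0 and {MaxZoom}");
            long extent = 1L << c.Z;                 // tiles per axis at this zoom
            if (c.X < 0 || c.X >= extent || c.Y < 0 || c.Y >= extent)
                throw Invalid("x/y out of range for zoom level");
        }

        var tiles = await _expander.ExpandAsync(request.Coords, context.CancellationToken);
        return new ExpandTilesResponse { Tiles = { tiles } };
    }

    private static RpcException Invalid(string detail) =>
        new RpcException(new Status(StatusCode.InvalidArgument, detail));
}
```

Two points to check when reviewing a change like this: the interceptor must re-throw `RpcException` unchanged, otherwise the `InvalidArgument` responses from the cap and coordinate checks would be collapsed into `Internal` and clients could no longer distinguish bad input from server faults; and the message size limits only bound transport, so the per-collection cap is still needed for a request that is small on the wire but expensive to expand.
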

## Verdict

**PASS_WITH_WARNINGS** cumulative (REST carry-overs). Cycle-9 delta: **PASS** after Step-14 follow-up fixes.