Mirror of https://github.com/azaion/satellite-provider.git, synced 2026-06-27 12:41:13 +00:00 (commit c79998bfa7, Co-authored-by: Cursor <cursoragent@cursor.com>)
# OWASP Top 10 Review (Cycle 10)
**Date**: 2026-06-25
**Framework**: OWASP Top 10:2021
**Mode**: Delta review — AZ-1113 over cycle-9 baseline (`owasp_review_cycle9.md`).
| Category | Cycle-9 status | Cycle-10 delta |
|----------|----------------|----------------|
| A01 — Broken Access Control | PASS | No change |
| A02 — Cryptographic Failures | PASS | No change |
| A03 — Injection | PASS | No change |
| A04 — Insecure Design | PASS | No change |
| A05 — Security Misconfiguration | PASS | No change |
| A06 — Vulnerable Components | PASS_WITH_WARNINGS | No new packages; D-AZ795-1 + D2-cy4 carry-overs unchanged |
| A07 — Auth Failures | PASS | No change |
| A08 — Data Integrity Failures | PASS | No change |
| A09 — Logging / Monitoring Failures | PASS_WITH_WARNINGS → **improved** | F-AZ795-1, F-AZ795-2, F-AZ810-1 **resolved**; F-AZ810-2 still open (informational) |
| A10 — SSRF | N/A | No URL-fetch changes |
## A09 detail
AZ-1113 closes the paths, identified in cycles 7 and 8, where REST error responses echoed exception text to the client. Clients now receive only the static strings documented in `error-shape.md` v1.0.1; full exceptions are still logged server-side through the existing logging patterns.
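The echo path and its replacement, as an added illustration that is not the project's own code. The `ErrorShape` record, the error codes and the static strings are hypothetical stand-ins for whatever `error-shape.md` actually documents, and the sample exception text is constructed. It also shows the consumer-side check a client or integration test can run: every error body must be exactly one of the documented shapes.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Hypothetical client-visible error body; the project's real shape is in error-shape.md.
public sealed record ErrorShape(string Code, string Message);

public static class ErrorMapping
{
    // Hypothetical static strings keyed by exception type. Nothing taken from the
    // exception itself is ever copied into these values.
    private static readonly Dictionary<Type, ErrorShape> Map = new()
    {
        [typeof(ArgumentException)]           = new("bad_request", "The request was malformed."),
        [typeof(UnauthorizedAccessException)] = new("forbidden", "Access denied."),
        [typeof(TimeoutException)]            = new("upstream_timeout", "An upstream dependency timed out."),
    };

    private static readonly ErrorShape Fallback = new("internal_error", "An internal error occurred.");

    // Walk up the exception's type hierarchy so subclasses (e.g. ArgumentNullException)
    // map to the entry for their base type rather than to the fallback.
    private static ErrorShape Lookup(Exception ex)
    {
        for (Type? t = ex.GetType(); t != null; t = t.BaseType)
            if (Map.TryGetValue(t, out var mapped)) return mapped;
        return Fallback;
    }

    // BEFORE (the echo path): the exception message goes straight to the REST client.
    // Exception text routinely carries internal host names, file paths, SQL fragments
    // or connection strings, which is why this is an information-disclosure finding.
    public static string EchoingHandler(Exception ex) =>
        JsonSerializer.Serialize(new ErrorShape("error", ex.Message));

    // AFTER: the full exception (type, message, stack trace, inner exceptions) is written
    // to the server-side log only; the client gets a static string chosen by exception type.
    public static string SafeHandler(Exception ex, Action<string> log)
    {
        log($"unhandled {ex.GetType().FullName}: {ex}");
        return JsonSerializer.Serialize(Lookup(ex));
    }

    // Consumer-side check: a body is acceptable only if it is exactly one of the
    // documented static shapes. Drive each failure path in an integration test with this.
    public static bool IsDocumentedShape(string body)
    {
        ErrorShape? parsed;
        try { parsed = JsonSerializer.Deserialize<ErrorShape>(body); }
        catch (JsonException) { return false; }
        if (parsed is null) return false;
        if (parsed == Fallback) return true;           // records compare by value
        foreach (ErrorShape documented in Map.Values)
            if (documented == parsed) return true;
        return false;
    }
}

public static class Program
{
    public static void Main()
    {
        var serverLog = new List<string>();
        // Constructed sample exception carrying the kind of detail a client must not see.
        var ex = new TimeoutException(
            "connect to db-internal.corp:5432 from /srv/satellite/Ingest.cs:118 timed out");

        string leaked = ErrorMapping.EchoingHandler(ex);
        string safe   = ErrorMapping.SafeHandler(ex, serverLog.Add);

        Console.WriteLine("echo path : " + leaked);   // host, port and source path reach the client
        Console.WriteLine("static    : " + safe);     // only the documented string
        Console.WriteLine("documented shape? echo=" + ErrorMapping.IsDocumentedShape(leaked)
                          + " static=" + ErrorMapping.IsDocumentedShape(safe));
        Console.WriteLine("detail kept server-side? " + serverLog[0].Contains("db-internal.corp"));
    }
}
```

The map is keyed by exception type rather than by message so that a new exception message introduced upstream can never widen what the client sees; anything unmapped collapses to the fallback string, and the server log remains the only place the original text exists.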
**Remaining A09 item**: F-AZ810-2 (`DateTime` vs `DateTimeOffset` on `capturedAt`), a time-handling correctness issue rather than an information-disclosure one; it stays open as informational.
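Why the `DateTime` vs `DateTimeOffset` distinction matters for a field like `capturedAt`, as an added illustration that is not the project's code and does not reproduce the specifics of F-AZ810-2 (those are in the cycle-8 review). The sample timestamp is constructed; the `CapturedAt` class and its method names are hypothetical.

```csharp
using System;
using System.Globalization;

public static class CapturedAt
{
    // Constructed sample: a capture timestamp reported from a UTC+2 zone.
    public const string Sample = "2026-06-25T12:41:13+02:00";

    // DateTime has no offset field. Parsing an offset-bearing string converts the instant
    // into the host's local zone (Kind = Local): the sender's +02:00 is discarded, and the
    // wall-clock value now depends on the time zone of whichever server handled the request.
    public static DateTime AsDateTime(string s) =>
        DateTime.Parse(s, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);

    // DateTimeOffset stores the offset with the value, so both the instant and the
    // originating offset survive parse, storage and re-serialization.
    public static DateTimeOffset AsDateTimeOffset(string s) =>
        DateTimeOffset.Parse(s, CultureInfo.InvariantCulture);

    // True when the parsed value still reports the offset the sender supplied.
    public static bool OffsetPreserved(DateTimeOffset v) => v.Offset == TimeSpan.FromHours(2);

    public static void Main()
    {
        DateTime dt = AsDateTime(Sample);
        DateTimeOffset dto = AsDateTimeOffset(Sample);

        // The instant is the same either way...
        Console.WriteLine("same instant       : " + (dto.UtcDateTime == dt.ToUniversalTime()));
        // ...but only DateTimeOffset still knows the capture happened at +02:00.
        Console.WriteLine("offset via DTO     : " + dto.Offset + " preserved=" + OffsetPreserved(dto));
        Console.WriteLine("offset via DateTime: " + new DateTimeOffset(dt).Offset + " (host zone, not the sender's)");
        // Round-trip format "o": DateTime re-emits the host offset, DateTimeOffset the original.
        Console.WriteLine("DateTime       -> " + dt.ToString("o", CultureInfo.InvariantCulture));
        Console.WriteLine("DateTimeOffset -> " + dto.ToString("o", CultureInfo.InvariantCulture));
    }
}
```

On a host whose local zone happens to be UTC+2 the two offsets coincide and the defect is invisible, which is exactly why this class of bug tends to surface only after a deployment moves zones or a UTC-configured container is involved.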
## Verdict
**PASS** (cycle-10 delta on A09 information-disclosure items).
Cumulative: **PASS_WITH_WARNINGS**; only F-AZ810-2 and the A06 dependency carry-overs (D-AZ795-1, D2-cy4) remain open.