mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-27 07:21:14 +00:00
Oleksandr Bezdieniezhnykh
1.5 KiB
1.5 KiB
OWASP Top 10 Review (Cycle 10)
Date: 2026-06-25
Framework: OWASP Top 10:2021
Mode: Delta review — AZ-1113 over cycle-9 baseline (owasp_review_cycle9.md).
| Category | Cycle-9 status | Cycle-10 delta |
|---|---|---|
| A01 — Broken Access Control | PASS | No change |
| A02 — Cryptographic Failures | PASS | No change |
| A03 — Injection | PASS | No change |
| A04 — Insecure Design | PASS | No change |
| A05 — Security Misconfiguration | PASS | No change |
| A06 — Vulnerable Components | PASS_WITH_WARNINGS | No new packages; D-AZ795-1 + D2-cy4 carry-overs unchanged |
| A07 — Auth Failures | PASS | No change |
| A08 — Data Integrity Failures | PASS | No change |
| A09 — Logging / Monitoring Failures | PASS_WITH_WARNINGS → improved | F-AZ795-1, F-AZ795-2, F-AZ810-1 resolved; F-AZ810-2 still open (informational) |
| A10 — SSRF | N/A | No URL-fetch changes |
A09 detail
AZ-1113 closes the REST client-visible exception echo paths identified in cycles 7–8. Server-side logging of full exceptions is preserved (existing patterns). error-shape.md v1.0.1 documents the static strings for consumer reference.
Remaining A09 item: F-AZ810-2 (DateTime vs DateTimeOffset on capturedAt) — time-handling correctness, not information disclosure.
Verdict
PASS (cycle-10 delta on A09 information-disclosure items).
Cumulative: PASS_WITH_WARNINGS — F-AZ810-2 + dependency carry-overs only.