Phase1: Add project proposal, security plan, README and changelog

munazza-a11 · munazza-a11 · commit eec93d815e88 · 2025-10-24T19:29:59.000+05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,6 @@
+# CHANGELOG
+
+## Unreleased
+
+* Phase1: Add project proposal and security plan (by Munazza Ahmed Sumaiya Bukhari Zainab Altaf)
+
diff --git a/README.md b/README.md
@@ -1,3 +1,15 @@
+# SecureNotes (fork of full-stack-fastapi-postgresql)
+
+Phase 1 deliverables for SecureNotes (REST API security project).
+
+## Phase 1 contents
+
+* `docs/PROJECT_PROPOSAL.md`
+* `docs/SECURITY_PLAN.md`
+* `docs/system_overview.drawio` / `.png` / `.pdf`
+* `README.md`, `CHANGELOG.md`
+
+This repo is a fork of the `tiangolo/full-stack-fastapi-postgresql` starter.
 # Full Stack FastAPI Template
 
 <a href="https://github.com/fastapi/full-stack-fastapi-template/actions?query=workflow%3ATest" target="_blank"><img src="https://github.com/fastapi/full-stack-fastapi-template/workflows/Test/badge.svg" alt="Test"></a>
diff --git a/docs/PROJECT_PROPOSAL.md b/docs/PROJECT_PROPOSAL.md
@@ -0,0 +1,39 @@
+# Project Proposal — SecureNotes (FastAPI)
+
+**Course:** Secure Software Development
+**Project Theme:** REST API Security (FastAPI) — fork of tiangolo/full-stack-fastapi-postgresql
+**Repository (fork):** [https://github.com/YourGitHubUser/secure-notes](https://github.com/YourGitHubUser/secure-notes)
+
+**Implementer (Phase 1):** [Your Full Name]
+
+## Objective
+
+Build a secure REST API to accept, encrypt, store and return user notes. Use Secure SDLC, OWASP guidance, and DevSecOps: threat modeling, code and dependency scanning, container scanning, and DAST.
+
+## Scope (Phase 1)
+
+* Fork the template and set up repo branch `phase1-setup`.
+* Define security objectives and produce a Security Plan (this doc + SECURITY_PLAN.md).
+* Produce Level-0 DFD (docs/system_overview.*).
+* Setup initial README and changelog.
+
+## Deliverables (Phase 1)
+
+* docs/PROJECT_PROPOSAL.md
+* docs/SECURITY_PLAN.md
+* docs/system_overview.png and .pdf
+* README.md and CHANGELOG.md
+* Branch: phase1-setup and PR to main
+
+## Team & responsibilities
+
+* [Your Full Name] — Phase 1: planning, repo setup, DFD, documentation.
+* (Teammates will implement later phases: threat modeling, code, tests).
+
+## Timeline
+
+* Phase 1: (today) Planning & Setup
+* Phase 2: Threat Model & Risk Assessment
+* Phase 3: Implementation (backend security controls)
+* Phase 4: CI/CD & automated security scans
+* Phase 5: Final report & demo
diff --git a/docs/SECURITY_PLAN.md b/docs/SECURITY_PLAN.md
@@ -0,0 +1,61 @@
+# Security Plan — SecureNotes (Phase 1)
+
+**Author:** [Your Full Name]
+**Repo:** [https://github.com/YourGitHubUser/secure-notes](https://github.com/YourGitHubUser/secure-notes)
+**Date:** YYYY-MM-DD
+
+## 1. Summary
+
+This plan defines security objectives, assets, roles, high-level controls, and next steps for Phase 1 of SecureNotes (FastAPI).
+
+## 2. Security Objectives (CIA + Privacy)
+
+* **Confidentiality**: Encrypt note bodies at rest using AES-GCM with a 256-bit application master key.
+* **Integrity**: Use JWT with HMAC (HS256) and short token lifetimes; authenticated encryption for stored data.
+* **Availability**: Basic rate limiting plan and graceful error handling (to be implemented).
+* **Privacy**: Minimize PII; store username and password hash only; redact sensitive logs.
+
+## 3. System Assets
+
+| Asset                      |   Classification | Comments                               |
+| -------------------------- | ---------------: | -------------------------------------- |
+| Note content               |        Sensitive | Must be encrypted at rest              |
+| User credentials           | Highly sensitive | Store hashed (bcrypt) only             |
+| MASTER_KEY / JWT_SECRET    |           Secret | Store in GitHub Secrets/secret manager |
+| Database backups           |        Sensitive | Encrypt & restrict access              |
+| CI tokens & registry creds |           Secret | Least privilege in CI                  |
+
+## 4. Users & Roles
+
+* **User**: create/read own notes.
+* **Admin** (future): manage users and system.
+* **Developer/CI**: builds and tests; must not leak secrets.
+
+## 5. Data Flows (high level)
+
+* User → HTTPS → FastAPI endpoints (register, login, /notes)
+* FastAPI → encrypt note → DB (store ciphertext)
+* CI (GitHub Actions) → build/test/scan → images/reports
+
+A Level-0 DFD diagram is included: `docs/system_overview.png` / `.pdf`.
+
+## 6. Initial Controls to implement (Phase 2/3 plan)
+
+1. Password hashing (bcrypt via passlib).
+2. JWT auth (short lived access tokens).
+3. AES-GCM encryption for note bodies (app master key from secrets).
+4. Pydantic input validation for all endpoints.
+5. Security headers middleware (CSP, HSTS, X-Frame-Options).
+6. CI: CodeQL, Snyk (SCA), Trivy (container), OWASP ZAP (DAST).
+
+## 7. Key risks & mitigations
+
+* **Leak of master key** → use GitHub Secrets & rotation plan.
+* **Dependency vulnerabilities** → Snyk scans and upgrades.
+* **Misconfigured CI secrets** → restrict access & do not echo secrets in logs.
+
+## 8. Phase-1 acceptance criteria
+
+* Repo forked and branch `phase1-setup` created.
+* Security Plan and DFD added to `docs/`.
+* PR created (and merged).
