Skip to content

nomie7/team-teddy-standards

BranchesTags
Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

7 Commits
ACCESSIBILITY.md
ACCESSIBILITY.md
Β 
Β 
CLAUDE.md
CLAUDE.md
Β 
Β 
PRIVACY.md
PRIVACY.md
Β 
Β 
SECURITY.md
SECURITY.md
Β 
Β 
TESTS.md
TESTS.md
Β 
Β 

Repository files navigation

Security Standards

Security Validation Requirements

MANDATORY: ALL security checks must pass before any production readiness claims.

Security Gate Status

  • 100% pass rate on all security scans and vulnerability assessments is MANDATORY
  • Security validation results must be verified and documented
  • No production readiness claims without explicit security confirmation

OWASP Top 10 Compliance

A01: Broken Access Control

  • Authentication Testing: All login/logout flows tested with valid/invalid credentials
  • Authorization Testing: Role-based access control (RBAC) verified for all endpoints
  • Session Management: Session timeout, invalidation, and concurrent session handling tested
  • Privilege Escalation: Tests for horizontal and vertical privilege escalation attempts
  • Direct Object References: All resource access validated against user permissions

A02: Cryptographic Failures

  • Data in Transit: All sensitive data encrypted using TLS 1.2+ with proper cipher suites
  • Data at Rest: Sensitive data encrypted in databases and file storage
  • Password Storage: Passwords hashed using bcrypt, scrypt, or Argon2 (minimum 12 rounds)
  • API Keys/Secrets: All secrets stored in secure vaults (Azure Key Vault, AWS Secrets Manager, etc.)
  • Cryptographic Standards: Use industry-standard algorithms (AES-256, RSA-2048+, ECDSA P-256+)

A03: Injection Attacks

  • SQL Injection: Parameterized queries/ORM usage verified, no dynamic SQL construction
  • NoSQL Injection: Input validation for NoSQL databases (MongoDB, etc.)
  • Command Injection: OS command execution with proper input sanitization
  • LDAP/XPath Injection: Directory service query protection
  • Input Validation: Server-side validation for all user inputs with allowlist approach

A04: Insecure Design

  • Security by Design: Security requirements defined in architecture documentation
  • Threat Modeling: STRIDE or similar methodology applied to critical components
  • Security Controls: Defense in depth with multiple security layers
  • Secure Defaults: All configurations secure by default (fail securely)
  • Business Logic Security: Critical business flows protected against manipulation

A05: Security Misconfiguration

  • Default Credentials: No default passwords or accounts in production
  • Error Handling: Generic error messages that don't reveal system information
  • HTTP Headers: Security headers implemented (HSTS, CSP, X-Frame-Options, etc.)
  • Directory Listing: Web server directory browsing disabled
  • Unnecessary Features: Unused services, ports, and features disabled

A06: Vulnerable and Outdated Components

  • Dependency Scanning: Automated vulnerability scanning for all dependencies
  • Version Management: All components updated to latest stable, secure versions
  • License Compliance: Third-party component licenses verified and documented
  • Supply Chain Security: Component integrity verification (checksums, signatures)
  • Inventory Management: Complete inventory of all components and versions

A07: Identification and Authentication Failures

  • Multi-Factor Authentication: MFA implemented for administrative and sensitive accounts
  • Password Policy: Strong password requirements (length, complexity, history)
  • Account Lockout: Brute force protection with progressive delays
  • Session Security: Secure session tokens with proper entropy and rotation
  • Credential Recovery: Secure password reset and account recovery processes

A08: Software and Data Integrity Failures

  • Code Signing: Application binaries digitally signed
  • CI/CD Security: Build pipeline security with signed commits and protected branches
  • Dependency Integrity: Package integrity verification (npm audit, package-lock.json)
  • Update Mechanisms: Secure automatic update processes
  • Backup Integrity: Backup verification and tamper detection

A09: Security Logging and Monitoring Failures

  • Security Events: All authentication, authorization, and security events logged
  • Log Protection: Logs stored securely with integrity protection
  • Monitoring: Real-time security monitoring and alerting
  • Incident Response: Documented incident response procedures
  • Audit Trail: Complete audit trail for all security-relevant actions

A10: Server-Side Request Forgery (SSRF)

  • Input Validation: URL validation and allowlist for external requests
  • Network Segmentation: Internal services isolated from user-controlled requests
  • Response Filtering: Sensitive internal responses filtered from user output
  • DNS Resolution: DNS rebinding protection implemented
  • Internal Access: Internal service access properly authenticated and authorized

SOC 2 Type II Compliance Requirements

Security (Common Criteria)

  • Access Controls: Logical and physical access controls documented and implemented
  • System Boundaries: Clear definition of system boundaries and data flow
  • Risk Assessment: Annual risk assessments with documented remediation plans
  • Vendor Management: Third-party vendor security assessments and contracts
  • Incident Management: Security incident response procedures and documentation

Availability

  • System Monitoring: 24/7 system monitoring with automated alerts
  • Backup Procedures: Regular automated backups with tested restoration procedures
  • Disaster Recovery: Documented disaster recovery plan with RTO/RPO targets
  • Capacity Planning: Performance monitoring and capacity management
  • Change Management: Formal change management process for system modifications

Processing Integrity

  • Data Validation: Input validation and data integrity checks
  • Error Handling: Comprehensive error handling and logging
  • System Processing: Accurate and complete transaction processing
  • Data Quality: Data quality controls and validation procedures
  • Batch Processing: Controls for batch job processing and reconciliation

Confidentiality (if applicable)

  • Data Classification: Sensitive data identified and classified
  • Access Controls: Confidential data access restricted to authorized personnel
  • Data Handling: Secure data handling procedures throughout data lifecycle
  • Data Transmission: Encrypted transmission of confidential data
  • Data Disposal: Secure data destruction procedures

Privacy (if applicable)

  • Privacy Notice: Clear privacy policies and data collection notices
  • Consent Management: User consent collection and management procedures
  • Data Minimization: Collection limited to necessary data only
  • Data Retention: Defined data retention periods with automated deletion
  • Data Subject Rights: Procedures for handling data subject requests

Dependency Security Requirements

NPM Package Security

  • Vulnerability Scanning: npm audit must pass with zero high/critical vulnerabilities
  • Package Verification: Verify package integrity using package-lock.json
  • Dependency Updates: Regular dependency updates with security patch priority
  • License Compliance: All NPM packages must have compatible licenses
  • Supply Chain Security: Use npm ci for production deployments

NuGet Package Security

  • Vulnerability Scanning: NuGet vulnerability scanning with zero high/critical issues
  • Package Sources: Only trusted NuGet sources (nuget.org, private feeds)
  • Package Verification: Package signature verification enabled
  • License Compliance: All NuGet packages must have compatible licenses
  • Version Pinning: Exact version pinning for production dependencies

General Dependency Management

  • SBOM Generation: Software Bill of Materials (SBOM) generated for all releases
  • Dependency Review: Manual review required for new dependencies
  • Security Advisories: Subscribe to security advisories for all used technologies
  • Automated Updates: Dependabot or similar for automated security updates
  • Dependency Isolation: Use containers or virtual environments for dependency isolation

Additional Security Best Practices

Secure Development Lifecycle (SDL)

  • Security Training: Regular security training for all developers
  • Code Review: Security-focused code reviews for all changes
  • Static Analysis: SAST tools integrated into CI/CD pipeline
  • Dynamic Analysis: DAST tools for runtime security testing
  • Penetration Testing: Regular external penetration testing

Infrastructure Security

  • Container Security: Container image scanning and runtime security
  • Network Security: Network segmentation and firewall rules
  • Cloud Security: Cloud security posture management (CSPM)
  • Secrets Management: No hardcoded secrets, use secret management systems
  • Certificate Management: Automated certificate lifecycle management

Data Protection

  • Data Encryption: AES-256 encryption for data at rest and in transit
  • Key Management: Hardware Security Modules (HSM) or cloud key management
  • Data Loss Prevention: DLP tools and policies implemented
  • Data Masking: Sensitive data masked in non-production environments
  • Data Retention: Automated data retention and deletion policies

Security Metrics and Thresholds

Vulnerability Management

Severity Resolution Time Tolerance Red Flag
Critical 24 hours 48 hours > 72 hours 🚨
High 7 days 14 days > 30 days ⚠️
Medium 30 days 60 days > 90 days πŸ“‹
Low 90 days 180 days > 1 year πŸ“

Security Testing Coverage

Test Type Target Tolerance Red Flag
SAST Coverage 100% of code 95%+ < 90% 🚨
Dependency Scan 100% of packages 100% < 100% πŸ”₯
OWASP Top 10 100% tested 100% < 100% ⚠️
Security Unit Tests 90%+ coverage 80%+ < 70% πŸ“‹

Compliance Metrics

Requirement Target Tolerance Red Flag
SOC 2 Controls 100% implemented 95%+ < 90% 🚨
Security Incidents 0 unresolved 1-2 open > 3 open πŸ”₯
Audit Findings 0 high/critical 1-2 medium > 2 high ⚠️
Compliance Score 95%+ 90%+ < 85% πŸ“‹

Communication Guidelines

NEVER claim production readiness without:

  • Explicit confirmation that ALL security scans are passing
  • Evidence of vulnerability assessment results
  • Verification of OWASP Top 10 compliance
  • Confirmation of SOC 2 control implementation
  • Documentation of security testing coverage

Instead of saying "secure" or "production ready," use specific language:

  • "Security scans passing but requires [specific security review] before production"
  • "OWASP compliant but needs [penetration testing/security audit] validation"
  • "Dependency vulnerabilities resolved but requires [manual security review]"
  • "Security controls implemented but needs [compliance verification] before production"
  • "Meets security baseline but requires [SOC 2 audit/security assessment] for production"

Implementation Checklist

Pre-Production Security Requirements

  • All security scans passing with zero high/critical vulnerabilities
  • Security validation results documented and verified
  • No security findings blocking production deployment
  • Security testing coverage confirmed

OWASP Top 10 Validation

  • A01 - Broken Access Control: Authentication/authorization testing completed
  • A02 - Cryptographic Failures: Encryption standards implemented and verified
  • A03 - Injection: Input validation and parameterized queries verified
  • A04 - Insecure Design: Security by design principles implemented
  • A05 - Security Misconfiguration: Secure defaults and configurations verified
  • A06 - Vulnerable Components: Dependency scanning completed with zero high/critical issues
  • A07 - Authentication Failures: MFA and secure authentication implemented
  • A08 - Software Integrity: Code signing and CI/CD security verified
  • A09 - Logging/Monitoring: Security logging and monitoring implemented
  • A10 - SSRF: Server-side request forgery protections implemented

SOC 2 Control Implementation

  • Security Controls: Access controls and system boundaries documented
  • Availability Controls: Monitoring, backup, and disaster recovery implemented
  • Processing Integrity: Data validation and error handling verified
  • Confidentiality Controls: Data classification and access restrictions implemented (if applicable)
  • Privacy Controls: Privacy policies and consent management implemented (if applicable)
  • Annual risk assessment completed with documented remediation
  • Vendor security assessments completed
  • Incident response procedures documented and tested

Dependency Security Verification

  • NPM Packages: npm audit passing with zero high/critical vulnerabilities
  • NuGet Packages: NuGet vulnerability scanning completed with zero high/critical issues
  • Package integrity verification (checksums, signatures) completed
  • All dependencies updated to latest stable, secure versions
  • License compliance verified for all packages
  • SBOM (Software Bill of Materials) generated
  • Dependency review completed for new packages
  • Automated security updates configured (Dependabot/similar)

Infrastructure Security

  • Container security scanning completed (if applicable)
  • Network security and firewall rules configured
  • Cloud security posture management implemented (if applicable)
  • Certificate management automated
  • Secrets management system implemented (no hardcoded secrets)
  • Environment isolation verified

Security Testing Completion

  • SAST (Static Analysis): 100% code coverage with zero high/critical findings
  • DAST (Dynamic Analysis): Runtime security testing completed
  • Penetration Testing: External penetration testing completed (if required)
  • Security Code Review: Manual security-focused code review completed
  • Security unit tests implemented with 90%+ coverage

Data Protection Verification

  • Data encryption implemented (AES-256 for data at rest and in transit)
  • Key management system implemented (HSM/cloud key management)
  • Data loss prevention tools configured
  • Data masking implemented in non-production environments
  • Automated data retention and deletion policies implemented

Compliance and Documentation

  • Security documentation complete and current
  • Compliance requirements mapped and verified
  • Security training completed for all team members
  • Incident response plan documented and tested
  • Security metrics meet defined thresholds
  • No red flag security indicators present

Vulnerability Management

  • Critical vulnerabilities: Resolved within 24-48 hours
  • High vulnerabilities: Resolved within 7-14 days
  • Medium vulnerabilities: Resolved within 30-60 days
  • Low vulnerabilities: Resolved within 90-180 days
  • Vulnerability resolution timeline documented

Communication and Sign-off

  • Security results documented with evidence
  • Security limitations or caveats clearly stated
  • Specific language used (no premature "secure" claims)
  • Security gaps identified and remediation plan documented
  • Security review sign-off obtained from security team/officer

Key Security Principles

  • Security is integrated throughout the development lifecycle, not added at the end
  • All security controls must be tested and verified, not just implemented
  • Security findings must be resolved before production deployment
  • Compliance requirements are minimum standards, not maximum security
  • Security monitoring and incident response are ongoing operational requirements
  • Regular security assessments and updates are mandatory, not optional
  • Defense in depth requires multiple layers of security controls
  • Security by design ensures secure defaults and fail-safe mechanisms

About

Comprehensive development standards for accessibility, security, privacy, testing, and Claude Code SuperClaude framework. Production-ready validation requirements and implementation checklists.

Security policy

Security policy
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors