Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

CDP Compliance Epic — alle Controls #1

New Issue
Open
opened 2026-04-16 08:16:44 +02:00 by Hartmut · 2 comments
Hartmut commented 2026-04-16 08:16:44 +02:00
Owner
Copy Link
Copy Source

CDP Compliance Epic

Umbrella-Ticket für alle CDP Controls aus samples/CDP/Copy of CDP_Controls_Export_KapaKraken.xls.

  • Owner: h.noerenberg
  • Quelle: Accenture CDP Controls Export
  • Scope: 29 Controls — 20 anwendbar, 9 N/A
  • Compliance-Kontext: docs/acn-security-compliance-status.md — CapaKraken ist laut internem Status zu 73 % OK gegenüber der Accenture Application Security Standard V7.30
  • Jedes anwendbare Sub-Ticket enthält einen CapaKraken-spezifischen Action-Plan mit bestehenden Nachweisen und offenen Todos.

Anwendbare Controls (20)

  • #235948467 Application ID (app/AI)
  • #335948468 Provide Written Notification (app)
  • #535948474 Environment Access (app)
  • #635948473 Implement Patching Process (app/AI)
  • #735948472 Maintain current application inventory (dev)
  • #935948452 Confirm Uniqueness of IDs and Passwords (app/AI)
  • #1035948471 Deliver project specific CDP training (app/AI)
  • #1235948470 Segregation of Duty Access (app)
  • #1335948455 Provide Role Related Access (app)
  • #1435948458 Require Multi-Factor Authentication
  • #1535948454 Maintain System Administrator Log (app)
  • #1735948464 General
  • #1935948466 Enable Logging (app)
  • #2435948469 Designate SPOC for Sharing Information (app/AI)
  • #2535948520 Web Application
  • #2635948517 ReactJs
  • #2735948515 HTML5
  • #2835948519 Utilize a Secure DevOps environment supporting code scanning services
  • #2935948518 Cloud
  • #3035948516 NodeJS

Nicht anwendbar (9) — geschlossen

  • #435948462 Confirm Business Continuity contractual requirements (app/AI)
  • #835948459 Log Chain of Custody (app/AI)
  • #1135948457 Encrypt Transmission of Client Data via Mobile (app/AI)
  • #1635948456 Require Reputable Courier for Third Party Transport (app/AI)
  • #1835948465 Establish Firefighter ID Activation Procedure (app)
  • #2035948463 Mobilize subcontracting entities in CDP plan (app/AI)
  • #2135948453 Firefighter Activity Logging (app)
  • #2235948461 Business Need Approval (app)
  • #2335948460 Firefighter ID Password Change (app)

Web Application Detail-Checklisten (73 Checks)

Ergänzende Accenture CDP-Detailchecks aus samples/CDP/checklists/, thematisch zu den Technologie-Controls gruppiert:

  • #31 — Checkliste General (35 checks) → Parent #25 Web Application
  • #32 — Checkliste Cloud (7 checks) → Parent #29 Cloud
  • #33 — Checkliste HTML5 (19 checks) → Parent #27 HTML5
  • #34 — Checkliste Node.js (4 checks) → Parent #30 NodeJS
  • #35 — Checkliste ReactJs (8 checks) → Parent #26 ReactJs
# CDP Compliance Epic Umbrella-Ticket für alle CDP Controls aus `samples/CDP/Copy of CDP_Controls_Export_KapaKraken.xls`. - **Owner:** h.noerenberg - **Quelle:** Accenture CDP Controls Export - **Scope:** 29 Controls — **20 anwendbar**, **9 N/A** - **Compliance-Kontext:** [`docs/acn-security-compliance-status.md`](../blob/main/docs/acn-security-compliance-status.md) — CapaKraken ist laut internem Status zu **73 % OK** gegenüber der Accenture Application Security Standard V7.30 - Jedes anwendbare Sub-Ticket enthält einen CapaKraken-spezifischen Action-Plan mit bestehenden Nachweisen und offenen Todos. ## Anwendbare Controls (20) - [ ] #2 — `35948467` Application ID (app/AI) - [ ] #3 — `35948468` Provide Written Notification (app) - [ ] #5 — `35948474` Environment Access (app) - [ ] #6 — `35948473` Implement Patching Process (app/AI) - [ ] #7 — `35948472` Maintain current application inventory (dev) - [ ] #9 — `35948452` Confirm Uniqueness of IDs and Passwords (app/AI) - [ ] #10 — `35948471` Deliver project specific CDP training (app/AI) - [ ] #12 — `35948470` Segregation of Duty Access (app) - [ ] #13 — `35948455` Provide Role Related Access (app) - [ ] #14 — `35948458` Require Multi-Factor Authentication - [ ] #15 — `35948454` Maintain System Administrator Log (app) - [ ] #17 — `35948464` General - [ ] #19 — `35948466` Enable Logging (app) - [ ] #24 — `35948469` Designate SPOC for Sharing Information (app/AI) - [ ] #25 — `35948520` Web Application - [ ] #26 — `35948517` ReactJs - [ ] #27 — `35948515` HTML5 - [ ] #28 — `35948519` Utilize a Secure DevOps environment supporting code scanning services - [ ] #29 — `35948518` Cloud - [ ] #30 — `35948516` NodeJS ## Nicht anwendbar (9) — geschlossen - [x] ~~#4~~ — `35948462` Confirm Business Continuity contractual requirements (app/AI) - [x] ~~#8~~ — `35948459` Log Chain of Custody (app/AI) - [x] ~~#11~~ — `35948457` Encrypt Transmission of Client Data via Mobile (app/AI) - [x] ~~#16~~ — `35948456` Require Reputable Courier for Third Party Transport (app/AI) - [x] ~~#18~~ — `35948465` Establish Firefighter ID Activation Procedure (app) - [x] ~~#20~~ — `35948463` Mobilize subcontracting entities in CDP plan (app/AI) - [x] ~~#21~~ — `35948453` Firefighter Activity Logging (app) - [x] ~~#22~~ — `35948461` Business Need Approval (app) - [x] ~~#23~~ — `35948460` Firefighter ID Password Change (app) ## Web Application Detail-Checklisten (73 Checks) Ergänzende Accenture CDP-Detailchecks aus `samples/CDP/checklists/`, thematisch zu den Technologie-Controls gruppiert: - [ ] #31 — Checkliste **General** (35 checks) → Parent #25 Web Application - [ ] #32 — Checkliste **Cloud** (7 checks) → Parent #29 Cloud - [ ] #33 — Checkliste **HTML5** (19 checks) → Parent #27 HTML5 - [ ] #34 — Checkliste **Node.js** (4 checks) → Parent #30 NodeJS - [ ] #35 — Checkliste **ReactJs** (8 checks) → Parent #26 ReactJs
Hartmut added the epiccdpsecurity labels 2026-04-16 08:16:44 +02:00
Hartmut commented 2026-04-16 10:20:07 +02:00
Author
Owner
Copy Link
Copy Source

Progress Update — 2026-04-16

Controls-Status

Anwendbare Controls (20):

# Control Status
#2 Application ID geschlossen
#3 Written Notification 🟡 Action Plan in Kommentar
#5 Environment Access geschlossen
#6 Patching Process 🟡 SLA-Policy als Action Plan
#7 App Inventory (AIR) 🔴 Externe Accenture-Action
#9 Uniqueness IDs/Passwords geschlossen
#10 CDP Training 🟡 Action Plan (Material-Abhängig)
#12 Segregation of Duty geschlossen
#13 Role-Related Access geschlossen
#14 MFA Required geschlossen
#15 System Administrator Log geschlossen
#17 General (Secure Coding) 🟡 Abhängig von #25/#31
#19 Enable Logging geschlossen
#24 SPOC 🟡 Action Plan
#25 Web Application 🟡 7 Partials, 0 Gaps (siehe Kommentar)
#26 ReactJs geschlossen
#27 HTML5 geschlossen
#28 Secure DevOps (SAST/DAST) 🔴 SAST/DAST fehlt
#29 Cloud geschlossen (N/A on-prem)
#30 NodeJS geschlossen

Detail-Checklisten (73 Checks)

  • #31 General (35 Checks) → 2 echte Gaps (Password-Blacklist, Password-Expiry) + 4 Partials.
  • #32 Cloud → N/A (on-prem).
  • #33 HTML5 → 100 % OK.
  • #34 Node.js → 100 % OK.
  • #35 ReactJs → 100 % OK.

Summary

  • Geschlossen: 12 CDP Controls + 4 Detail-Checklisten + 9 N/A-Controls (aus Ursprung).
  • Offen mit Action Plan: 8 Controls (5× Doku/Prozess, 1× externes AIR, 2× Code-Change).
  • Echte Code-Gaps (blockierend):
    1. SAST/DAST in CI (#28)
    2. Password-Blacklist + Expiry (#31)

Nächste Schritte

  1. Prio HIGH: SAST (Semgrep) + DAST (ZAP-Baseline) in CI integrieren — blockiert #28 + #17.
  2. Prio MID: Password-Blacklist via zxcvbn — blockiert #31 + #17.
  3. Prio LOW: Doku-TODOs (#3 Admin-Mail, #6 Patching-Policy, #10 Training, #24 SPOC) — parallel abarbeitbar.
  4. External: AIR-Registration (#7) bei Accenture.
## Progress Update — 2026-04-16 ### Controls-Status **Anwendbare Controls (20):** | # | Control | Status | |---|---------|--------| | ~~#2~~ | Application ID | ✅ geschlossen | | #3 | Written Notification | 🟡 Action Plan in Kommentar | | ~~#5~~ | Environment Access | ✅ geschlossen | | #6 | Patching Process | 🟡 SLA-Policy als Action Plan | | #7 | App Inventory (AIR) | 🔴 Externe Accenture-Action | | ~~#9~~ | Uniqueness IDs/Passwords | ✅ geschlossen | | #10 | CDP Training | 🟡 Action Plan (Material-Abhängig) | | ~~#12~~ | Segregation of Duty | ✅ geschlossen | | ~~#13~~ | Role-Related Access | ✅ geschlossen | | ~~#14~~ | MFA Required | ✅ geschlossen | | ~~#15~~ | System Administrator Log | ✅ geschlossen | | #17 | General (Secure Coding) | 🟡 Abhängig von #25/#31 | | ~~#19~~ | Enable Logging | ✅ geschlossen | | #24 | SPOC | 🟡 Action Plan | | #25 | Web Application | 🟡 7 Partials, 0 Gaps (siehe Kommentar) | | ~~#26~~ | ReactJs | ✅ geschlossen | | ~~#27~~ | HTML5 | ✅ geschlossen | | #28 | Secure DevOps (SAST/DAST) | 🔴 SAST/DAST fehlt | | ~~#29~~ | Cloud | ✅ geschlossen (N/A on-prem) | | ~~#30~~ | NodeJS | ✅ geschlossen | ### Detail-Checklisten (73 Checks) - **#31** General (35 Checks) → **2 echte Gaps** (Password-Blacklist, Password-Expiry) + 4 Partials. - **~~#32~~** Cloud → N/A (on-prem). - **~~#33~~** HTML5 → 100 % OK. - **~~#34~~** Node.js → 100 % OK. - **~~#35~~** ReactJs → 100 % OK. ### Summary - **Geschlossen:** 12 CDP Controls + 4 Detail-Checklisten + 9 N/A-Controls (aus Ursprung). - **Offen mit Action Plan:** 8 Controls (5× Doku/Prozess, 1× externes AIR, 2× Code-Change). - **Echte Code-Gaps (blockierend):** 1. SAST/DAST in CI (#28) 2. Password-Blacklist + Expiry (#31) ### Nächste Schritte 1. **Prio HIGH:** SAST (Semgrep) + DAST (ZAP-Baseline) in CI integrieren — blockiert #28 + #17. 2. **Prio MID:** Password-Blacklist via zxcvbn — blockiert #31 + #17. 3. **Prio LOW:** Doku-TODOs (#3 Admin-Mail, #6 Patching-Policy, #10 Training, #24 SPOC) — parallel abarbeitbar. 4. **External:** AIR-Registration (#7) bei Accenture.
Hartmut commented 2026-04-16 22:05:47 +02:00
Author
Owner
Copy Link
Copy Source

Full-Codebase Security Audit — 2026-04-16

Systematischer Audit des gesamten Source-Codes (nicht nur der CDP-Standard-Controls) hat 60 Findings ergeben, konsolidiert zu 23 actionable Tickets. Alle haben konkrete File-Pfade, Zeilen-Evidenz und copy-paste-baren Fix-Vorschläge.

Methode

3 parallele Audit-Agents mit strikten Scopes:

  • A (Auth/Session/RBAC/Secrets): 20 Findings
  • B (Input-Validation/Upload/API): 25 Findings
  • C (AI/Logging/Headers/Deps): 15 Findings

Jedes Finding mit realistischem Exploit-Path; theoretische Probleme wurden gefiltert.

Neue Tickets

🔴 CRITICAL (2)

  • #36 — Unbounded password inputs enable Argon2 DoS
  • #37 — Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible

🟠 HIGH (13)

  • #38 — Assistant chat message content unbounded — AI cost/memory DoS
  • #39 — Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)
  • #40 — Login timing attack enables user-email enumeration
  • #41 — Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure
  • #42 — E2E_TEST_MODE bypass must fail-fast in production
  • #43 — MFA TOTP replay-race + missing backup codes
  • #44 — API middleware default-allows /api/* — new routes inherit public access
  • #45 — CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP
  • #46 — Pino logger has no redact paths — passwords/tokens logged cleartext
  • #47 — Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks
  • #48 — Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata
  • #49 — SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection
  • #50 — Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image

🟡 MEDIUM (8)

  • #51 — Systematic Zod .max() audit — 202 unbounded z.string() sites
  • #52 — Blueprint validator uses native RegExp — admin-set pattern enables ReDoS
  • #53 — AI-tool error messages leak Prisma schema details to LLM
  • #54 — Dispo workbook path unvalidated + image upload polyglot risk
  • #55 — Audit log fire-and-forget drops entries on DB load + no prompt-input audit
  • #56 — Password-policy client/server divergence + weak secret-entropy check
  • #57 — RBAC permissions cache 60 s — revocation propagates slowly across instances
  • #58 — Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion

Nicht-Duplikate — diese Findings waren noch NICHT durch existierende Tickets gecovert

Existierende Tickets #25/#26/#27/#29/#30/#31 + Checklisten decken die Accenture-CDP-Standard-Kontrollen ab.
Die 23 neuen Tickets behandeln konkrete Code-Level-Probleme, die beim Standard-Checklisten-Audit typischerweise durch das Raster fallen (z. B. Timing-Attacks, Prompt-Injection-Bypass, Docker-Secret-Handling, SSRF-IPv6).

Compliance-Prognose

Nach Abarbeitung der neuen Tickets erwartet:

  • Accenture V7.30: 73% → ~92%
  • Die 4 Partials in Q18.x (#25 Change-Management) bleiben als organisatorische TODOs.

Empfohlene Reihenfolge

  1. Woche 1 (CRITICAL): #36 (Password-Max), #37 (Rate-Limit IP)
  2. Woche 2-3 (HIGH): #38–#50
  3. Woche 4 (MEDIUM): #51–#58
  4. Parallel (#58, #51): Pre-CI-Lint-Regeln aktivieren, damit neue unbounded Zod/Deps nicht einsickern.

Audit-Artefakte

  • Quelle: Full-Codebase Security Audit 2026-04-16
  • 60 Raw-Findings intern dokumentiert (können auf Anfrage in die Tickets gespiegelt werden)
  • Keine Source-Code-Änderungen im Rahmen dieses Audits — nur Ticket-Anlage.
## Full-Codebase Security Audit — 2026-04-16 Systematischer Audit des gesamten Source-Codes (nicht nur der CDP-Standard-Controls) hat **60 Findings** ergeben, konsolidiert zu **23 actionable Tickets**. Alle haben konkrete File-Pfade, Zeilen-Evidenz und copy-paste-baren Fix-Vorschläge. ### Methode 3 parallele Audit-Agents mit strikten Scopes: - **A (Auth/Session/RBAC/Secrets):** 20 Findings - **B (Input-Validation/Upload/API):** 25 Findings - **C (AI/Logging/Headers/Deps):** 15 Findings Jedes Finding mit realistischem Exploit-Path; theoretische Probleme wurden gefiltert. ### Neue Tickets #### 🔴 CRITICAL (2) - #36 — Unbounded password inputs enable Argon2 DoS - #37 — Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible #### 🟠 HIGH (13) - #38 — Assistant chat message content unbounded — AI cost/memory DoS - #39 — Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization) - #40 — Login timing attack enables user-email enumeration - #41 — Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure - #42 — E2E_TEST_MODE bypass must fail-fast in production - #43 — MFA TOTP replay-race + missing backup codes - #44 — API middleware default-allows `/api/*` — new routes inherit public access - #45 — CSP wildcards (`*.openai.com`, `*.azure.com`), `unsafe-inline` styles, SVG routes skip CSP - #46 — Pino logger has no redact paths — passwords/tokens logged cleartext - #47 — Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks - #48 — Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata - #49 — SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection - #50 — Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image #### 🟡 MEDIUM (8) - #51 — Systematic Zod `.max()` audit — 202 unbounded `z.string()` sites - #52 — Blueprint validator uses native RegExp — admin-set pattern enables ReDoS - #53 — AI-tool error messages leak Prisma schema details to LLM - #54 — Dispo workbook path unvalidated + image upload polyglot risk - #55 — Audit log fire-and-forget drops entries on DB load + no prompt-input audit - #56 — Password-policy client/server divergence + weak secret-entropy check - #57 — RBAC permissions cache 60 s — revocation propagates slowly across instances - #58 — Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion ### Nicht-Duplikate — diese Findings waren noch NICHT durch existierende Tickets gecovert Existierende Tickets #25/#26/#27/#29/#30/#31 + Checklisten decken die Accenture-CDP-Standard-Kontrollen ab. Die 23 neuen Tickets behandeln konkrete Code-Level-Probleme, die beim Standard-Checklisten-Audit typischerweise durch das Raster fallen (z. B. Timing-Attacks, Prompt-Injection-Bypass, Docker-Secret-Handling, SSRF-IPv6). ### Compliance-Prognose Nach Abarbeitung der neuen Tickets erwartet: - **Accenture V7.30: 73% → ~92%** - Die 4 Partials in Q18.x (#25 Change-Management) bleiben als organisatorische TODOs. ### Empfohlene Reihenfolge 1. **Woche 1 (CRITICAL):** #36 (Password-Max), #37 (Rate-Limit IP) 2. **Woche 2-3 (HIGH):** #38–#50 3. **Woche 4 (MEDIUM):** #51–#58 4. **Parallel (#58, #51):** Pre-CI-Lint-Regeln aktivieren, damit neue unbounded Zod/Deps nicht einsickern. ### Audit-Artefakte - Quelle: Full-Codebase Security Audit 2026-04-16 - 60 Raw-Findings intern dokumentiert (können auf Anfrage in die Tickets gespiegelt werden) - Keine Source-Code-Änderungen im Rahmen dieses Audits — nur Ticket-Anlage.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
cdp
CDP (Client Data Protection) compliance
 epic
Parent/umbrella ticket
 not-applicable
Control does not apply to CapaKraken scope
 security
Security / compliance work
No Label cdp epic security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Hartmut
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#1
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?