CDP 35948464: General #17

Open
opened 2026-04-16 08:16:47 +02:00 by Hartmut · 3 comments
**CDP Control ID:** `35948464`
**Category:** Secure Application Development
**Frequency:** Onetime
**Owner:** h.noerenberg
**Parent:** #1

## Requirement & Guidance

Secure Application Development Requirement: Complete the Accenture Delivery Methods (ADM) and CDP requirements for General by implementing the security requirements listed in the Secure Coding Checklist in your solution. Validation of this control is attestation to the implementation of all requirements in the secure coding checklist. https://in.accenture.com/protectingaccenture/client-data-protection/secure-coding-checklists/

Guidance: Visit the Secure Coding Checklist page and download the corresponding checklist. Share the list with all applicable project resources and instruct on the implementation of requirements in the solution. In case you are unable to implement a security requirement, discuss with your Account Manager to assist in processing a formal exception with client sign-off. The checklists are to be used for tracking purposes. For more information visit the Secure Application Development website. Solution security is required by Policy 56.
Hartmut added the cdpsecurity labels 2026-04-16 08:16:47 +02:00
### CapaKraken Action Plan — 35948464 Secure Coding Checklist — General

**Scope:** Implement and attest all items from the Secure Coding General checklist.

**Checklist source:** [Secure Coding_General.xlsx](https://ts.accenture.com/sites/Information_Security2/Protecting%20Accenture/Shared%20Documents/Client%20Data%20Protection%20WordPress%20Site/Resources/Secure%20Coding%20Checklists/Secure%20Coding_General.xlsx) (IRM-protected, open in Excel Online)

**Current status (from `docs/acn-security-compliance-status.md` — high coverage):**

- Input Validation (3.2.2.3.01 OK) — Zod
- Parameterized SQL (3.2.2.3.06 OK) — Prisma
- XSS / Injection (3.3.1.2.01 OK) — DOMPurify
- Security Headers (3.2.2.3.13 OK) — HSTS/CSP/XFO/XCTO
- Error Handling (3.2.2.6.01 OK)
- Session Management (3.2.2.4.01-05 OK) — Auth.js + 3 concurrent max
- Secure File Upload (3.2.2.5.01 OK) — Magic bytes

**Todos:**

- [ ] Open the checklist in Excel Online and mark each item Compliant/Exception
- [ ] Link gaps (if any) as new GitHub issues
- [ ] Evidence: completed checklist as PDF/screenshot in `samples/CDP/attestations/general.pdf`

**Files:** `docs/sdlc.md`, `docs/security-architecture.md`
## CapaKraken Compliance Status

**EAPPS mapping:** `3.2.2.3.x / Web Application Security Standard`
**Status:** 🟡 **PARTIAL / TODO** — concrete steps below

### Summary

Secure coding requirements are largely implemented (Zod validation, Prisma/parameterized SQL, DOMPurify, CSP headers). Detailed verification runs via the checklist in **#31** (35 checks).

### Current evidence

- Zod schemas on all tRPC procedures — [`packages/api/src/router`](../blob/main/packages/api/src/router)
- Prisma parameterized SQL — [`packages/db/prisma`](../blob/main/packages/db/prisma)
- Security headers + CSP — [`apps/web/next.config.ts`](../blob/main/apps/web/next.config.ts)
- Compliance doc: EAPPS 3.2.2.3.01–14 largely **OK** (14 controls, of which 1 TODO, 1 PARTIAL)

### Open tasks

- [ ] Work through detail checklist #31 (35 security checks from `samples/CDP/checklists/general.xlsx`).
- [ ] Carry out a security assessment/pentest (EAPPS 3.2.2.3.14 = **TODO**, priority HIGH).

---

*Ticket stays open until all tasks are checked off.*
## Status

**Parent control for detail checklists** — delegated to sub-tickets:

| Detail checklist | Sub-ticket | Status |
|-------------------|------------|--------|
| General (35 web app checks) | #31 | **OPEN** — 2 real gaps (password blacklist + expiry), 4 partials |
| Cloud | ~~#32~~ | ✅ Closed (N/A, on-prem) |
| HTML5 | ~~#33~~ | ✅ Closed (100 % OK) |
| Node.js | ~~#34~~ | ✅ Closed (100 % OK) |
| ReactJs | ~~#35~~ | ✅ Closed (100 % OK) |
| Web Application (36 sub-questions) | #25 | **OPEN** — 0 gaps, 7 partials (process documentation) |

### Validation attestation

This ticket can be closed as soon as:

1. #31 is reduced to only ✅/⚪/documented partials
2. #25 is reduced to only ✅/⚪/documented partials

**Current overall progress:** 4 of 6 detail checklists fully completed. The remaining 2 are focused on **narrow, clearly identified gaps**.

Reference: Hartmut/CapaKraken#17