CapaKraken/docs/acn-security-compliance-status.md
Hartmut cd0c2fe3e2 feat: close 4 more security compliance gaps (46/63 OK, 73%)
Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)

Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure

Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions

Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)

Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations

Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 15:43:44 +01:00

# CapaKraken — Accenture Application Security Standard V7.30

Complete Compliance Status Report

As of: 2026-03-27 | Standard: V 7.30 (13.02.2026)

## Summary

| Status | Count | Percent |
|---|---|---|
| OK (compliant) | 46 | 73% |
| PARTIAL (partially compliant) | 5 | 8% |
| TODO (open) | 8 | 13% |
| N/A (not applicable) | 4 | 6% |
| Total | 63 | |

## 3.1 Governance (2 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.1.1.01 | App registered in AIR | TODO | Not yet registered; requires the Accenture AIR portal |
| 3.1.1.02 | Components trackable | OK | Git-based monorepo, all packages versioned |

## 3.2.1 Application Architecture (4 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.1.01 | Security architecture document | OK | docs/security-architecture.md (11 sections) |
| 3.2.1.02 | Firewall/segregation | OK | PostgreSQL internal only, nginx reverse proxy |
| 3.2.1.03 | No direct DB access from the internet | OK | PostgreSQL reachable only via the Docker network (port 5433 locally) |
| 3.2.1.04 | Proactive monitoring | OK | Health endpoints + /api/cron/health-check (DB + Redis check with ADMIN alert on failure) |

## 3.2.2.1 Identity and Access Management (5 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.1.01 | Identification & authentication standard | OK | Auth.js v5 + Argon2 hashing + TOTP MFA |
| 3.2.2.1.02 | OAuth 2.0 for APIs | N/A | Internal app, no public API; tRPC with server-side sessions |
| 3.2.2.1.03 | Token validity periods | OK | Session maxAge=8h, updateAge=30min (idle) |
| 3.2.2.1.04 | Immutable claims | OK | Server-side sessions, no client-side JWT |
| 3.2.2.1.05 | ADAL to MSAL migration | N/A | No Microsoft auth library in use |

## 3.2.2.2 Multi-Factor Authentication (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.2.01 | MFA implemented | OK | TOTP via otpauth, QR code setup, sign-in integration |

## 3.2.2.3 Input & Output Validation (14 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.3.01 | Input validation controls | OK | Zod schemas on all tRPC procedures |
| 3.2.2.3.02 | Password fields masked | OK | type="password" throughout |
| 3.2.2.3.03 | Length validation | OK | Zod .min() / .max() on relevant fields |
| 3.2.2.3.04 | Numeric range validation | OK | Zod .min() / .max() on number fields |
| 3.2.2.3.05 | Reject malicious characters | OK | DOMPurify on user text, Zod type validation |
| 3.2.2.3.06 | Parameterized SQL | OK | Prisma ORM; all queries parameterized |
| 3.2.2.3.07 | Admin dashboard input exception | OK | Admin procedures behind adminProcedure RBAC |
| 3.2.2.3.08 | App behind company firewall | PARTIAL | nginx reverse proxy, no VPN-only access |
| 3.2.2.3.09 | ESO/MFA integrated | OK | TOTP MFA implemented (no ESO, but own MFA) |
| 3.2.2.3.10 | Internal company use only | OK | Only internal users with accounts |
| 3.2.2.3.11 | Admin access restricted | OK | RBAC: adminProcedure, separate admin pages |
| 3.2.2.3.12 | Logging of unauthorized access | OK | Failed-auth logging via Pino + audit entries |
| 3.2.2.3.13 | HTTP security headers | OK | HSTS, CSP, X-Frame-Options, X-Content-Type-Options |
| 3.2.2.3.14 | Predefined assessments | TODO | No formal security assessment performed |

## 3.2.2.4 Session Management (5 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.4.01 | Unpredictable session IDs + timeout | OK | Auth.js cryptographic sessions, 8h/30min timeouts |
| 3.2.2.4.02 | Concurrent sessions limited | OK | Max 3 per user, oldest is evicted |
| 3.2.2.4.03 | Session management best practices | OK | HttpOnly, Secure, SameSite=Strict cookies |
| 3.2.2.4.04 | Only server-issued session IDs | OK | Auth.js server-side sessions |
| 3.2.2.4.05 | Idle timeout configurable (SaaS) | OK | SystemSettings: sessionIdleTimeout (default 30min) |

## 3.2.2.5 Insecure File Upload (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.5.01 | Secure file upload validation | OK | Magic bytes check (PNG/JPEG/WebP/GIF/BMP/TIFF), size limit |
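
As an added example (not CapaKraken's own upload code), a content-sniffing validator for the six formats this control lists, with a size limit and a check that the declared MIME type agrees with the sniffed content; the function names, the size limit and the sample inputs are assumptions.

```typescript
// Added example, not CapaKraken code: content sniffing for the six image formats
// named in control 3.2.2.5.01 plus a size limit. detectImageType, validateUpload
// and MAX_UPLOAD_BYTES are assumed names; the sample inputs are constructed.

type ImageType = "png" | "jpeg" | "webp" | "gif" | "bmp" | "tiff";
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // constructed limit (5 MiB)

// MIME types a client may declare, mapped to the sniffed type they must match.
const DECLARED_MIME: Record<string, ImageType> = {
  "image/png": "png", "image/jpeg": "jpeg", "image/jpg": "jpeg", "image/webp": "webp",
  "image/gif": "gif", "image/bmp": "bmp", "image/tiff": "tiff",
};

function bytesAt(buf: Uint8Array, offset: number, sig: number[]): boolean {
  if (buf.length < offset + sig.length) return false;
  return sig.every((b, i) => buf[offset + i] === b);
}

// Identify the format from leading bytes only; the client-supplied MIME type
// and file extension are never consulted for this decision.
function detectImageType(buf: Uint8Array): ImageType | null {
  if (bytesAt(buf, 0, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "png";
  if (bytesAt(buf, 0, [0xff, 0xd8, 0xff])) return "jpeg";
  // WebP is a RIFF container: "RIFF" at 0, 4-byte size, then "WEBP" at offset 8.
  if (bytesAt(buf, 0, [0x52, 0x49, 0x46, 0x46]) && bytesAt(buf, 8, [0x57, 0x45, 0x42, 0x50])) return "webp";
  if (bytesAt(buf, 0, [0x47, 0x49, 0x46, 0x38]) && (buf[4] === 0x37 || buf[4] === 0x39) && buf[5] === 0x61) return "gif"; // GIF87a/GIF89a
  if (bytesAt(buf, 0, [0x42, 0x4d])) return "bmp";
  // TIFF comes in two byte orders: "II*\0" (little-endian) or "MM\0*" (big-endian).
  if (bytesAt(buf, 0, [0x49, 0x49, 0x2a, 0x00]) || bytesAt(buf, 0, [0x4d, 0x4d, 0x00, 0x2a])) return "tiff";
  return null;
}

interface UploadVerdict { ok: boolean; type: ImageType | null; reason?: string }

// Reject empty or oversized bodies, unrecognised content, and a declared MIME type
// that disagrees with the sniffed content (e.g. an HTML file renamed to .png).
function validateUpload(buf: Uint8Array, declaredMime: string, maxBytes = MAX_UPLOAD_BYTES): UploadVerdict {
  if (buf.length === 0) return { ok: false, type: null, reason: "empty body" };
  if (buf.length > maxBytes) return { ok: false, type: null, reason: "exceeds size limit" };
  const type = detectImageType(buf);
  if (type === null) return { ok: false, type: null, reason: "content is not a supported image" };
  const expected = DECLARED_MIME[declaredMime.toLowerCase()];
  if (expected !== type) return { ok: false, type, reason: `declared ${declaredMime}, content is ${type}` };
  return { ok: true, type };
}

// Constructed samples: a PNG signature + IHDR chunk header, and HTML under an image name.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_HTML = Uint8Array.from("<html><body>not an image</body></html>", (c) => c.charCodeAt(0));
```

Sniffing decides only the container type; a decoder-level check (e.g. re-encoding through an image library) is still the place to catch malformed image data.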

## 3.2.2.6 Error Handling (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.6.01 | No technical error details to users | OK | tRPC error codes, stack traces only in dev, Sentry for prod |

## 3.2.2.7 Security Assessments (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.7.01 | Regular security scans | PARTIAL | Dependabot + npm audit in CI + /api/cron/security-audit (in-app); no SAST/DAST tool |

## 3.2.2.8 Other Controls (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.2.8.01 | Secure development lifecycle | OK | docs/sdlc.md, CI/CD pipeline, PR security checklist |

## 3.2.3 Data Protection (3 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.3.01 | Autocomplete off for passwords | OK | autocomplete="new-password" on all password fields |
| 3.2.3.02 | Source code restricted to the dev team | OK | Gitea with authentication |
| 3.2.3.03 | No prod data in non-prod | OK | Fictional seed data (Marvel characters) |

## 3.2.4 Change Management (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.4.01 | Change management process | OK | Git PRs + CI + activity history audit trail |

## 3.2.5 License Compliance (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.5.01 | License compliance | OK | Open-source licenses (MIT, Apache) via pnpm |

## 3.2.6 Code Signing (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.6.01 | Executable code signing | N/A | Web app, no distributable executables |

## 3.2.7 Logging and Auditing (3 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.2.7.01 | Application event logging | OK | Auth failures, config changes, API errors, high-risk operations, external API calls |
| 3.2.7.02 | Job scheduler monitoring | N/A | No job scheduler (cron endpoints are invoked manually) |
| 3.2.7.03 | Access logs + review | OK | Pino structured logging + activity history admin UI |

## 3.3.1.1 Web Authentication (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.1.01 | Web authentication standard | OK | Auth.js + Argon2 + TOTP MFA |

## 3.3.1.2 Web Input Validation (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.2.01 | Free of XSS/injection | OK | DOMPurify + Zod + Prisma (no raw SQL/HTML) |

## 3.3.1.3 HTTP Response Headers (5 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.3.01 | Security headers defined | OK | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| 3.3.1.3.02 | CORS headers | OK | Next.js default CORS (same-origin) |
| 3.3.1.3.03 | Error-page headers | OK | Cache-Control: no-store on all routes (auth, API, catch-all) via next.config.ts |
| 3.3.1.3.04 | Remove Server header | TODO | nginx still exposes the server version (requires server access) |
| 3.3.1.3.05 | Remove X-Powered-By | OK | Removed automatically by Next.js |
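
As an added example (not CapaKraken code), a header audit that checks a response against the controls in this table and runs over constructed sample responses for the auth, API and catch-all route classes the evidence column names; the function names and the /auth/signin and /no-such-page paths are assumptions.

```typescript
// Added example, not CapaKraken code: checks one response's headers against the
// controls in this table (3.3.1.3.01 security headers, 3.3.1.3.03 Cache-Control
// no-store, 3.3.1.3.04 Server, 3.3.1.3.05 X-Powered-By). Names and samples are constructed.
type Finding = { control: string; header: string; problem: string };

// Header names control 3.3.1.3.01 lists; only presence is judged here, not values.
const REQUIRED_HEADERS = [
  "strict-transport-security", "content-security-policy", "x-frame-options",
  "x-content-type-options", "referrer-policy", "permissions-policy",
];

function auditResponseHeaders(headers: Record<string, string>): Finding[] {
  // Header names are case-insensitive, so normalise before any lookup.
  const h = new Map(Object.entries(headers).map(([k, v]): [string, string] => [k.toLowerCase(), v]));
  const findings: Finding[] = [];
  for (const name of REQUIRED_HEADERS) {
    if (!h.has(name)) findings.push({ control: "3.3.1.3.01", header: name, problem: "missing" });
  }
  // Parse Cache-Control into directives: "no-cache" or "private" alone is not "no-store".
  const directives = (h.get("cache-control") ?? "").toLowerCase().split(",").map((d) => d.trim());
  if (!directives.includes("no-store")) {
    findings.push({ control: "3.3.1.3.03", header: "cache-control", problem: "no-store directive absent" });
  }
  // A "product/version" Server value is the open 3.3.1.3.04 gap; a bare product name passes.
  const server = h.get("server");
  if (server && server.includes("/")) {
    findings.push({ control: "3.3.1.3.04", header: "server", problem: `exposes version: ${server}` });
  }
  if (h.has("x-powered-by")) findings.push({ control: "3.3.1.3.05", header: "x-powered-by", problem: "present" });
  return findings;
}

// Audit every route class the control names (auth, API, catch-all) and report only failures.
function auditRoutes(responses: Record<string, Record<string, string>>): Record<string, Finding[]> {
  const report: Record<string, Finding[]> = {};
  for (const [route, headers] of Object.entries(responses)) {
    const findings = auditResponseHeaders(headers);
    if (findings.length > 0) report[route] = findings;
  }
  return report;
}

// Constructed sample responses: a hardened page, and a catch-all 404 that still
// leaks Server/X-Powered-By and allows caching. /auth/signin and /no-such-page are made up.
const HARDENED: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains", "Content-Security-Policy": "default-src 'self'",
  "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()", "Cache-Control": "private, no-store",
};
const WEAK: Record<string, string> = { ...HARDENED, "Cache-Control": "no-cache", "Server": "nginx/1.24.0", "X-Powered-By": "Next.js" };
const SAMPLE_RESPONSES = { "/auth/signin": HARDENED, "/api/cron/health-check": HARDENED, "/no-such-page": WEAK };
```

To check the deployed app, pass the headers of real responses (for instance copied from `fetch(...).headers`) for one route per class, including a deliberately unknown path so the catch-all 404 is covered.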

## 3.3.1.4 Web Server Hardening (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.4.01 | Server hardening | OK | Next.js standalone + nginx hardening template (docs/nginx-hardening.conf: rate limits, SSL, header stripping) |

## 3.3.1.5 HTTP Methods (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.5.01 | Only permitted HTTP methods | OK | tRPC uses only GET/POST; other methods are not exposed |

## 3.3.1.6 Cookies (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.6.01 | Secure cookie attributes | OK | HttpOnly, Secure (prod), SameSite=Strict |

## 3.3.1.7 Browser Cache Protection (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.7.01 | Sensitive pages not cached | OK | Auth pages: Cache-Control: no-store |

## 3.3.1.8 Sensitive Information Protection (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.8.01 | Protect sensitive data | OK | API keys/passwords never sent to the client, audit log sanitized |

## 3.3.1.9 Common Exploits Protection (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.9.01 | CSRF/clickjacking/etc. protection | OK | SameSite=Strict, X-Frame-Options: DENY, CSRF token (Auth.js) |

## 3.3.1.10 Web Error Handling (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.10.01 | Custom error pages | OK | Next.js global-error.tsx + tRPC error codes |

## 3.3.1.11 SOAP Security (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.11.01 | SOAP security | N/A | No SOAP; only tRPC/REST |

## 3.3.1.12 API Management (2 Controls)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.1.12.01 | API security controls | OK | Auth on all endpoints, Zod validation, rate limiting |
| 3.3.1.12.02 | API rate limiting | OK | 100/15min general, 5/15min auth |

## 3.3.3 Databases (1 Control)

| EAPPS # | Control | Status | Evidence/Gap |
|---|---|---|---|
| 3.3.3.01 | DB security guidelines | OK | Documented in docs/security-architecture.md section 12: auth, network isolation, SSL/audit/pg_hba recommendations |

## Open Items: Who/What/When

| # | Control | Status | Owner | Effort | Priority |
|---|---|---|---|---|---|
| 1 | AIR registration | TODO | Project lead | 2h | HIGH |
| 2 | Security assessment/pentest | TODO | Security team | 3-5 days | HIGH |
| 3 | SAST/DAST tool (SonarQube/Snyk) | TODO | DevOps | 2-3 days | HIGH |
| 4 | Remove nginx Server header | TODO | Ops/Infra | 15min | MEDIUM |
| 5 | External uptime monitoring | OK | DevOps | DONE: /api/cron/health-check | |
| 6 | Complete nginx hardening | OK | Ops/Infra | DONE: docs/nginx-hardening.conf template | |
| 7 | DB-level audit logging | OK | DBA/DevOps | DONE: documented in security-architecture.md section 12 | |
| 8 | Error-page headers (3xx/4xx/5xx) | OK | Developers | DONE: next.config.ts Cache-Control on all routes | |