• Joined on 2026-04-12
Hartmut opened issue Hartmut/CapaKraken#45 2026-04-16 22:05:10 +02:00
Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP
Hartmut opened issue Hartmut/CapaKraken#47 2026-04-16 22:05:10 +02:00
Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks
Hartmut opened issue Hartmut/CapaKraken#42 2026-04-16 22:05:09 +02:00
Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production
Hartmut opened issue Hartmut/CapaKraken#41 2026-04-16 22:05:09 +02:00
Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure
Hartmut opened issue Hartmut/CapaKraken#43 2026-04-16 22:05:09 +02:00
Security [HIGH]: MFA TOTP replay-race + missing backup codes
Hartmut opened issue Hartmut/CapaKraken#44 2026-04-16 22:05:09 +02:00
Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access
Hartmut opened issue Hartmut/CapaKraken#39 2026-04-16 22:05:08 +02:00
Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)
Hartmut opened issue Hartmut/CapaKraken#36 2026-04-16 22:05:08 +02:00
Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS
Hartmut opened issue Hartmut/CapaKraken#37 2026-04-16 22:05:08 +02:00
Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible
Hartmut opened issue Hartmut/CapaKraken#38 2026-04-16 22:05:08 +02:00
Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS
Hartmut opened issue Hartmut/CapaKraken#40 2026-04-16 22:05:08 +02:00
Security [HIGH]: Login timing attack enables user-email enumeration
Hartmut commented on issue Hartmut/CapaKraken#1 2026-04-16 10:20:07 +02:00
CDP Compliance Epic — all controls

Progress Update — 2026-04-16

Controls status

Applicable controls (20):

Hartmut commented on issue Hartmut/CapaKraken#24 2026-04-16 10:20:07 +02:00
CDP 35948469: Designate SPOC for Sharing Information (app/AI)

Action Plan

CDP requirement: designate a Single Point of Contact for outbound sharing of project documents/data.

Designation

  • SPOC: h.noerenberg (project owner, repo owner,…
Hartmut commented on issue Hartmut/CapaKraken#28 2026-04-16 10:20:07 +02:00
CDP 35948519: Utilize a Secure DevOps environment supporting code scanning services

Action Plan

CDP requirement: the CI/CD pipeline must run SAST + DAST + SCA and block Critical/High findings.

Status — coverage matrix

Hartmut commented on issue Hartmut/CapaKraken#3 2026-04-16 10:20:06 +02:00
CDP 35948468: Provide Written Notification (app)

Action Plan

CDP requirement: admin role assignments must be formally communicated in writing.

Status

  • Infrastructure in place: packages/api/src/lib/email.ts (nodemailer) —…
Hartmut commented on issue Hartmut/CapaKraken#17 2026-04-16 10:20:06 +02:00
CDP 35948464: General

Status

Parent control for the detailed checklists — delegated to sub-tickets:

Hartmut commented on issue Hartmut/CapaKraken#7 2026-04-16 10:20:06 +02:00
CDP 35948472: Maintain current application inventory (dev)

Action Plan

CDP requirement: register the application inventory in the Accenture system (AIR — Accenture Information Repository).

Status

  • Internal app inventory document: `docs/acn-sta…
Hartmut commented on issue Hartmut/CapaKraken#10 2026-04-16 10:20:06 +02:00
CDP 35948471: Deliver project specific CDP training (app/AI)

Action Plan

CDP requirement: all team members must complete CDP training within 30 days of onboarding.

Status

  • Team: currently a one-person team (h.noerenberg) — no…
Hartmut commented on issue Hartmut/CapaKraken#6 2026-04-16 10:20:06 +02:00
CDP 35948473: Implement Patching Process (app/AI)

Action Plan

CDP requirement: document and enforce a patching schedule, with client sign-off (here: internal).

Status

  • Dependency audit runs nightly: `.github/workflows/nightly…
Hartmut commented on issue Hartmut/CapaKraken#31 2026-04-16 10:20:05 +02:00
CDP 35948520 / General checklist: 35 Web App Security Checks

Correction after code review

Two checks marked 🔴 are in fact already implemented and have been corrected to:

  1. Account lockout: apps/web/src/server/auth.ts:52-68