feat(bmm): add security audit workflow with OWASP Top 10

- Add workflow.yaml for comprehensive security auditing
- Add instructions.md with step-by-step audit process
- Add owasp-checklist.md covering all OWASP Top 10 categories
- Add security-report.template.md for consistent reporting
Ibrahim Elsahafy 2025-12-31 21:07:15 +04:00
parent 2a746a6fc4
commit 4284f80a9a
4 changed files with 718 additions and 0 deletions


@ -0,0 +1,269 @@
# Security Audit Workflow Instructions
## Overview
Conduct a comprehensive security audit of the codebase covering OWASP Top 10 vulnerabilities, dependency security, secret detection, and authentication/authorization patterns.
## Workflow Steps
### Step 1: Scope Determination
**Ask user for audit scope:**
```
Security Audit Scope Selection
Available scopes:
1. [full] Complete security audit (recommended)
2. [owasp] OWASP Top 10 vulnerability focus
3. [deps] Dependency vulnerabilities only
4. [secrets] Secret detection only
5. [auth] Authentication/authorization review
6. [api] API security assessment
Select scope [1-6] or enter scope name:
```
### Step 2: Context Loading
**Load project context:**
1. Load architecture document for understanding system design
2. Load project-context.md for coding standards and patterns
3. Identify technology stack (framework, language, dependencies)
4. Note any existing security configurations
### Step 3: OWASP Top 10 Assessment
**For each vulnerability category:**
#### A01:2021 - Broken Access Control
- [ ] Check for missing access controls on functions
- [ ] Review CORS configuration
- [ ] Verify principle of least privilege
- [ ] Check for insecure direct object references (IDOR)
- [ ] Review JWT/session validation
#### A02:2021 - Cryptographic Failures
- [ ] Check for hardcoded secrets
- [ ] Verify HTTPS enforcement
- [ ] Review encryption algorithms used
- [ ] Check password hashing (bcrypt, argon2)
- [ ] Verify secure random number generation
#### A03:2021 - Injection
- [ ] SQL injection in database queries
- [ ] NoSQL injection patterns
- [ ] Command injection in system calls
- [ ] LDAP injection
- [ ] XPath injection
#### A04:2021 - Insecure Design
- [ ] Review authentication flows
- [ ] Check for business logic flaws
- [ ] Verify rate limiting implementation
- [ ] Review error handling patterns
#### A05:2021 - Security Misconfiguration
- [ ] Default credentials check
- [ ] Unnecessary features enabled
- [ ] Error messages exposing info
- [ ] Security headers missing
- [ ] Debug mode in production
#### A06:2021 - Vulnerable Components
- [ ] Outdated dependencies
- [ ] Known CVEs in dependencies
- [ ] Unmaintained packages
- [ ] License compliance issues
#### A07:2021 - Authentication Failures
- [ ] Weak password policies
- [ ] Missing brute-force protection
- [ ] Session management issues
- [ ] Multi-factor authentication gaps
#### A08:2021 - Software Integrity Failures
- [ ] CI/CD pipeline security
- [ ] Unsigned code/packages
- [ ] Insecure deserialization
- [ ] Missing integrity checks
#### A09:2021 - Logging & Monitoring Failures
- [ ] Insufficient logging
- [ ] Missing audit trails
- [ ] No alerting mechanisms
- [ ] Log injection vulnerabilities
#### A10:2021 - Server-Side Request Forgery
- [ ] Unvalidated URL parameters
- [ ] Internal service exposure
- [ ] DNS rebinding risks
### Step 4: Dependency Vulnerability Scan
**Scan dependencies for known vulnerabilities:**
```bash
# Node.js
npm audit
npx better-npm-audit audit
# Python
pip-audit
safety check
# Go
govulncheck ./...
# General
trivy fs .
grype .
```
**Document findings:**
- CVE identifier
- Severity (Critical/High/Medium/Low)
- Affected package and version
- Fix version available
- Remediation path
### Step 5: Secret Detection
**Scan for exposed secrets:**
Patterns to detect:
- API keys (AWS, GCP, Azure, etc.)
- Database connection strings
- Private keys (RSA, SSH)
- OAuth tokens
- JWT secrets
- Password literals
- Environment variable leaks
**Tools:**
```bash
# Gitleaks
gitleaks detect --source . --verbose
# TruffleHog
trufflehog filesystem .
# detect-secrets
detect-secrets scan
```
**Check locations:**
- Source code files
- Configuration files
- Environment files (.env, .env.*)
- Docker files
- CI/CD configurations
- Git history
### Step 6: Authentication/Authorization Review
**Authentication checks:**
- Password storage mechanism
- Session management
- Token handling (JWT, OAuth)
- MFA implementation
- Password reset flow
- Account lockout policy
**Authorization checks:**
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- API endpoint protection
- Resource-level permissions
- Admin panel security
### Step 7: API Security Assessment
**Review API endpoints for:**
- Authentication requirements
- Rate limiting
- Input validation
- Output encoding
- CORS configuration
- API versioning
- Documentation exposure
**Check for:**
- Mass assignment vulnerabilities
- Excessive data exposure
- Broken function level authorization
- Improper inventory management
### Step 8: Generate Report
**Create security audit report with:**
```markdown
# Security Audit Report
**Date:** {date}
**Scope:** {audit_scope}
**Auditor:** {user_name} + TEA Agent
## Executive Summary
{brief_overview_of_findings}
## Risk Summary
| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |
## Findings
### Critical Findings
{detailed_critical_issues}
### High Severity Findings
{detailed_high_issues}
### Medium Severity Findings
{detailed_medium_issues}
### Low Severity Findings
{detailed_low_issues}
## Recommendations
{prioritized_remediation_steps}
## Appendix
- Full OWASP checklist results
- Dependency scan output
- Secret detection results
```
### Step 9: Remediation Guidance
**For each finding, provide:**
1. Clear description of the vulnerability
2. Location in codebase (file:line)
3. Risk assessment (likelihood + impact)
4. Remediation steps
5. Code example of fix (where applicable)
6. References (CWE, OWASP, CVE)
### Step 10: Validation Checklist
Before completing audit:
- [ ] All scope items assessed
- [ ] Findings documented with evidence
- [ ] Severity ratings justified
- [ ] Remediation steps actionable
- [ ] Report saved to output location
- [ ] No false positives in critical findings
## Output
Save report to: `{output_file}`
Notify user of completion with:
- Summary of findings
- Link to full report
- Top 3 priority items to address
- Offer to help with remediation
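Review bot: Step 8 embeds its own copy of the report layout (from `# Security Audit Report` down to `{prioritized_remediation_steps}`) using single-brace placeholders, while workflow.yaml already points `report_template` at security-report.template.md, which uses `{{double_brace}}` placeholders and carries extra sections (Technology Stack, Dependency Vulnerabilities, Secret Detection Results, OWASP Coverage); the two copies will drift, so Step 8 should instruct "render {report_template}" and drop the inline layout. In Step 5, the check locations include `- Git history`, but of the three commands shown only `gitleaks detect --source . --verbose` walks commit history by default; `trufflehog filesystem .` and `detect-secrets scan` only see the working tree, so either add a history-aware invocation such as `trufflehog git file://.` or state that the history item is covered by gitleaks alone. It is also worth stating in this step that a secret confirmed in history is treated as compromised and rotated, since removing it from HEAD does not remove it from the repository.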


@ -0,0 +1,215 @@
# OWASP Top 10 (2021) Security Checklist
## A01:2021 - Broken Access Control
### Access Control Checks
- [ ] All endpoints require authentication unless explicitly public
- [ ] Authorization checked on every request (not just UI)
- [ ] Deny by default policy implemented
- [ ] CORS properly configured with allowlisted origins
- [ ] Directory listing disabled on web servers
- [ ] Metadata files (.git, .svn) not accessible
- [ ] Rate limiting implemented on sensitive endpoints
### IDOR Prevention
- [ ] Object references are indirect or validated
- [ ] User can only access their own resources
- [ ] Admin functions properly protected
- [ ] API endpoints validate ownership
### Session Security
- [ ] Session invalidated on logout
- [ ] Session timeout implemented
- [ ] Session fixation prevented
- [ ] Concurrent session limits (if required)
---
## A02:2021 - Cryptographic Failures
### Data Protection
- [ ] Sensitive data identified and classified
- [ ] Data encrypted at rest
- [ ] Data encrypted in transit (TLS 1.2+)
- [ ] No sensitive data in URLs
- [ ] Secure cookies (HttpOnly, Secure, SameSite)
### Password Security
- [ ] Passwords hashed with bcrypt/argon2/scrypt
- [ ] No MD5/SHA1 for passwords
- [ ] Salt unique per password
- [ ] Work factor appropriate (>=10 for bcrypt)
### Key Management
- [ ] No hardcoded secrets in code
- [ ] Secrets in environment variables or vault
- [ ] Encryption keys rotated periodically
- [ ] Secure random number generation
---
## A03:2021 - Injection
### SQL Injection
- [ ] Parameterized queries used everywhere
- [ ] ORM/query builder used correctly
- [ ] No string concatenation in queries
- [ ] Input validation on all user data
### NoSQL Injection
- [ ] MongoDB queries use proper operators
- [ ] No eval() on user input
- [ ] Input sanitized for NoSQL patterns
### Command Injection
- [ ] No shell commands with user input
- [ ] If needed, strict allowlist validation
- [ ] Escape special characters
### XSS Prevention
- [ ] Output encoding on all user data
- [ ] Content-Security-Policy header set
- [ ] Dangerous HTML stripped or sanitized
- [ ] Template engines auto-escape
---
## A04:2021 - Insecure Design
### Threat Modeling
- [ ] Security requirements documented
- [ ] Threat model exists for critical flows
- [ ] Security user stories in backlog
### Business Logic
- [ ] Rate limiting on business operations
- [ ] Transaction limits enforced server-side
- [ ] Workflow state validated
### Error Handling
- [ ] Generic error messages to users
- [ ] Detailed errors only in logs
- [ ] No stack traces in production
---
## A05:2021 - Security Misconfiguration
### Server Configuration
- [ ] Unnecessary features disabled
- [ ] Default accounts removed/changed
- [ ] Directory browsing disabled
- [ ] Error pages customized
### Security Headers
- [ ] Content-Security-Policy
- [ ] X-Content-Type-Options: nosniff
- [ ] X-Frame-Options or CSP frame-ancestors
- [ ] Strict-Transport-Security
- [ ] X-XSS-Protection (legacy browsers)
- [ ] Referrer-Policy
### Cloud/Container Security
- [ ] Least privilege IAM roles
- [ ] Security groups properly configured
- [ ] Container images scanned
- [ ] No root processes in containers
---
## A06:2021 - Vulnerable Components
### Dependency Management
- [ ] Dependencies up to date
- [ ] No known CVEs in dependencies
- [ ] Automated vulnerability scanning
- [ ] Lock files committed (package-lock, yarn.lock)
### Update Process
- [ ] Regular dependency updates scheduled
- [ ] Security updates prioritized
- [ ] Breaking changes tested before deploy
---
## A07:2021 - Authentication Failures
### Password Policies
- [ ] Minimum length >= 8 characters
- [ ] No common password check
- [ ] Breach database check (optional)
- [ ] Account lockout after failures
### Multi-Factor Authentication
- [ ] MFA available for sensitive accounts
- [ ] MFA recovery process secure
- [ ] TOTP/WebAuthn preferred over SMS
### Session Management
- [ ] Strong session IDs (>=128 bits)
- [ ] Session regeneration on privilege change
- [ ] Secure session storage
---
## A08:2021 - Software Integrity Failures
### CI/CD Security
- [ ] Build pipeline secured
- [ ] Dependency sources verified
- [ ] Signed commits (optional)
- [ ] Artifact integrity verified
### Deserialization
- [ ] No unsafe deserialization of user data
- [ ] Type checking before deserialization
- [ ] Integrity checks on serialized data
---
## A09:2021 - Logging & Monitoring Failures
### Logging
- [ ] Authentication events logged
- [ ] Access control failures logged
- [ ] Input validation failures logged
- [ ] Sensitive data NOT logged
### Monitoring
- [ ] Alerts for suspicious activity
- [ ] Log aggregation implemented
- [ ] Incident response plan exists
---
## A10:2021 - Server-Side Request Forgery
### URL Validation
- [ ] User-supplied URLs validated
- [ ] Allowlist of permitted domains
- [ ] No access to internal services
- [ ] DNS rebinding prevented
### Network Segmentation
- [ ] Internal services not exposed
- [ ] Firewall rules block unnecessary traffic
---
## Severity Rating Guide
| Severity | CVSS Score | Examples |
|----------|------------|----------|
| Critical | 9.0-10.0 | RCE, Auth bypass, Data breach |
| High | 7.0-8.9 | SQL injection, Privilege escalation |
| Medium | 4.0-6.9 | XSS, CSRF, Info disclosure |
| Low | 0.1-3.9 | Minor info leak, Missing headers |
---
## References
- [OWASP Top 10](https://owasp.org/Top10/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [CWE Top 25](https://cwe.mitre.org/top25/)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
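Review bot: Under A07 Password Policies, `- [ ] No common password check` is phrased as the negative of a control, unlike every other item in the file, so ticking it reads as confirming the absence of the check; reword it to `- [ ] Common passwords rejected (blocklist check)` to match the positive phrasing of `- [ ] Minimum length >= 8 characters`. Under A05 Security Headers, `- [ ] X-XSS-Protection (legacy browsers)` should not be a box an auditor ticks for presence: current OWASP guidance is to omit the header or set it to `0`, because the browser filter it controlled has been removed from modern browsers, so either drop the item or reword it to check that the header is absent or set to `0`. Minor: the A03 section here includes an XSS Prevention block that Step 3 of instructions.md does not list under A03, so the two checklists disagree on what the injection category covers.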


@ -0,0 +1,194 @@
# Security Audit Report
**Project:** {{project_name}}
**Date:** {{date}}
**Scope:** {{audit_scope}}
**Auditor:** {{user_name}} + TEA Agent
---
## Executive Summary
{{executive_summary}}
---
## Risk Summary
| Severity | Count | Status |
|----------|-------|--------|
| Critical | {{critical_count}} | {{critical_status}} |
| High | {{high_count}} | {{high_status}} |
| Medium | {{medium_count}} | {{medium_status}} |
| Low | {{low_count}} | {{low_status}} |
**Overall Risk Level:** {{overall_risk}}
---
## Technology Stack
| Component | Technology | Version |
|-----------|------------|---------|
| Framework | {{framework}} | {{framework_version}} |
| Language | {{language}} | {{language_version}} |
| Database | {{database}} | {{database_version}} |
| Authentication | {{auth_method}} | - |
---
## Critical Findings
{{#each critical_findings}}
### {{this.id}}: {{this.title}}
**Severity:** CRITICAL
**Category:** {{this.category}}
**Location:** `{{this.location}}`
**Description:**
{{this.description}}
**Evidence:**
```
{{this.evidence}}
```
**Impact:**
{{this.impact}}
**Remediation:**
{{this.remediation}}
**References:**
- {{this.references}}
---
{{/each}}
## High Severity Findings
{{#each high_findings}}
### {{this.id}}: {{this.title}}
**Severity:** HIGH
**Category:** {{this.category}}
**Location:** `{{this.location}}`
**Description:**
{{this.description}}
**Remediation:**
{{this.remediation}}
---
{{/each}}
## Medium Severity Findings
{{#each medium_findings}}
### {{this.id}}: {{this.title}}
**Severity:** MEDIUM
**Category:** {{this.category}}
**Location:** `{{this.location}}`
**Description:**
{{this.description}}
**Remediation:**
{{this.remediation}}
---
{{/each}}
## Low Severity Findings
{{#each low_findings}}
### {{this.id}}: {{this.title}}
**Severity:** LOW
**Category:** {{this.category}}
**Description:**
{{this.description}}
**Remediation:**
{{this.remediation}}
---
{{/each}}
## Dependency Vulnerabilities
| Package | Version | CVE | Severity | Fix Version |
|---------|---------|-----|----------|-------------|
{{#each dependency_vulns}}
| {{this.package}} | {{this.version}} | {{this.cve}} | {{this.severity}} | {{this.fix_version}} |
{{/each}}
---
## Secret Detection Results
| Type | File | Line | Status |
|------|------|------|--------|
{{#each secrets_found}}
| {{this.type}} | {{this.file}} | {{this.line}} | {{this.status}} |
{{/each}}
---
## OWASP Coverage
| Category | Status | Findings |
|----------|--------|----------|
| A01 - Broken Access Control | {{a01_status}} | {{a01_count}} |
| A02 - Cryptographic Failures | {{a02_status}} | {{a02_count}} |
| A03 - Injection | {{a03_status}} | {{a03_count}} |
| A04 - Insecure Design | {{a04_status}} | {{a04_count}} |
| A05 - Security Misconfiguration | {{a05_status}} | {{a05_count}} |
| A06 - Vulnerable Components | {{a06_status}} | {{a06_count}} |
| A07 - Authentication Failures | {{a07_status}} | {{a07_count}} |
| A08 - Software Integrity Failures | {{a08_status}} | {{a08_count}} |
| A09 - Logging & Monitoring Failures | {{a09_status}} | {{a09_count}} |
| A10 - SSRF | {{a10_status}} | {{a10_count}} |
---
## Recommendations
### Immediate Actions (Critical/High)
1. {{immediate_action_1}}
2. {{immediate_action_2}}
3. {{immediate_action_3}}
### Short-term Actions (Medium)
1. {{short_term_action_1}}
2. {{short_term_action_2}}
### Long-term Improvements (Low/Hardening)
1. {{long_term_action_1}}
2. {{long_term_action_2}}
---
## Appendix A: Tools Used
- Dependency Scanner: {{dep_scanner}}
- Secret Scanner: {{secret_scanner}}
- Static Analysis: {{static_analysis}}
## Appendix B: Files Reviewed
{{#each files_reviewed}}
- `{{this}}`
{{/each}}
---
**Report Generated:** {{timestamp}}
**Next Audit Recommended:** {{next_audit_date}}
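Review bot: The `## Low Severity Findings` block drops the `**Location:**` line that the Critical, High and Medium blocks carry, and the High, Medium and Low blocks all drop `**References:**`, while Step 9 of instructions.md requires a location (file:line) and references (CWE, OWASP, CVE) for every finding; give all four tiers the same field set, or at least Location and References. Separately, `{{this.evidence}}` is rendered verbatim inside a code fence and the Secret Detection Results table records `{{this.file}} | {{this.line}}`; for hardcoded-secret findings this copies the secret value into a report written under `implementation_artifacts`, so the template should state that evidence is redacted (secret type, file, line and a short fingerprint only), never the secret itself. Minor: `- {{this.references}}` renders as a single bullet, so a list of references needs an `{{#each this.references}}` loop.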


@ -0,0 +1,40 @@
# Security Audit Workflow
name: testarch-security-audit
description: "Comprehensive security audit covering OWASP Top 10, dependency vulnerabilities, secret detection, and authentication/authorization review"
author: "BMAD"
version: "1.0.0"
# Configuration sources
config_source: "{project-root}/_bmad/bmm/config.yaml"
user_name: "{config_source}:user_name"
communication_language: "{config_source}:communication_language"
user_skill_level: "{config_source}:user_skill_level"
document_output_language: "{config_source}:document_output_language"
planning_artifacts: "{config_source}:planning_artifacts"
implementation_artifacts: "{config_source}:implementation_artifacts"
output_folder: "{implementation_artifacts}"
date: system-generated
# Workflow components
installed_path: "{project-root}/_bmad/bmm/workflows/testarch/security-audit"
instructions: "{installed_path}/instructions.md"
checklist: "{installed_path}/owasp-checklist.md"
report_template: "{installed_path}/security-report.template.md"
# Input references
architecture_doc: "{planning_artifacts}/*architecture*.md"
project_context: "**/project-context.md"
# Output
output_file: "{output_folder}/security-audit-report-{date}.md"
# Audit scope options
audit_scopes:
- full # Complete security audit
- owasp # OWASP Top 10 focus
- deps # Dependency vulnerabilities only
- secrets # Secret detection only
- auth # Authentication/authorization only
- api # API security only
standalone: true
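Review bot: `audit_scopes` lists the six scope names with one-line comments, but instructions.md Step 1 hard-codes the same six names in its prompt text and Step 8 hard-codes a report layout that `report_template` already provides, so the values in this file are not the single source of truth; either have the instructions reference `{audit_scopes}` and `{report_template}` or remove the duplicated list here. Also, `output_file: "{output_folder}/security-audit-report-{date}.md"` relies on `date: system-generated` yielding a filename-safe value; state the expected format (for example YYYY-MM-DD) so report names are predictable and sort chronologically. Since the report names the exact file and line of every finding, it is worth confirming that `{implementation_artifacts}` is not a location that is committed or broadly shared before the workflow writes there.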