Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management. - Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management. - Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support. - Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
This commit is contained in:
master
@@ -361,7 +361,61 @@ export const TTFS_FIXTURES = {
|
||||
};
|
||||
```
|
||||
|
||||
## 12) References
|
||||
## 12) Observability
|
||||
|
||||
### 12.1 Grafana Dashboard
|
||||
|
||||
The TTFS observability dashboard provides real-time visibility into signal latency, cache performance, and SLO compliance.
|
||||
|
||||
- **Dashboard file**: `docs/modules/telemetry/operations/dashboards/ttfs-observability.json`
|
||||
- **UID**: `ttfs-overview`
|
||||
|
||||
**Key panels:**
|
||||
- TTFS P50/P95/P99 by Surface (timeseries)
|
||||
- Cache Hit Rate (stat)
|
||||
- SLO Breaches (stat with threshold coloring)
|
||||
- Signal Source Distribution (piechart)
|
||||
- Signals by Kind (stacked timeseries)
|
||||
- Error Rate (timeseries)
|
||||
- TTFS Latency Heatmap
|
||||
- Top Failure Signatures (table)
|
||||
|
||||
### 12.2 Alert Rules
|
||||
|
||||
TTFS alerts are defined in `docs/modules/telemetry/operations/alerts/ttfs-alerts.yaml`.
|
||||
|
||||
**Critical alerts:**
|
||||
| Alert | Threshold | For |
|
||||
|-------|-----------|-----|
|
||||
| `TtfsP95High` | P95 > 5s | 5m |
|
||||
| `TtfsSloBreach` | >10 breaches in 5m | 1m |
|
||||
| `FirstSignalEndpointDown` | Orchestrator unavailable | 2m |
|
||||
|
||||
**Warning alerts:**
|
||||
| Alert | Threshold | For |
|
||||
|-------|-----------|-----|
|
||||
| `TtfsCacheHitRateLow` | <70% | 10m |
|
||||
| `TtfsErrorRateHigh` | >1% | 5m |
|
||||
| `FirstSignalEndpointLatencyHigh` | P95 > 500ms | 5m |
|
||||
|
||||
### 12.3 Load Testing
|
||||
|
||||
Load tests validate TTFS performance under realistic conditions.
|
||||
|
||||
- **Test file**: `tests/load/ttfs-load-test.js`
|
||||
- **Framework**: k6
|
||||
|
||||
**Scenarios:**
|
||||
- Sustained: 50 RPS for 5 minutes
|
||||
- Spike: Ramp to 200 RPS
|
||||
- Soak: 25 RPS for 15 minutes
|
||||
|
||||
**Thresholds:**
|
||||
- Cache-hit P95 ≤ 250ms
|
||||
- Cold-path P95 ≤ 500ms
|
||||
- Error rate < 0.1%
|
||||
|
||||
## 13) References
|
||||
|
||||
- Advisory: `docs/product-advisories/14-Dec-2025 - UX and Time-to-Evidence Technical Reference.md`
|
||||
- Sprint 1 (Foundation): `docs/implplan/SPRINT_0338_0001_0001_ttfs_foundation.md`
|
||||
@@ -371,3 +425,6 @@ export const TTFS_FIXTURES = {
|
||||
- TTE Architecture: `docs/modules/telemetry/architecture.md`
|
||||
- Telemetry Schema: `docs/schemas/ttfs-event.schema.json`
|
||||
- Database Schema: `docs/db/schemas/ttfs.sql`
|
||||
- Grafana Dashboard: `docs/modules/telemetry/operations/dashboards/ttfs-observability.json`
|
||||
- Alert Rules: `docs/modules/telemetry/operations/alerts/ttfs-alerts.yaml`
|
||||
- Load Tests: `tests/load/ttfs-load-test.js`
|
||||
|
||||
Reference in New Issue
Block a user