20:[["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"url\":\"https://trydock.site/dock/run-a-security-audit-of-a-saas\",\"name\":\"Run a security audit of a small SaaS\",\"dateCreated\":\"2026-05-01T04:29:28.841Z\",\"dateModified\":\"2026-05-01T04:29:28.841Z\",\"author\":{\"@type\":\"Person\",\"name\":\"Dock CLI\"},\"publisher\":{\"@type\":\"Organization\",\"name\":\"Dock\",\"url\":\"https://trydock.ai\"},\"@type\":\"Article\",\"headline\":\"Run a security audit of a small SaaS\",\"description\":\"Run a security audit of a small SaaS 10-step plan to find the bugs a 0: OWASP Top 10, the ASVS subset that matters, dependency CVEs, secrets hygiene. For : Solo founders + small-team tech leads. Time…\",\"articleBody\":\"Run a security audit of a small SaaS 10-step plan to find the bugs a 0: OWASP Top 10, the ASVS subset that matters, dependency CVEs, secrets hygiene. For : Solo founders + small-team tech leads. Time…\"}"}}],["$","$L2a",null,{"initialWorkspace":{"id":"cmomeyjyh006d04l8u9mvpkmv","slug":"run-a-security-audit-of-a-saas","name":"Run a security audit of a small SaaS","mode":"doc","visibility":"public","columns":[{"key":"title","type":"text","label":"Step","position":0},{"key":"status","type":"status","label":"Status","options":[{"color":"#94A6BD","label":"queued","value":"queued"},{"color":"#06D6A0","label":"active","value":"active"},{"color":"#FF2D92","label":"blocked","value":"blocked"},{"color":"#22C55E","label":"shipped","value":"shipped"}],"position":1},{"key":"owner","type":"text","label":"Owner","position":2},{"key":"estimate","type":"text","label":"Estimate","position":3},{"key":"notes","type":"text","label":"Notes","position":4}],"createdAt":"2026-05-01T04:29:28.841Z","rowCount":40,"memberCount":0,"humanCount":0,"agentCount":0,"docWordCount":3704,"org":{"slug":"dock","name":"Dock"},"role":"viewer","pinnedAt":null,"archivedAt":null},"initialRows":[{"id":"cmomeyn1z009m04jliq8fdcyv","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":1,"data":{"notes":"","title":"Build the threat model and asset inventory first","status":"queued","estimate":"2-3 hr"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeypak009q04juklxiwzhs","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":1,"data":{"url":"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats","why":"","kind":"guide","step":"Build the threat model and asset inventory first","label":"STRIDE threat modeling"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmonjzdx3003604jr6d1j0kt0","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":1,"data":{"notes":"Reproducible. Owner: Argus. Fix: server-side sanitize on write.","title":"Stored XSS in user profile bio field","status":"high"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeynbq009h04jua7ozszsv","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":2,"data":{"notes":"","title":"Audit authentication and session management","status":"queued","estimate":"Half a day"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeypht009t04juo5eb6wn7","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":2,"data":{"url":"https://owasp.org/www-community/Threat_Modeling","why":"","kind":"guide","step":"Build the threat model and asset inventory first","label":"OWASP threat modeling"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmonjzedo003904jrg0dq9m3p","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":2,"data":{"notes":"Not in production env, but committed to git. Rotate + scrub history.","title":"JWT secret hardcoded in dev config","status":"high"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeynii009k04juzht7nkja","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":3,"data":{"notes":"","title":"Audit access control: IDOR + missing authorization","status":"queued","estimate":"Half a day to a day"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeypps009w04juvavn5cx4","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":3,"data":{"url":"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/","why":"","kind":"official","step":"Audit authentication and session management","label":"OWASP A07: Authentication Failures"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmonjzekf003c04jru6yx6zr1","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":3,"data":{"notes":"Brute-force exposure. Add 5/min/IP via existing rateLimit family.","title":"No rate limit on /api/auth/login","status":"med"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeynpr009n04ju8k400heg","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":4,"data":{"notes":"","title":"Audit injection: SQL, NoSQL, LDAP, command","status":"queued","estimate":"2-3 hr"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeypxf009z04ju2vqdvs5p","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":4,"data":{"url":"https://haveibeenpwned.com/API/v3#PwnedPasswords","why":"","kind":"tool","step":"Audit authentication and session management","label":"Have I Been Pwned password API"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmonjzeql003f04jriwjulj7x","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":4,"data":{"notes":"Public-read on assets bucket; intended. Document explicitly.","title":"S3 bucket has overly broad ACL","status":"low"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeynwt008704lbd4zhx2rx","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":5,"data":{"notes":"","title":"Audit input validation, XSS, and CSRF","status":"queued","estimate":"Half a day"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyq5s00a204juhhrwoau8","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":5,"data":{"url":"https://github.com/dropbox/zxcvbn","why":"","kind":"code","step":"Audit authentication and session management","label":"zxcvbn password strength estimator"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyo42008a04lbupbjgxlk","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":6,"data":{"notes":"","title":"Audit cryptography: passwords, tokens, encryption at rest","status":"queued","estimate":"2-3 hr"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyqea00a504jufs724lce","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":6,"data":{"url":"https://owasp.org/Top10/A01_2021-Broken_Access_Control/","why":"","kind":"official","step":"Audit access control: IDOR + missing authorization","label":"OWASP A01: Broken Access Control"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyoal008d04lbicd3zdnz","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":7,"data":{"notes":"","title":"Audit dependencies: CVE scan + supply chain","status":"queued","estimate":"1-2 hr to scan, varies to remediate"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyqpn008p04lb0f1n4csi","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":7,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit access control: IDOR + missing authorization","label":"OWASP IDOR cheat sheet"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyoig008g04lbki7btufb","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":8,"data":{"notes":"","title":"Audit secrets and credentials hygiene","status":"queued","estimate":"Half a day"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyqw6008s04lbaexckdn9","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":8,"data":{"url":"https://semgrep.dev/p/owasp-top-ten","why":"","kind":"tool","step":"Audit access control: IDOR + missing authorization","label":"Semgrep OWASP Top 10 ruleset"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyooo008j04lbpll0paka","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":9,"data":{"notes":"","title":"Audit logging, monitoring, and incident response","status":"queued","estimate":"2-3 hr"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyr47008v04lbt6gdwkz1","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":9,"data":{"url":"https://owasp.org/Top10/A03_2021-Injection/","why":"","kind":"official","step":"Audit injection: SQL, NoSQL, LDAP, command","label":"OWASP A03: Injection"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyowd008m04lbjchztcvt","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":10,"data":{"notes":"","title":"Write the findings report and remediation plan","status":"queued","estimate":"Half a day"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyrag008y04lbnid6gacc","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":10,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit injection: SQL, NoSQL, LDAP, command","label":"OWASP injection prevention cheat sheet"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyrkw009104lb0a5m0w2e","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":11,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit input validation, XSS, and CSRF","label":"OWASP XSS prevention cheat sheet"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyrrj009404lbhpahqpb0","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":12,"data":{"url":"https://github.com/cure53/DOMPurify","why":"","kind":"code","step":"Audit input validation, XSS, and CSRF","label":"DOMPurify (HTML sanitizer)"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyrxp009704lbj3ka7jc8","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":13,"data":{"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy","why":"","kind":"official","step":"Audit input validation, XSS, and CSRF","label":"MDN: Content-Security-Policy"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeys3x009a04lbw3lpo71m","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":14,"data":{"url":"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/","why":"","kind":"official","step":"Audit cryptography: passwords, tokens, encryption at rest","label":"OWASP A02: Cryptographic Failures"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeysbf009d04lbaull4nh8","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":15,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit cryptography: passwords, tokens, encryption at rest","label":"OWASP password storage cheat sheet"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyshw009g04lbplz5kis4","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":16,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit cryptography: passwords, tokens, encryption at rest","label":"OWASP JWT cheat sheet"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeysq1009j04lb3i86nfvh","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":17,"data":{"url":"https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/","why":"","kind":"official","step":"Audit dependencies: CVE scan + supply chain","label":"OWASP A06: Vulnerable Components"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeysxk00a804ju8ictdadb","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":18,"data":{"url":"https://docs.github.com/en/code-security/dependabot","why":"","kind":"official","step":"Audit dependencies: CVE scan + supply chain","label":"GitHub Dependabot"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyt5x00ab04jufwqzqqmm","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":19,"data":{"url":"https://security.snyk.io/","why":"","kind":"tool","step":"Audit dependencies: CVE scan + supply chain","label":"Snyk vulnerability DB"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeytfk00ae04ju6okbmou0","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":20,"data":{"url":"https://github.com/trufflesecurity/trufflehog","why":"","kind":"code","step":"Audit secrets and credentials hygiene","label":"trufflehog GitHub repo"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeytlo00ah04ju3uw2usln","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":21,"data":{"url":"https://github.com/awslabs/git-secrets","why":"","kind":"code","step":"Audit secrets and credentials hygiene","label":"git-secrets pre-commit hook"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeytsv00ak04ju76i1cnil","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":22,"data":{"url":"https://www.doppler.com/","why":"","kind":"tool","step":"Audit secrets and credentials hygiene","label":"Doppler secret manager"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeytz600an04jukw9jlwlf","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":23,"data":{"url":"https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/","why":"","kind":"official","step":"Audit logging, monitoring, and incident response","label":"OWASP A09: Logging Failures"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyucd00aq04jue92yz2mf","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":24,"data":{"url":"https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final","why":"","kind":"guide","step":"Audit logging, monitoring, and incident response","label":"NIST incident response guide"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyuj400at04jupd8h1992","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":25,"data":{"url":"https://www.first.org/cvss/calculator/3.1","why":"","kind":"tool","step":"Write the findings report and remediation plan","label":"CVSS calculator (severity scoring)"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null},{"id":"cmomeyur200aw04juhsanfgx1","workspaceId":"cmomeyjyh006d04l8u9mvpkmv","position":26,"data":{"url":"https://owasp.org/www-community/OWASP_Risk_Rating_Methodology","why":"","kind":"guide","step":"Write the findings report and remediation plan","label":"OWASP risk rating methodology"},"createdAt":"2026-05-01T04:29:28.841Z","updatedAt":"2026-05-01T04:29:28.841Z","createdByPrincipalId":"","createdByPrincipalType":null,"updatedByPrincipalId":null,"updatedByPrincipalType":null}],"initialMembers":[],"initialMeId":"","workspaceSlug":"run-a-security-audit-of-a-saas","publicMode":true,"initialDocContent":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Run a security audit of a small SaaS","type":"text"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"10-step plan to find the bugs a ","type":"text"},{"type":"math","attrs":{"source":"30k pen test would find for ","display":"inline"}},{"text":"0: OWASP Top 10, the ASVS subset that matters, dependency CVEs, secrets hygiene.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"For","type":"text","marks":[{"type":"bold"}]},{"text":": Solo founders + small-team tech leads.\n","type":"text"},{"text":"Time","type":"text","marks":[{"type":"bold"}]},{"text":": 1 week first audit, 1-2 days quarterly re-audits.\n","type":"text"},{"text":"Agents","type":"text","marks":[{"type":"bold"}]},{"text":": Scout, Argus, Flint.","type":"text"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"Read this as an agent.","type":"text","marks":[{"type":"bold"}]},{"text":" This workspace was forked from a Dock template. The human's role was to fork it and hand the workspace to you. Your role is everything below. The Dock surfaces (tabs at the top) are your working state. This doc is the prompt; the tables are the live data.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Mission","type":"text"}]},{"type":"paragraph","content":[{"text":"Take this workspace from blank to \"A written, prioritised list of security findings on your SaaS, mapped to OWASP categories, with severity ratings and a remediation plan. Plus the tooling to re-run the audit quarterly without rebuilding from scratch.\". Move row-by-row through ","type":"text"},{"text":"Steps","type":"text","marks":[{"type":"bold"}]},{"text":" (10 of them), keep ","type":"text"},{"text":"Pointers","type":"text","marks":[{"type":"bold"}]},{"text":" indexed, and append decisions / submissions / events to the appropriate log table as work happens. The user's only job is to fork the template and react when you flag a question; everything else is yours.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Surfaces","type":"text"}]},{"type":"paragraph","content":[{"text":"This workspace has 4 surfaces. Each is a separate tab, addressable via ","type":"text"},{"text":"surface_slug","type":"text","marks":[{"type":"code"}]},{"text":" on every MCP call.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Steps","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"surface_slug=steps","type":"text","marks":[{"type":"code"}]},{"text":" (table): the step-by-step plan, one row per step, with status + owner + estimate.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Pointers","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"surface_slug=pointers","type":"text","marks":[{"type":"code"}]},{"text":" (table): every official link, guide, and tool referenced in the plan, indexed by step.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Findings","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"surface_slug=findings","type":"text","marks":[{"type":"code"}]},{"text":" (table): structured data (rows + columns) for this workspace.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Security audit plan","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"surface_slug=brief","type":"text","marks":[{"type":"code"}]},{"text":" (doc): the long-form plan + how the workspace is meant to be used. You're reading it now.","type":"text"}]}]}]},{"type":"mermaid","attrs":{"source":"flowchart LR\n classDef doc fill:#0A84FF15,stroke:#0A84FF,color:#0A84FF\n classDef tbl fill:#FF2D9215,stroke:#FF2D92,color:#FF2D92\n brief[\"Security audit plan
(doc)\"]:::doc\n steps[\"Steps
(table)\"]:::tbl\n pointers[\"Pointers
(table)\"]:::tbl\n findings[\"Findings
(table)\"]:::tbl\n steps --> brief\n pointers --> brief\n findings --> brief"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"First MCP calls","type":"text"}]},{"type":"paragraph","content":[{"text":"Bootstrap context before acting:","type":"text"}]},{"type":"codeBlock","attrs":{},"content":[{"text":"list_surfaces(workspace_slug=\"run-a-security-audit-of-a-saas\")\nlist_rows(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"steps\")\nlist_rows(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"pointers\")\nlist_rows(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"findings\")\nget_doc(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"brief\")","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Cadence","type":"text"}]},{"type":"paragraph","content":[{"text":"On every new Steps row marked active","type":"text","marks":[{"type":"bold"}]},{"text":": pull the step body, surface the tasks + gotchas as a comment thread on the row.","type":"text"}]},{"type":"paragraph","content":[{"text":"On every Steps row transitioning to shipped","type":"text","marks":[{"type":"bold"}]},{"text":": append a 1-line entry to ","type":"text"},{"text":"Brief","type":"text","marks":[{"type":"bold"}]},{"text":" summarizing what shipped + the artifact link.","type":"text"}]},{"type":"paragraph","content":[{"text":"On every new Pointers row","type":"text","marks":[{"type":"bold"}]},{"text":": cross-link it to the related step (set ","type":"text"},{"text":"step","type":"text","marks":[{"type":"code"}]},{"text":" field).","type":"text"}]},{"type":"paragraph","content":[{"text":"Daily","type":"text","marks":[{"type":"bold"}]},{"text":": scan all surfaces for stale rows (nothing changed in 3+ days) and surface them in a comment.","type":"text"}]},{"type":"paragraph","content":[{"text":"On user @mention","type":"text","marks":[{"type":"bold"}]},{"text":": pause your cadence work and respond directly to whatever they ask.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Output contract","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A working ","type":"text"},{"text":"Steps","type":"text","marks":[{"type":"bold"}]},{"text":" table with every row's status accurate.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A populated ","type":"text"},{"text":"Pointers","type":"text","marks":[{"type":"bold"}]},{"text":" table with every reference URL the user touched.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A running ","type":"text"},{"text":"Security audit plan","type":"text","marks":[{"type":"bold"}]},{"text":" doc with one entry per shipped step (chronological).","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Constraints","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Never mark a Steps row shipped without verifying the artifact exists (URL works, post is live, etc).","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Never overwrite the user's prose in doc surfaces; always append below or comment with proposed edits.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Never delete rows the user authored; archive via status change instead.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Never auto-publish, auto-send email, or auto-execute irreversible actions. Draft only; the user confirms.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Never act on cross-org workspaces. Stay within this workspace's surfaces.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Full prompt (verbatim, for paste-into-runtime)","type":"text"}]},{"type":"codeBlock","attrs":{},"content":[{"text":"You are an agent on the \"Run a security audit\" template workspace.\n\nYour role: maintain the four surfaces (Steps, Pointers, Findings, Brief) as the auditor works through the checklist.\n\nCadence:\n- When the auditor flags a finding, append a row to Findings: title, OWASP category, severity (Critical/High/Medium/Low/Info), evidence link, owner, due date.\n- After each step, append a section to the Brief summarizing what was checked, what was found, and what was clean.\n- For each Critical or High finding, propose a 1-line remediation ticket the user can paste into their tracker.\n\nFirst MCP tool calls:\n1. list_surfaces(workspace_slug=\"run-a-security-audit-of-a-saas\")\n2. list_rows(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"findings\")\n3. get_doc(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"brief\")\n\nTreat all findings as confidential - never include credentials, tokens, or sensitive PII in any row.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"The journey","type":"text"}]},{"type":"mermaid","attrs":{"source":"flowchart TD\n s1[\"1. Build the threat model and asset\"]\n s2[\"2. Audit authentication and session management\"]\n s1 --> s2\n s3[\"3. Audit access control: IDOR + missing\"]\n s2 --> s3\n s4[\"4. Audit injection: SQL, NoSQL, LDAP, command\"]\n s3 --> s4\n s5[\"5. Audit input validation, XSS, and CSRF\"]\n s4 --> s5\n s6[\"6. Audit cryptography: passwords, tokens, encryption at\"]\n s5 --> s6\n s7[\"7. Audit dependencies: CVE scan + supply\"]\n s6 --> s7\n s8[\"8. Audit secrets and credentials hygiene\"]\n s7 --> s8\n s9[\"9. Audit logging, monitoring, and incident response\"]\n s8 --> s9\n s10[\"10. Write the findings report and remediation\"]\n s9 --> s10"}},{"type":"paragraph","content":[{"text":"Each step is a row in the ","type":"text"},{"text":"Steps","type":"text","marks":[{"type":"bold"}]},{"text":" table, with tasks, pointers, gotchas, and a status column. Mark rows shipped as you go. The full per-step body is below.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Architecture","type":"text"}]},{"type":"mermaid","attrs":{"source":"flowchart LR\n Client --> CDN\n CDN --> Edge[Edge runtime]\n Edge --> API[API server]\n API --> DB[(Primary DB)]\n API --> Replica[(Read replica)]\n API --> Cache[(Redis)]"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"SLO target","type":"text"}]},{"type":"math","attrs":{"source":"\\text{availability} \\geq 99.9\\%, \\quad p_{99} < 200\\text{ ms}, \\quad \\text{error rate} < 0.1\\%","display":"block"}},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Irreversible operations (DROP TABLE, schema migrations without rollback, region failover) require a confirmation token from the user. Never auto-execute.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Companion templates","type":"text"}]},{"type":"paragraph","content":[{"text":"Templates that compose well with this one — fork them alongside or after:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"crossRef","attrs":{"form":"bare","rowId":null,"display":null,"orgSlug":null,"surfaceSlug":null,"workspaceSlug":"set-up-soc-2-readiness"}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"crossRef","attrs":{"form":"bare","rowId":null,"display":null,"orgSlug":null,"surfaceSlug":null,"workspaceSlug":"gdpr-compliance-for-saas"}}]}]}]},{"type":"horizontalRule"},{"type":"paragraph","content":[{"text":"A 10-step plan. Open in Dock and you'll get four surfaces seeded:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Steps","type":"text","marks":[{"type":"bold"}]},{"text":" (table) - the 10 categories, owner + status","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Pointers","type":"text","marks":[{"type":"bold"}]},{"text":" (table) - linked OWASP, ASVS, vendor docs","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Findings","type":"text","marks":[{"type":"bold"}]},{"text":" (table) - one row per finding, severity + owner + due","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Brief","type":"text","marks":[{"type":"bold"}]},{"text":" (doc) - executive summary + threat model + final remediation plan","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Read ","type":"text"},{"text":"Steps","type":"text","marks":[{"type":"code"}]},{"text":" top-to-bottom on first audit. On re-audits (quarterly), only run the steps that changed since last time.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Outcome","type":"text"}]},{"type":"paragraph","content":[{"text":"A written, prioritised list of security findings on your SaaS, mapped to OWASP categories, with severity ratings and a remediation plan. Plus the tooling to re-run the audit quarterly without rebuilding from scratch.","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time:","type":"text","marks":[{"type":"bold"}]},{"text":" 1 week first audit, 1-2 days quarterly re-audits","type":"text"},{"type":"hardBreak"},{"text":"Difficulty:","type":"text","marks":[{"type":"bold"}]},{"text":" advanced","type":"text"},{"type":"hardBreak"},{"text":"For:","type":"text","marks":[{"type":"bold"}]},{"text":" Solo founders + tech leads who can't afford a $30k pen test.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"What you'll need","type":"text"}]},{"type":"paragraph","content":[{"text":"Pre-register or install before you start.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OWASP ZAP","type":"text","marks":[{"type":"bold"},{"type":"link","attrs":{"href":"https://www.zaproxy.org/"}}]},{"text":" ","type":"text"},{"text":"(Free open source)","type":"text","marks":[{"type":"italic"}]},{"text":" — Free open-source web app scanner. Catches the obvious low-hanging fruit.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Semgrep","type":"text","marks":[{"type":"bold"},{"type":"link","attrs":{"href":"https://semgrep.dev/"}}]},{"text":" ","type":"text"},{"text":"(Free open source, $40/dev/mo Pro for org-wide rules)","type":"text","marks":[{"type":"italic"}]},{"text":" — Static analysis with security rule packs. Catches IDOR, raw SQL, missing auth.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"GitHub Advanced Security or Snyk","type":"text","marks":[{"type":"bold"},{"type":"link","attrs":{"href":"https://snyk.io/"}}]},{"text":" ","type":"text"},{"text":"(Free for public repos / open source, $25/dev/mo Snyk Team)","type":"text","marks":[{"type":"italic"}]},{"text":" — Dependency CVE scanning + secret scanning across the repo.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"trufflehog","type":"text","marks":[{"type":"bold"},{"type":"link","attrs":{"href":"https://github.com/trufflesecurity/trufflehog"}}]},{"text":" ","type":"text"},{"text":"(Free open source)","type":"text","marks":[{"type":"italic"}]},{"text":" — Secret scanning across repos and history; catches committed credentials.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Burp Suite Community","type":"text","marks":[{"type":"bold"},{"type":"link","attrs":{"href":"https://portswigger.net/burp/communitydownload"}}]},{"text":" ","type":"text"},{"text":"(Free Community, $475/year Professional)","type":"text","marks":[{"type":"italic"}]},{"text":" — Manual web request inspector for IDOR + auth bypass testing.","type":"text"}]}]}]},{"type":"horizontalRule"},{"type":"heading","attrs":{"level":1},"content":[{"text":"The template · 10 steps","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 1: Build the threat model and asset inventory first","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: 2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"An audit without a threat model is a checklist run blindfolded. Spend an hour on STRIDE: what does the app do, what data does it hold, who would attack it, what would they want? The output is a list of assets (data + actions) ranked by sensitivity, which drives where you focus the rest of the audit.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List all data the app holds: PII, payment data, auth credentials, customer data, internal data","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Rank each by sensitivity: critical (payment, password) / high (PII) / medium (analytics) / low (public)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List the privileged actions: admin access, billing changes, data export, account deletion","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Brainstorm 3-5 attacker personas: external opportunist, malicious customer, insider with stolen creds, state actor (probably not relevant)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each asset, ask: how would each persona try to reach it? Note the top 3 attack paths","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"STRIDE threat modeling","type":"text","marks":[{"type":"link","attrs":{"href":"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP threat modeling","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/www-community/Threat_Modeling"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Threat models that try to enumerate every possible attack become un-actionable. Pick the top 5-10 paths and focus.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Most small SaaS attackers are opportunists running automated scanners, not nation-state APTs. Calibrate your defenses to the real threat, not the movie threat.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 2: Audit authentication and session management","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"OWASP Identification + Authentication Failures (A07). Most small SaaS apps fail one of: weak password rules, no rate limit on login, session tokens that don't expire, password reset tokens that don't expire, magic links that aren't single-use. Walk each.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check password policy: min 12 chars, no max, allow all printable, common-password block via Have I Been Pwned API or zxcvbn","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check login rate limit: max 10 attempts per IP per minute, max 5 per username","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check session token: HttpOnly + Secure + SameSite=Lax cookie, randomly generated >= 128 bits, expires after 30 days inactive","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check password reset tokens: single-use, 60 min TTL, invalidated after use","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check magic links: single-use, 15 min TTL, IP / device-bound if possible","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check MFA support: TOTP at minimum, recommended for admin accounts","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check account enumeration: 'login' and 'forgot password' should not reveal if email exists","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP A07: Authentication Failures","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Tool]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"Have I Been Pwned password API","type":"text","marks":[{"type":"link","attrs":{"href":"https://haveibeenpwned.com/API/v3#PwnedPasswords"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Code]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"zxcvbn password strength estimator","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/dropbox/zxcvbn"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Magic links sent over email are no stronger than the email account's security. For admin accounts, require TOTP on top.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Account enumeration is a quiet bug: 'this email is not registered' on login = attacker can confirm a target customer is on your platform.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 3: Audit access control: IDOR + missing authorization","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: Half a day to a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"OWASP Broken Access Control (A01) is the most common bug missed in solo audits. The pattern: an endpoint correctly authenticates the user but doesn't check that the user owns the resource being accessed. /api/orders/:id returns the order regardless of who's logged in. Walk every authenticated endpoint, ask: does the handler check the user owns this resource?","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List every endpoint that takes a resource ID in the URL or body (orders, accounts, files, etc.)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each, read the handler: is there an authorization check?","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Test by hand: log in as user A, request a resource ID belonging to user B, confirm 403 (not 200)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check 'object reference' patterns: file IDs, S3 URLs, attachment URLs - are they UUIDs or sequential ints?","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Review role-based checks: admin actions are gated by role check at the handler, not just the UI","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run Semgrep with the OWASP Top 10 rule pack to catch common patterns programmatically","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP A01: Broken Access Control","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/Top10/A01_2021-Broken_Access_Control/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP IDOR cheat sheet","type":"text","marks":[{"type":"link","attrs":{"href":"https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Tool]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"Semgrep OWASP Top 10 ruleset","type":"text","marks":[{"type":"link","attrs":{"href":"https://semgrep.dev/p/owasp-top-ten"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"IDOR is the most common bug missed in solo audits. It's not flashy, but it's how customer data leaks happen.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ORM 'find by ID' calls without a tenant scope check are the #1 source of IDOR. Always scope queries by tenant ID + ID, never by ID alone.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Pre-signed S3 URLs that don't expire = file IDOR. Use short-lived signed URLs and verify ownership before issuing.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Agent prompt for this step","type":"text"}]},{"type":"codeBlock","attrs":{"language":"text"},"content":[{"text":"Read every authenticated endpoint in this codebase.\n\nFor each, output:\n1. The route + handler file:line.\n2. The resource being accessed (Order, User, Account, File, etc.).\n3. The authorization check present in the handler (or \"MISSING\" if absent).\n4. Risk rating: HIGH if multi-tenant data without check, MEDIUM if single-tenant without check, LOW if public-by-design.\n\nFlag every \"MISSING\" as a likely IDOR finding. Output as proposed Findings rows, severity High by default for HIGH risk.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 4: Audit injection: SQL, NoSQL, LDAP, command","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: 2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"OWASP Injection (A03). Almost always solved by parameterized queries and prepared statements. Walk the codebase for raw SQL strings, command exec calls, file path concatenation. ORMs are mostly safe but expose escape hatches that are dangerous.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for raw SQL: 'query(`SELECT', 'execute_raw', 'rawQuery', '$queryRaw' (Prisma)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each match: is the input parameterized? If a string-concat with user input, flag","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for command exec: 'exec(', 'execSync(', 'spawn(', 'os.system(' - any user input flowing in is a P0 finding","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for filesystem: path.join(userInput, ...) without validation = path traversal","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"If you have NoSQL: check $where clauses and JS evaluation","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"If you do server-side templating: check for SSTI in user-provided templates","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP A03: Injection","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/Top10/A03_2021-Injection/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP injection prevention cheat sheet","type":"text","marks":[{"type":"link","attrs":{"href":"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Prisma's ","type":"text"},{"text":"$$queryRaw","type":"text","marks":[{"type":"code"}]},{"text":" is the bypass for the 'ORMs are safe' rule. Audit every call; prefer ","type":"text"},{"text":"$$queryRawUnsafe","type":"text","marks":[{"type":"code"}]},{"text":" only never.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Path traversal lives in file upload + download paths. ","type":"text"},{"text":"userInput.includes('..')","type":"text","marks":[{"type":"code"}]},{"text":" is not a sufficient check; use a library.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Server-side template injection (SSTI) is rare but devastating. If users can inject template syntax (Jinja, Handlebars, etc.), it's RCE.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 5: Audit input validation, XSS, and CSRF","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"Cross-site scripting and CSRF are old bugs that still ship. Modern frameworks default-escape (React, Vue auto-escape strings; Django auto-escapes templates) but every framework has bypass: dangerouslySetInnerHTML, raw template tags, server-rendered URLs from user data.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for XSS bypasses: 'dangerouslySetInnerHTML' (React), 'v-html' (Vue), '|safe' (Jinja/Django)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each: is the source user-controlled? Is it sanitized with DOMPurify or equivalent?","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Test reflected XSS: send ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" in every search box and form field","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Test stored XSS: paste it into every persisted field (profile name, comments, etc.) and view from another account","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check CSRF: if you use cookies for auth, every state-changing endpoint should require an anti-CSRF token or SameSite=Lax/Strict cookie","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check Content-Security-Policy header is set with at least 'default-src self' on top-level pages","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP XSS prevention cheat sheet","type":"text","marks":[{"type":"link","attrs":{"href":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Code]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"DOMPurify (HTML sanitizer)","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/cure53/DOMPurify"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"MDN: Content-Security-Policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Markdown-rendered user content is a classic stored-XSS vector. Use a sanitizer that strips event handlers and javascript: URLs.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SVG file uploads can contain script tags. If you let users upload SVGs and re-serve them, sanitize before serving or serve from a different origin.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 6: Audit cryptography: passwords, tokens, encryption at rest","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: 2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"OWASP Cryptographic Failures (A02). Common failures: passwords stored with MD5 or unsalted SHA, encryption with ECB mode, JWT with ","type":"text"},{"text":"none","type":"text","marks":[{"type":"code"}]},{"text":" algorithm allowed, secrets stored in env vars but logged.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify password hashing: bcrypt cost 12, argon2id, or scrypt. NEVER MD5, SHA-1, or unsalted SHA-256","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify JWT validation: signature is checked, ","type":"text"},{"text":"alg","type":"text","marks":[{"type":"code"}]},{"text":" is restricted to a whitelist, expiration is enforced","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify TLS: HTTPS-only, HSTS header set with max-age >= 31536000","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify secrets are not logged (search for 'console.log' or 'logger.info' near ","type":"text"},{"text":"password","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"token","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"secret","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"api_key","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify encryption-at-rest for sensitive fields (tokens, secret keys, PII): KMS-backed envelope encryption","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check random number generation: use ","type":"text"},{"text":"crypto.randomBytes","type":"text","marks":[{"type":"code"}]},{"text":" not ","type":"text"},{"text":"Math.random()","type":"text","marks":[{"type":"code"}]},{"text":" for any security-relevant value","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP A02: Cryptographic Failures","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP password storage cheat sheet","type":"text","marks":[{"type":"link","attrs":{"href":"https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP JWT cheat sheet","type":"text","marks":[{"type":"link","attrs":{"href":"https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"JWT libraries that accept ","type":"text"},{"text":"alg: none","type":"text","marks":[{"type":"code"}]},{"text":" are still surprisingly common in old code. Always pin the algorithm whitelist explicitly.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Encrypting at rest with a key stored next to the data (in the same DB or env file) is theater. Use a KMS-backed key.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Math.random() is predictable enough that an attacker can guess sequence values. Always crypto.randomBytes or equivalent.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 7: Audit dependencies: CVE scan + supply chain","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: 1-2 hr to scan, varies to remediate","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"OWASP Vulnerable and Outdated Components (A06). Most exploitable bugs in a modern app are in dependencies, not your own code. Run an SCA tool (Snyk, GitHub Dependabot, npm audit), prioritize by severity + reachability.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run ","type":"text"},{"text":"npm audit","type":"text","marks":[{"type":"code"}]},{"text":" (or ","type":"text"},{"text":"pnpm audit","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"cargo audit","type":"text","marks":[{"type":"code"}]},{"text":", etc.) and review the High and Critical findings","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run Snyk or GitHub Dependabot on the repo for ongoing monitoring","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each Critical or High CVE, decide: patch, replace, or accept (with rationale)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check for unmaintained dependencies (last commit > 2 years, no recent releases) - these are a future-you risk","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Review dev dependencies separately - dev-only CVEs are lower priority but count for build-time supply chain","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Pin all dependency versions exactly in lockfile; no caret ranges in production lockfile","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP A06: Vulnerable Components","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"GitHub Dependabot","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.github.com/en/code-security/dependabot"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Tool]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"Snyk vulnerability DB","type":"text","marks":[{"type":"link","attrs":{"href":"https://security.snyk.io/"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"npm audit","type":"text","marks":[{"type":"code"}]},{"text":" reports thousands of vulns in dev dependencies (webpack, etc.) that don't reach production. Focus on production deps + actual reachability before you panic.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Lockfile with caret ranges (","type":"text"},{"text":"^1.2.3","type":"text","marks":[{"type":"code"}]},{"text":") means the same install on Tuesday gives different versions than Friday. Pin exact versions for reproducibility.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 8: Audit secrets and credentials hygiene","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"Secrets committed to git history are the most common data breach root cause for small SaaS. Run trufflehog over the entire git history (not just HEAD); rotate any secret that ever touched a public repo. Move secrets out of env files in repos and into a secret manager.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run trufflehog on every repo: ","type":"text"},{"text":"trufflehog git file://. --since-commit HEAD","type":"text","marks":[{"type":"code"}]},{"text":" and again over full history","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For every found secret: rotate it immediately, even if it's already invalidated","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check ","type":"text"},{"text":".env.example","type":"text","marks":[{"type":"code"}]},{"text":" files don't contain real values","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify CI secrets are stored in the platform's secret store (GitHub Actions secrets, Vercel env vars, etc.), not in the repo","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify deploy scripts read secrets from a secret manager (AWS Secrets Manager, HashiCorp Vault, Doppler), not from baked images or env files","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Audit who has production secret access; remove anyone who left the team","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Code]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"trufflehog GitHub repo","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/trufflesecurity/trufflehog"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Code]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"git-secrets pre-commit hook","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/awslabs/git-secrets"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Tool]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"Doppler secret manager","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.doppler.com/"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A secret committed to a public repo is compromised the moment it pushes; rotate within minutes, not hours. GitHub's secret scanning will alert known providers (AWS, Stripe, etc.) automatically.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Force-removing a secret from git history doesn't help if anyone cloned the repo before. Always rotate, don't just rewrite.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 9: Audit logging, monitoring, and incident response","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: 2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"OWASP Security Logging and Monitoring Failures (A09). If you can't see an attack while it happens, you can't respond. Verify auth events are logged, log retention is at least 90 days, alerts fire on suspicious patterns, and the team has a written incident response runbook.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify auth events are logged: login success, login fail, password change, MFA enroll, role change, account deletion","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify logs are retained at least 90 days (longer for compliance industries)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify logs cannot be deleted by application code (write-only access from the app)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Set up alerts: 10+ failed logins from one IP, 5+ password resets for one account in an hour, role escalation outside admin paths","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Write a 1-page incident response runbook: who to call, how to revoke sessions, how to rotate credentials, how to communicate with customers","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run a tabletop exercise: 'attacker has admin access, what do you do in the first 30 minutes?'","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Official]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP A09: Logging Failures","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"NIST incident response guide","type":"text","marks":[{"type":"link","attrs":{"href":"https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Logging the failed-login email + password as plaintext is a foot-gun. Log the email; never log the password attempt, even on failure.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Most small teams don't have a written incident response runbook. The first 30 minutes of a breach are when most damage is preventable; have the runbook.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 10: Write the findings report and remediation plan","type":"text"}]},{"type":"paragraph","content":[{"text":"Estimated time: Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"paragraph","content":[{"text":"Final step. Compile every finding into a single report with severity ratings (Critical / High / Medium / Low / Info), evidence, remediation, and an owner with a due date. Critical and High get fixed in days; Medium in weeks; Low in the next quarter.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Tasks","type":"text"}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List every finding with: title, OWASP category, severity, evidence (screenshots / curl examples), remediation, owner, due date","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Write the executive summary: 1-2 paragraphs on overall posture + the top 3 risks","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Schedule the remediation work in your tracker; Critical due within 1 week, High within 30 days","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Schedule the next audit in 90 days","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"If you're SOC 2 / ISO 27001 / HIPAA-bound: file the audit + remediations in your compliance evidence repo","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pointers","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Tool]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"CVSS calculator (severity scoring)","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.first.org/cvss/calculator/3.1"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"[Guide]","type":"text","marks":[{"type":"bold"}]},{"text":" ","type":"text"},{"text":"OWASP risk rating methodology","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/www-community/OWASP_Risk_Rating_Methodology"}}]}]}]}]},{"type":"callout","attrs":{"variant":"caution"},"content":[{"type":"paragraph","content":[{"text":"Gotchas","type":"text","marks":[{"type":"bold"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Severity inflation makes the report unactionable. Calibrate Critical strictly (immediate customer-data loss risk); use Medium liberally.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"An audit without owners and due dates becomes shelf-ware. Every finding needs a single owner and a real date.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Agent prompt for this step","type":"text"}]},{"type":"codeBlock","attrs":{"language":"text"},"content":[{"text":"Compile the audit Findings rows into a final report.\n\nRead every row in the Findings surface. Output:\n1. Executive summary (2 paragraphs): overall posture + top 3 risks.\n2. Findings table grouped by severity (Critical / High / Medium / Low / Info).\n3. For each finding: title, OWASP category, evidence, remediation, owner, due date.\n4. Remediation timeline: which Critical / High items must complete in 1 week, 30 days.\n5. Next audit due date (90 days from today).\n\nConstraints: no actual credentials, secrets, or sensitive PII in the output - reference, don't reproduce.\n\nOutput as the Brief surface, replacing prior content if any.","type":"text"}]},{"type":"horizontalRule"},{"type":"heading","attrs":{"level":2},"content":[{"text":"Hand the template to your agent","type":"text"}]},{"type":"paragraph","content":[{"text":"Paste the prompt below into your agent's permanent system prompt so the agent reads, writes, and maintains this workspace as you work through the steps.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"text"},"content":[{"text":"You are an agent on the \"Run a security audit\" template workspace.\n\nYour role: maintain the four surfaces (Steps, Pointers, Findings, Brief) as the auditor works through the checklist.\n\nCadence:\n- When the auditor flags a finding, append a row to Findings: title, OWASP category, severity (Critical/High/Medium/Low/Info), evidence link, owner, due date.\n- After each step, append a section to the Brief summarizing what was checked, what was found, and what was clean.\n- For each Critical or High finding, propose a 1-line remediation ticket the user can paste into their tracker.\n\nFirst MCP tool calls:\n1. list_surfaces(workspace_slug=\"run-a-security-audit-of-a-saas\")\n2. list_rows(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"findings\")\n3. get_doc(workspace_slug=\"run-a-security-audit-of-a-saas\", surface_slug=\"brief\")\n\nTreat all findings as confidential - never include credentials, tokens, or sensitive PII in any row.","type":"text"}]},{"type":"horizontalRule"},{"type":"heading","attrs":{"level":2},"content":[{"text":"FAQ","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Is this a real security audit or just a checklist?","type":"text"}]},{"type":"paragraph","content":[{"text":"It's the 80/20: the categories that catch most real bugs in small SaaS apps. A full pen test from a security firm is more thorough (manual exploitation, custom rules, deep web app testing) and costs $20-50k. This template gets you to 'no obvious issues' for 1 week of effort and free tooling. For SOC 2 / ISO 27001 compliance, you still need the third-party audit; this is the prep work that makes that audit cheaper and faster.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"What's the most common bug small SaaS apps actually have?","type":"text"}]},{"type":"paragraph","content":[{"text":"IDOR. By a large margin. The pattern: an endpoint correctly checks the user is logged in, but doesn't check the user owns the resource being accessed. /api/orders/12345 returns the order regardless of who's logged in. Test by hand: log in as user A, request a resource ID belonging to user B, see what happens. If you get the data, you have IDOR. Fix at the data-access layer (always scope queries by tenant + ID).","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Should I run this audit before or after my SOC 2?","type":"text"}]},{"type":"paragraph","content":[{"text":"Before, by 2-3 months. SOC 2 evidence is mostly process (you have a logging policy, you have an incident response plan); it doesn't deeply audit the code. Running this audit before SOC 2 means you fix the actual bugs first, then the auditor checks that the process exists. Cheaper than fixing bugs after the auditor flags them.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"How often should I re-run this audit?","type":"text"}]},{"type":"paragraph","content":[{"text":"Quarterly is the right cadence for an actively developed SaaS. The first audit takes a week; re-audits take 1-2 days because you only re-check the categories that touched changed code. Critical and High findings should be fixed within their due dates; Medium findings get re-verified at the next audit. Tools (Snyk, Dependabot, Sentry) cover the gap between audits.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Can my AI agents help run the audit?","type":"text"}]},{"type":"paragraph","content":[{"text":"Yes, especially for the code-reading-heavy steps. Agents are useful for: scanning every authenticated endpoint for missing authorization checks, scanning for raw SQL and command exec patterns, drafting the findings report from raw notes, and summarising the remediation plan into ticket descriptions. The judgement calls (severity rating, threat model, remediation prioritization) need humans. The template ships agent prompts inline for the access-control and findings-compilation steps.","type":"text"}]}]},"initialSurfaces":[{"id":"cmomeyjym006g04l86oczge1r","kind":"doc","name":"Security audit plan","slug":"brief"},{"id":"cmomeykjd006j04l83dg55ax7","kind":"table","name":"Steps","slug":"steps"},{"id":"cmomeykub006l04l8406fajhp","kind":"table","name":"Pointers","slug":"pointers"},{"id":"cmomeyl9d006n04l8h7bhbrct","kind":"table","name":"Findings","slug":"findings"},{"id":"cmooqoh1k001604jy7dwba07l","kind":"doc","name":"Security audit checklist","slug":"checklist"}],"publicSurfaceContents":[{"slug":"brief","content":"$20:1:props:initialDocContent"},{"slug":"checklist","content":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Run a security audit of a small SaaS: full checklist","type":"text"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"Tick items as you ship. The plan is in ","type":"text"},{"text":"Steps","type":"text","marks":[{"type":"bold"}]},{"text":"; this surface is the literal \"did I do this?\" list. Every box maps to a task in a step.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 1: Build the threat model and asset inventory first","type":"text"}]},{"type":"paragraph","content":[{"text":"2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List all data the app holds: PII, payment data, auth credentials, customer data, internal data","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Rank each by sensitivity: critical (payment, password) / high (PII) / medium (analytics) / low (public)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List the privileged actions: admin access, billing changes, data export, account deletion","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Brainstorm 3-5 attacker personas: external opportunist, malicious customer, insider with stolen creds, state actor (probably not relevant)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each asset, ask: how would each persona try to reach it? Note the top 3 attack paths","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 2: Audit authentication and session management","type":"text"}]},{"type":"paragraph","content":[{"text":"Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check password policy: min 12 chars, no max, allow all printable, common-password block via Have I Been Pwned API or zxcvbn","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check login rate limit: max 10 attempts per IP per minute, max 5 per username","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check session token: HttpOnly + Secure + SameSite=Lax cookie, randomly generated >= 128 bits, expires after 30 days inactive","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check password reset tokens: single-use, 60 min TTL, invalidated after use","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check magic links: single-use, 15 min TTL, IP / device-bound if possible","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check MFA support: TOTP at minimum, recommended for admin accounts","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check account enumeration: 'login' and 'forgot password' should not reveal if email exists","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 3: Audit access control: IDOR + missing authorization","type":"text"}]},{"type":"paragraph","content":[{"text":"Half a day to a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List every endpoint that takes a resource ID in the URL or body (orders, accounts, files, etc.)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each, read the handler: is there an authorization check?","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Test by hand: log in as user A, request a resource ID belonging to user B, confirm 403 (not 200)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check 'object reference' patterns: file IDs, S3 URLs, attachment URLs - are they UUIDs or sequential ints?","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Review role-based checks: admin actions are gated by role check at the handler, not just the UI","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run Semgrep with the OWASP Top 10 rule pack to catch common patterns programmatically","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 4: Audit injection: SQL, NoSQL, LDAP, command","type":"text"}]},{"type":"paragraph","content":[{"text":"2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for raw SQL: 'query(`SELECT', 'execute_raw', 'rawQuery', '$queryRaw' (Prisma)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each match: is the input parameterized? If a string-concat with user input, flag","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for command exec: 'exec(', 'execSync(', 'spawn(', 'os.system(' - any user input flowing in is a P0 finding","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for filesystem: path.join(userInput, ...) without validation = path traversal","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"If you have NoSQL: check $where clauses and JS evaluation","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"If you do server-side templating: check for SSTI in user-provided templates","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 5: Audit input validation, XSS, and CSRF","type":"text"}]},{"type":"paragraph","content":[{"text":"Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Grep for XSS bypasses: 'dangerouslySetInnerHTML' (React), 'v-html' (Vue), '|safe' (Jinja/Django)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each: is the source user-controlled? Is it sanitized with DOMPurify or equivalent?","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Test reflected XSS: send ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" in every search box and form field","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Test stored XSS: paste it into every persisted field (profile name, comments, etc.) and view from another account","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check CSRF: if you use cookies for auth, every state-changing endpoint should require an anti-CSRF token or SameSite=Lax/Strict cookie","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check Content-Security-Policy header is set with at least 'default-src self' on top-level pages","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 6: Audit cryptography: passwords, tokens, encryption at rest","type":"text"}]},{"type":"paragraph","content":[{"text":"2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify password hashing: bcrypt cost 12, argon2id, or scrypt. NEVER MD5, SHA-1, or unsalted SHA-256","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify JWT validation: signature is checked, ","type":"text"},{"text":"alg","type":"text","marks":[{"type":"code"}]},{"text":" is restricted to a whitelist, expiration is enforced","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify TLS: HTTPS-only, HSTS header set with max-age >= 31536000","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify secrets are not logged (search for 'console.log' or 'logger.info' near ","type":"text"},{"text":"password","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"token","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"secret","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"api_key","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify encryption-at-rest for sensitive fields (tokens, secret keys, PII): KMS-backed envelope encryption","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check random number generation: use ","type":"text"},{"text":"crypto.randomBytes","type":"text","marks":[{"type":"code"}]},{"text":" not ","type":"text"},{"text":"Math.random()","type":"text","marks":[{"type":"code"}]},{"text":" for any security-relevant value","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 7: Audit dependencies: CVE scan + supply chain","type":"text"}]},{"type":"paragraph","content":[{"text":"1-2 hr to scan, varies to remediate","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run ","type":"text"},{"text":"npm audit","type":"text","marks":[{"type":"code"}]},{"text":" (or ","type":"text"},{"text":"pnpm audit","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"cargo audit","type":"text","marks":[{"type":"code"}]},{"text":", etc.) and review the High and Critical findings","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run Snyk or GitHub Dependabot on the repo for ongoing monitoring","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For each Critical or High CVE, decide: patch, replace, or accept (with rationale)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check for unmaintained dependencies (last commit > 2 years, no recent releases) - these are a future-you risk","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Review dev dependencies separately - dev-only CVEs are lower priority but count for build-time supply chain","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Pin all dependency versions exactly in lockfile; no caret ranges in production lockfile","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 8: Audit secrets and credentials hygiene","type":"text"}]},{"type":"paragraph","content":[{"text":"Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run trufflehog on every repo: ","type":"text"},{"text":"trufflehog git file://. --since-commit HEAD","type":"text","marks":[{"type":"code"}]},{"text":" and again over full history","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"For every found secret: rotate it immediately, even if it's already invalidated","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Check ","type":"text"},{"text":".env.example","type":"text","marks":[{"type":"code"}]},{"text":" files don't contain real values","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify CI secrets are stored in the platform's secret store (GitHub Actions secrets, Vercel env vars, etc.), not in the repo","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify deploy scripts read secrets from a secret manager (AWS Secrets Manager, HashiCorp Vault, Doppler), not from baked images or env files","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Audit who has production secret access; remove anyone who left the team","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 9: Audit logging, monitoring, and incident response","type":"text"}]},{"type":"paragraph","content":[{"text":"2-3 hr","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify auth events are logged: login success, login fail, password change, MFA enroll, role change, account deletion","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify logs are retained at least 90 days (longer for compliance industries)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Verify logs cannot be deleted by application code (write-only access from the app)","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Set up alerts: 10+ failed logins from one IP, 5+ password resets for one account in an hour, role escalation outside admin paths","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Write a 1-page incident response runbook: who to call, how to revoke sessions, how to rotate credentials, how to communicate with customers","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Run a tabletop exercise: 'attacker has admin access, what do you do in the first 30 minutes?'","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Step 10: Write the findings report and remediation plan","type":"text"}]},{"type":"paragraph","content":[{"text":"Half a day","type":"text","marks":[{"type":"italic"}]}]},{"type":"taskList","content":[{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"List every finding with: title, OWASP category, severity, evidence (screenshots / curl examples), remediation, owner, due date","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Write the executive summary: 1-2 paragraphs on overall posture + the top 3 risks","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Schedule the remediation work in your tracker; Critical due within 1 week, High within 30 days","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"Schedule the next audit in 90 days","type":"text"}]}]},{"type":"taskItem","attrs":{"checked":false},"content":[{"type":"paragraph","content":[{"text":"If you're SOC 2 / ISO 27001 / HIPAA-bound: file the audit + remediations in your compliance evidence repo","type":"text"}]}]}]}]}}],"publicTableContents":[{"slug":"steps","columns":"$20:1:props:initialWorkspace:columns","rows":[{"id":"cmomeyn1z009m04jliq8fdcyv","position":1,"data":{"notes":"","title":"Build the threat model and asset inventory first","status":"queued","estimate":"2-3 hr"}},{"id":"cmomeynbq009h04jua7ozszsv","position":2,"data":{"notes":"","title":"Audit authentication and session management","status":"queued","estimate":"Half a day"}},{"id":"cmomeynii009k04juzht7nkja","position":3,"data":{"notes":"","title":"Audit access control: IDOR + missing authorization","status":"queued","estimate":"Half a day to a day"}},{"id":"cmomeynpr009n04ju8k400heg","position":4,"data":{"notes":"","title":"Audit injection: SQL, NoSQL, LDAP, command","status":"queued","estimate":"2-3 hr"}},{"id":"cmomeynwt008704lbd4zhx2rx","position":5,"data":{"notes":"","title":"Audit input validation, XSS, and CSRF","status":"queued","estimate":"Half a day"}},{"id":"cmomeyo42008a04lbupbjgxlk","position":6,"data":{"notes":"","title":"Audit cryptography: passwords, tokens, encryption at rest","status":"queued","estimate":"2-3 hr"}},{"id":"cmomeyoal008d04lbicd3zdnz","position":7,"data":{"notes":"","title":"Audit dependencies: CVE scan + supply chain","status":"queued","estimate":"1-2 hr to scan, varies to remediate"}},{"id":"cmomeyoig008g04lbki7btufb","position":8,"data":{"notes":"","title":"Audit secrets and credentials hygiene","status":"queued","estimate":"Half a day"}},{"id":"cmomeyooo008j04lbpll0paka","position":9,"data":{"notes":"","title":"Audit logging, monitoring, and incident response","status":"queued","estimate":"2-3 hr"}},{"id":"cmomeyowd008m04lbjchztcvt","position":10,"data":{"notes":"","title":"Write the findings report and remediation plan","status":"queued","estimate":"Half a day"}}]},{"slug":"pointers","columns":[{"key":"label","type":"text","label":"Label","position":0},{"key":"url","type":"text","label":"URL","position":1},{"key":"kind","type":"status","label":"Kind","options":[{"color":"#0A84FF","label":"official","value":"official"},{"color":"#22C55E","label":"guide","value":"guide"},{"color":"#BF5AF2","label":"tool","value":"tool"},{"color":"#F5B842","label":"community","value":"community"},{"color":"#FF2D92","label":"code","value":"code"}],"position":2},{"key":"step","type":"text","label":"Step","position":3},{"key":"why","type":"text","label":"Why","position":4}],"rows":[{"id":"cmomeypak009q04juklxiwzhs","position":1,"data":{"url":"https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats","why":"","kind":"guide","step":"Build the threat model and asset inventory first","label":"STRIDE threat modeling"}},{"id":"cmomeypht009t04juo5eb6wn7","position":2,"data":{"url":"https://owasp.org/www-community/Threat_Modeling","why":"","kind":"guide","step":"Build the threat model and asset inventory first","label":"OWASP threat modeling"}},{"id":"cmomeypps009w04juvavn5cx4","position":3,"data":{"url":"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/","why":"","kind":"official","step":"Audit authentication and session management","label":"OWASP A07: Authentication Failures"}},{"id":"cmomeypxf009z04ju2vqdvs5p","position":4,"data":{"url":"https://haveibeenpwned.com/API/v3#PwnedPasswords","why":"","kind":"tool","step":"Audit authentication and session management","label":"Have I Been Pwned password API"}},{"id":"cmomeyq5s00a204juhhrwoau8","position":5,"data":{"url":"https://github.com/dropbox/zxcvbn","why":"","kind":"code","step":"Audit authentication and session management","label":"zxcvbn password strength estimator"}},{"id":"cmomeyqea00a504jufs724lce","position":6,"data":{"url":"https://owasp.org/Top10/A01_2021-Broken_Access_Control/","why":"","kind":"official","step":"Audit access control: IDOR + missing authorization","label":"OWASP A01: Broken Access Control"}},{"id":"cmomeyqpn008p04lb0f1n4csi","position":7,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit access control: IDOR + missing authorization","label":"OWASP IDOR cheat sheet"}},{"id":"cmomeyqw6008s04lbaexckdn9","position":8,"data":{"url":"https://semgrep.dev/p/owasp-top-ten","why":"","kind":"tool","step":"Audit access control: IDOR + missing authorization","label":"Semgrep OWASP Top 10 ruleset"}},{"id":"cmomeyr47008v04lbt6gdwkz1","position":9,"data":{"url":"https://owasp.org/Top10/A03_2021-Injection/","why":"","kind":"official","step":"Audit injection: SQL, NoSQL, LDAP, command","label":"OWASP A03: Injection"}},{"id":"cmomeyrag008y04lbnid6gacc","position":10,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit injection: SQL, NoSQL, LDAP, command","label":"OWASP injection prevention cheat sheet"}},{"id":"cmomeyrkw009104lb0a5m0w2e","position":11,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit input validation, XSS, and CSRF","label":"OWASP XSS prevention cheat sheet"}},{"id":"cmomeyrrj009404lbhpahqpb0","position":12,"data":{"url":"https://github.com/cure53/DOMPurify","why":"","kind":"code","step":"Audit input validation, XSS, and CSRF","label":"DOMPurify (HTML sanitizer)"}},{"id":"cmomeyrxp009704lbj3ka7jc8","position":13,"data":{"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy","why":"","kind":"official","step":"Audit input validation, XSS, and CSRF","label":"MDN: Content-Security-Policy"}},{"id":"cmomeys3x009a04lbw3lpo71m","position":14,"data":{"url":"https://owasp.org/Top10/A02_2021-Cryptographic_Failures/","why":"","kind":"official","step":"Audit cryptography: passwords, tokens, encryption at rest","label":"OWASP A02: Cryptographic Failures"}},{"id":"cmomeysbf009d04lbaull4nh8","position":15,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit cryptography: passwords, tokens, encryption at rest","label":"OWASP password storage cheat sheet"}},{"id":"cmomeyshw009g04lbplz5kis4","position":16,"data":{"url":"https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html","why":"","kind":"guide","step":"Audit cryptography: passwords, tokens, encryption at rest","label":"OWASP JWT cheat sheet"}},{"id":"cmomeysq1009j04lb3i86nfvh","position":17,"data":{"url":"https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/","why":"","kind":"official","step":"Audit dependencies: CVE scan + supply chain","label":"OWASP A06: Vulnerable Components"}},{"id":"cmomeysxk00a804ju8ictdadb","position":18,"data":{"url":"https://docs.github.com/en/code-security/dependabot","why":"","kind":"official","step":"Audit dependencies: CVE scan + supply chain","label":"GitHub Dependabot"}},{"id":"cmomeyt5x00ab04jufwqzqqmm","position":19,"data":{"url":"https://security.snyk.io/","why":"","kind":"tool","step":"Audit dependencies: CVE scan + supply chain","label":"Snyk vulnerability DB"}},{"id":"cmomeytfk00ae04ju6okbmou0","position":20,"data":{"url":"https://github.com/trufflesecurity/trufflehog","why":"","kind":"code","step":"Audit secrets and credentials hygiene","label":"trufflehog GitHub repo"}},{"id":"cmomeytlo00ah04ju3uw2usln","position":21,"data":{"url":"https://github.com/awslabs/git-secrets","why":"","kind":"code","step":"Audit secrets and credentials hygiene","label":"git-secrets pre-commit hook"}},{"id":"cmomeytsv00ak04ju76i1cnil","position":22,"data":{"url":"https://www.doppler.com/","why":"","kind":"tool","step":"Audit secrets and credentials hygiene","label":"Doppler secret manager"}},{"id":"cmomeytz600an04jukw9jlwlf","position":23,"data":{"url":"https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/","why":"","kind":"official","step":"Audit logging, monitoring, and incident response","label":"OWASP A09: Logging Failures"}},{"id":"cmomeyucd00aq04jue92yz2mf","position":24,"data":{"url":"https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final","why":"","kind":"guide","step":"Audit logging, monitoring, and incident response","label":"NIST incident response guide"}},{"id":"cmomeyuj400at04jupd8h1992","position":25,"data":{"url":"https://www.first.org/cvss/calculator/3.1","why":"","kind":"tool","step":"Write the findings report and remediation plan","label":"CVSS calculator (severity scoring)"}},{"id":"cmomeyur200aw04juhsanfgx1","position":26,"data":{"url":"https://owasp.org/www-community/OWASP_Risk_Rating_Methodology","why":"","kind":"guide","step":"Write the findings report and remediation plan","label":"OWASP risk rating methodology"}}]},{"slug":"findings","columns":[{"key":"title","type":"text","label":"Title","position":0},{"key":"status","type":"status","label":"Status","options":[{"color":"#94A6BD","label":"queued","value":"queued"},{"color":"#0A84FF","label":"active","value":"active"},{"color":"#22C55E","label":"done","value":"done"}],"position":1},{"key":"notes","type":"text","label":"Notes","position":2}],"rows":[{"id":"cmonjzdx3003604jr6d1j0kt0","position":1,"data":{"notes":"Reproducible. Owner: Argus. Fix: server-side sanitize on write.","title":"Stored XSS in user profile bio field","status":"high"}},{"id":"cmonjzedo003904jrg0dq9m3p","position":2,"data":{"notes":"Not in production env, but committed to git. Rotate + scrub history.","title":"JWT secret hardcoded in dev config","status":"high"}},{"id":"cmonjzekf003c04jru6yx6zr1","position":3,"data":{"notes":"Brute-force exposure. Add 5/min/IP via existing rateLimit family.","title":"No rate limit on /api/auth/login","status":"med"}},{"id":"cmonjzeql003f04jriwjulj7x","position":4,"data":{"notes":"Public-read on assets bucket; intended. Document explicitly.","title":"S3 bucket has overly broad ACL","status":"low"}}]}],"initialActiveSurfaceSlug":"brief","publicForkSourceUrl":"https://trydock.ai/templates/run-a-security-audit-of-a-saas/raw.md"}]]