Run a security audit of a small SaaS

40 rows

TStep

◉Status

TOwner

TEstimate

TNotes

1

2

Build the threat model and asset inventory first

queued

2-3 hr

3

Stored XSS in user profile bio field

queued

Reproducible. Owner: Argus. Fix: server-side sanitize on write.

4

5

Audit authentication and session management

queued

Half a day

6

JWT secret hardcoded in dev config

queued

Not in production env, but committed to git. Rotate + scrub history.

7

8

Audit access control: IDOR + missing authorization

queued

Half a day to a day

9

No rate limit on /api/auth/login

queued

Brute-force exposure. Add 5/min/IP via existing rateLimit family.

10

S3 bucket has overly broad ACL

queued

Public-read on assets bucket; intended. Document explicitly.

11

Audit injection: SQL, NoSQL, LDAP, command

queued

2-3 hr

12

13

Audit input validation, XSS, and CSRF

queued

Half a day

14

15

Audit cryptography: passwords, tokens, encryption at rest

queued

2-3 hr

16

17

Audit dependencies: CVE scan + supply chain

queued

1-2 hr to scan, varies to remediate

18

19

20

Audit secrets and credentials hygiene

queued

Half a day

21

22

Audit logging, monitoring, and incident response

queued

2-3 hr

23

Write the findings report and remediation plan

queued

Half a day

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

Run a security audit of a small SaaS · Dock on Dock · Dock