lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity
Files
dcddc7a5ddb2ca4f8b03ebff3cb36a832cbcfef2
archy/docs/security-audit-prep.md
Dorian 8143f6871f feat: hardware compatibility, TPM attestation, security audit prep 
- Y2-01: docs/hardware-compatibility.md — 2 certified platforms,
  4 planned, minimum requirements, known quirks
- Y3-04: tpm.rs — TPM 2.0 attestation types (TpmStatus, TpmAttestation,
  detect_tpm), ready for tss-esapi integration
- Y5-03: docs/security-audit-prep.md — audit scope, completed internal
  audits, recommended firms, budget estimates

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 05:57:32 +00:00

1.6 KiB
Raw Blame History

Security Audit Preparation

Scope for External Audit

Priority 1: Critical Path

  • Authentication (bcrypt, session management, CSRF, rate limiting)
  • Cryptography (Ed25519 signing, ChaCha20-Poly1305 backup encryption, Argon2 KDF)
  • Container isolation (Podman security, cap-drop, no-new-privileges)
  • Network security (Tor integration, federation over hidden services)
  • Input validation (RPC endpoints, path traversal prevention)

Priority 2: Data Security

  • Secrets management (identity keys, wallet credentials)
  • Backup encryption (key derivation, storage format)
  • DWN message integrity (peer sync, deduplication)
  • Verifiable Credentials (W3C VC issuance, verification)

Priority 3: Infrastructure

  • Nginx configuration (headers, proxy settings, CSP)
  • Systemd service hardening (watchdog, capabilities)
  • UFW firewall rules (Podman subnet access)
  • Log sanitization (no secrets in logs)

Completed Internal Audits

  • SEC-01: RPC endpoint input validation audit (100+ endpoints)
  • SEC-02: Rate limiting on federation endpoints
  • SEC-03: CSRF validation on all state-changing endpoints
  • SEC-04: Container security profiles (cap-drop ALL, no-new-privileges)
  • SEC-05: Log rotation configured
  • SEC-06: Security headers verified (X-Frame-Options, CSP, etc.)

Recommended Audit Firms

  • Trail of Bits (Rust + cryptography expertise)
  • NCC Group (infrastructure + application security)
  • Cure53 (web application + browser security)
  • Doyensec (Rust + WebSocket + API security)

Budget Estimate

  • Comprehensive audit (2-4 weeks): $50,000 - $150,000
  • Focused crypto + auth audit (1-2 weeks): $25,000 - $60,000
  • Penetration test only (1 week): $15,000 - $30,000
Reference in New Issue View Git Blame Copy Permalink