GeneralBots/gb
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gb/SECURITY_CHECKLIST.md
Rodrigo Rodriguez (Pragmatismo) c3c235f8c4 feat(ui): migrate desktop environment to Window Manager 
- Updated UI.md with the completed specification and status
- Synced botui submodule with new desktop.html and window-manager.js implementation
- Synced botserver submodule with latest changes
2026-02-24 19:02:48 -03:00

4.8 KiB
Raw Blame History

General Bots Security Checklist

Critical (P1) - Must Fix Immediately

Authentication & Authorization

  • SecurityManager Integration - Initialize in bootstrap
  • CSRF Protection - Enable for all state-changing endpoints
  • Error Handling - Replace all unwrap()/expect() calls
  • Security Headers - Apply to all HTTP routes

Data Protection

  • TLS/MTLS - Ensure certificates are generated and validated
  • SafeCommand Usage - Replace all Command::new() calls
  • Error Sanitization - Use ErrorSanitizer for all HTTP errors

High Priority (P2) - Fix Within 2 Weeks

Authentication

  • Passkey Support - Complete WebAuthn implementation
  • MFA Enhancement - Add backup codes and recovery flows
  • API Key Management - Implement rotation and expiration

Monitoring & Detection

  • Security Monitoring - Integrate SecurityMonitor with app events
  • DLP Policies - Configure default policies for PII/PCI/PHI
  • Rate Limiting - Apply consistent limits across all endpoints

Medium Priority (P3) - Fix Within 1 Month

Infrastructure

  • Certificate Management - Add expiration monitoring and auto-renewal
  • Audit Logging - Ensure comprehensive coverage
  • Security Testing - Create dedicated test suite

Compliance

  • Security Documentation - Update policies and procedures
  • Compliance Mapping - Map controls to SOC2/GDPR/ISO27001
  • Evidence Collection - Implement automated evidence gathering

Quick Wins (Can be done today)

Code Quality

  • Run cargo clippy --workspace and fix all warnings
  • Use cargo audit to check for vulnerable dependencies
  • Replace 10 unwrap() calls with proper error handling

Configuration

  • Check .env files for hardcoded secrets (move to /tmp/)
  • Verify botserver-stack/conf/ permissions
  • Review Cargo.toml for unnecessary dependencies

Testing

  • Test authentication flows with invalid credentials
  • Verify CSRF tokens are required for POST/PUT/DELETE
  • Check security headers on main endpoints

Daily Security Tasks

Morning Check

  • Review botserver.log for security events
  • Check cargo audit for new vulnerabilities
  • Monitor failed login attempts
  • Verify certificate expiration dates

Ongoing Monitoring

  • Watch for unusual access patterns
  • Monitor DLP policy violations
  • Track security metric trends
  • Review audit logs for anomalies

Weekly Tasks

  • Run full security scan with protection tools
  • Review and rotate any expiring credentials
  • Update security dependencies
  • Backup security configurations

Emergency Response

If you suspect a breach:

  1. Isolate - Disconnect affected systems
  2. Preserve - Don't delete logs or evidence
  3. Document - Record all actions and observations
  4. Escalate - Contact security team immediately
  5. Contain - Implement temporary security measures
  6. Investigate - Determine scope and impact
  7. Remediate - Fix vulnerabilities and restore services
  8. Learn - Update procedures to prevent recurrence

Security Tools Commands

Dependency Scanning

cargo audit
cargo deny check
cargo geiger

Code Analysis

cargo clippy --workspace -- -D warnings
cargo fmt --check

Security Testing

# Run security tests
cargo test -p bottest --test security

# Check for unsafe code
cargo geiger --forbid

# Audit dependencies
cargo audit --deny warnings

Protection Tools

# Security scanning
curl -X POST http://localhost:9000/api/security/protection/scan

# Get security report
curl http://localhost:9000/api/security/protection/report

# Check tool status
curl http://localhost:9000/api/security/protection/status

Common Security Issues to Watch For

1. Hardcoded Secrets

Bad: password = "secret123" in code Good: password = env::var("DB_PASSWORD")? from /tmp/

2. Unsafe Command Execution

Bad: Command::new("rm").arg("-rf").arg(user_input) Good: SafeCommand::new("rm")?.arg("-rf")?.arg(sanitized_input)?

3. Missing Input Validation

Bad: format!("SELECT * FROM {}", user_table) Good: validate_table_name(&user_table)?; format!("SELECT * FROM {}", safe_table)

4. Information Disclosure

Bad: Json(json!({ "error": e.to_string() })) Good: let sanitized = log_and_sanitize(&e, "context", None); (StatusCode::INTERNAL_SERVER_ERROR, sanitized)

Security Contact Information

Primary Contact: security@pragmatismo.com.br
Backup Contact: Check security.txt at /.well-known/security.txt

Emergency Response: Follow procedures in botbook/src/12-auth/security-policy.md

Last Updated: 2026-02-22
Review Frequency: Weekly
Next Review: 2026-03-01