Add adversarial security assessment findings

2026-04-11 14:30:32 +02:00
parent ce26325682
commit b4719a9916
2 changed files with 296 additions and 2 deletions
+24 -2
@@ -26,6 +26,26 @@ This file is the explicit capability and coverage contract for the project.
- Validation: mapped
- Notes: Shared/team workflows are not the current product target.
### R018 — Run an adversarial security assessment against the application across input validation, authentication, authorization, API exposure, file uploads, and data exposure.
- Class: operational
- Status: active
- Description: Run an adversarial security assessment against the application across input validation, authentication, authorization, API exposure, file uploads, and data exposure.
- Why it matters: The next milestone is explicitly a hostile security-testing pass intended to find vulnerabilities before attackers do.
- Source: user-security-milestone
- Primary owning slice: M013
- Validation: Produce verified findings or an explicit no-finding result for each requested attack category.
- Notes: Assessment should assume weak protections and behave like an aggressive tester, not a happy-path reviewer.
### R019 — For each security issue found, record the vulnerability description, an example exploit input, risk level, and a clear remediation recommendation.
- Class: functional
- Status: active
- Description: For each security issue found, record the vulnerability description, an example exploit input, risk level, and a clear remediation recommendation.
- Why it matters: Security testing is only useful if the output is actionable for remediation and triage.
- Source: user-security-milestone
- Primary owning slice: M013
- Validation: Each finding includes description, exploit example, risk rating, and fix guidance.
- Notes: If no issue is found in a category, the milestone should still document what was tested and the observed boundary.
## Validated
### R001 — The user finds a job outside the app, imports it into the app, and starts the application workflow from that imported role.
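Review bot: The Validation line for R018 is not checkable as written: it names no artifact and does not say what "verified" means. Suggest naming the findings document and defining verification, e.g. `- Validation: Each requested attack category has an entry in the findings document marked either verified (reproduced against a named build and environment) or no-finding, with the tested boundary recorded.` The Description line of both R018 and R019 also repeats the heading word for word, so the two will drift if one is edited later; let the Description carry the detail (scope, excluded surfaces) instead. Since R019 asks for example exploit inputs to be recorded, the Notes line should state that the findings document is access-restricted and not shipped with the application.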
@@ -218,10 +238,12 @@ This file is the explicit capability and coverage contract for the project.
| R015 | anti-feature | out-of-scope | none | none | n/a |
| R016 | out-of-scope | out-of-scope | none | none | n/a |
| R017 | out-of-scope | out-of-scope | none | none | n/a |
| R018 | operational | active | M013 | none | Produce verified findings or an explicit no-finding result for each requested attack category. |
| R019 | functional | active | M013 | none | Each finding includes description, exploit example, risk rating, and fix guidance. |
## Coverage Summary
- Active requirements: 2
- Mapped to slices: 2
- Active requirements: 4
- Mapped to slices: 4
- Validated: 8 (R001, R002, R003, R004, R005, R006, R007, R010)
- Unmapped active requirements: 0
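Review bot: The validation text for R018 and R019 now lives in three hand-maintained places (the section heading, the Description line, and the last column of this table), which will drift; either have the table cell reference the requirement's section or generate the table from the entries. The summary change is consistent with the table (two new active rows, both mapped to M013, Validated unchanged at 8), but the fourth column reads `none` for both new rows, the same value used for out-of-scope R015 to R017; if that column is validation evidence, a value such as `pending` would distinguish an active, not-yet-validated requirement from a not-applicable one.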