{
  "metadata": {
    "project": "LLM Gateway",
    "audit_date": "2026-04-25",
    "total_findings": 73,
    "critical_count": 8,
    "high_count": 24,
    "medium_count": 28,
    "low_count": 13
  },
  "findings": [
    {
      "id": "AOS-30FF1E",
      "title": "Broken Access Control - JWT Algorithm Substitution",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S6-SHIN",
      "status": "resolved",
      "resolved_date": "2026-04-25",
      "description": "JWT validation lacked algorithm pinning, allowing algorithm substitution attacks"
    },
    {
      "id": "PrLAC-07",
      "title": "Insufficient Authentication - NIST SP 800-63B Non-Compliance",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "Authentication mechanism does not comply with NIST SP 800-63B guidelines. Missing: MFA support, secure password hashing, session management policies, account lockout mechanisms, rate limiting"
    },
    {
      "id": "CIS-3.2",
      "title": "Data in Transit Encryption Not Enforced",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "API endpoints do not enforce HTTPS/TLS 1.3. Mixed content and unencrypted channel warnings present"
    },
    {
      "id": "SEC-SECRETS-001",
      "title": "Hardcoded Secrets in Source Code",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "API keys, database credentials, and JWT secrets found in source code and configuration files"
    },
    {
      "id": "SEC-INJECTION-001",
      "title": "SQL Injection Vulnerability in Database Layer",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "Dynamic SQL query construction without parameterized queries in scoring engine"
    },
    {
      "id": "SEC-AUTH-002",
      "title": "Missing CSRF Protection on State-Changing Endpoints",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "POST/PUT/DELETE endpoints lack CSRF token validation"
    },
    {
      "id": "SEC-RATELIMIT-001",
      "title": "Missing Rate Limiting - DDoS Vulnerability",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S4-RAI",
      "status": "pending",
      "resolved_date": null,
      "description": "No rate limiting on API endpoints. System vulnerable to brute force and DoS attacks"
    },
    {
      "id": "SEC-LOGGING-001",
      "title": "Sensitive Data Logging - Information Disclosure",
      "severity": "critical",
      "sla_hours": 4,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "API requests/responses logged with full JWT tokens, database passwords, and user data"
    },
    {
      "id": "PERF-001",
      "title": "Missing Input Validation - XSS Vulnerability",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "User input fields not sanitized before rendering. Stored XSS possible in request history"
    },
    {
      "id": "PERF-002",
      "title": "Insufficient Error Handling - Stack Trace Leakage",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "Production error responses leak internal stack traces and system information"
    },
    {
      "id": "PERF-003",
      "title": "Missing HSTS Headers",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "HTTP Strict-Transport-Security header not set. Vulnerable to SSL stripping attacks"
    },
    {
      "id": "PERF-004",
      "title": "Missing CSP Headers",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "Content-Security-Policy header not configured. Vulnerable to XSS and injection attacks"
    },
    {
      "id": "PERF-005",
      "title": "Weak Password Policy",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "Password requirements insufficient. No minimum length, complexity, or history requirements"
    },
    {
      "id": "PERF-006",
      "title": "Missing Multi-Factor Authentication",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "Single-factor authentication only. No TOTP/WebAuthn support"
    },
    {
      "id": "PERF-007",
      "title": "Insufficient Dependency Scanning",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No automated scanning for vulnerable dependencies. npm audit not integrated in CI"
    },
    {
      "id": "PERF-008",
      "title": "Missing Security.txt Configuration",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No /.well-known/security.txt file for vulnerability disclosure policy"
    },
    {
      "id": "PERF-009",
      "title": "Inadequate Encryption Algorithm Selection",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "TLS 1.2 still enabled. Should enforce TLS 1.3 only"
    },
    {
      "id": "PERF-010",
      "title": "Missing CORS Security Configuration",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "CORS headers allow all origins (*). Should whitelist specific domains"
    },
    {
      "id": "PERF-011",
      "title": "Weak Session Management",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "Session tokens lack expiration, rotation, and secure flags"
    },
    {
      "id": "PERF-012",
      "title": "Missing Database Connection Encryption",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "Database connections not encrypted. sslmode=disable in production"
    },
    {
      "id": "PERF-013",
      "title": "Insufficient Audit Logging",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No audit trail for administrative actions, authentication attempts, or data modifications"
    },
    {
      "id": "PERF-014",
      "title": "Missing Security Headers - X-Content-Type-Options",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "X-Content-Type-Options header not set. Vulnerable to MIME sniffing attacks"
    },
    {
      "id": "PERF-015",
      "title": "Insufficient API Key Management",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S6-SHIN",
      "status": "pending",
      "resolved_date": null,
      "description": "API keys lack rotation policy, expiration dates, and scope limitations"
    },
    {
      "id": "PERF-016",
      "title": "Missing Vulnerability Disclosure Program",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No documented security bug bounty or responsible disclosure process"
    },
    {
      "id": "PERF-017",
      "title": "Insufficient Data Retention Policy",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "Logs and sensitive data retained indefinitely. No retention policy documented"
    },
    {
      "id": "PERF-018",
      "title": "Missing Infrastructure as Code Scanning",
      "severity": "high",
      "sla_hours": 24,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "No scanning of Docker, Kubernetes, and Terraform configurations for security issues"
    },
    {
      "id": "MED-001",
      "title": "Missing API Versioning Strategy",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No API version management. Breaking changes affect all clients"
    },
    {
      "id": "MED-002",
      "title": "Insufficient Query Result Pagination",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "API endpoints return unlimited result sets. Resource exhaustion possible"
    },
    {
      "id": "MED-003",
      "title": "Missing Health Check Endpoints",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No standardized health check endpoints. Difficult to implement zero-downtime deployments"
    },
    {
      "id": "MED-004",
      "title": "Insufficient Idempotency Support",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "API endpoints not idempotent. Duplicate requests cause unintended side effects"
    },
    {
      "id": "MED-005",
      "title": "Missing Request ID Correlation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No request ID propagation. Difficult to trace requests through distributed system"
    },
    {
      "id": "MED-006",
      "title": "Insufficient Batch Operation Limits",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No limits on batch operation sizes. Resource exhaustion attacks possible"
    },
    {
      "id": "MED-007",
      "title": "Missing Temporal Consistency Validation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No validation of timestamps. Backdated requests could bypass rate limits"
    },
    {
      "id": "MED-008",
      "title": "Insufficient Error Code Documentation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "API error codes not documented. Difficult for clients to handle errors properly"
    },
    {
      "id": "MED-009",
      "title": "Missing Graceful Degradation Support",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "System fails completely if one dependency unavailable. No circuit breaker fallbacks"
    },
    {
      "id": "MED-010",
      "title": "Insufficient Testing - 60% Coverage",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "Test coverage only 60%. Target: 80%+. Missing: E2E tests, integration tests"
    },
    {
      "id": "MED-011",
      "title": "Missing Request Size Limits",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No limits on request body size. Possible DoS via large payloads"
    },
    {
      "id": "MED-012",
      "title": "Insufficient Deployment Rollback Strategy",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "No automated rollback on deployment failure. Manual intervention required"
    },
    {
      "id": "MED-013",
      "title": "Missing Observability - Tracing Infrastructure",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No distributed tracing (OpenTelemetry/Jaeger). Difficult to debug production issues"
    },
    {
      "id": "MED-014",
      "title": "Insufficient Metrics Collection",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "Missing: request latency histograms, error rate metrics, queue depth metrics"
    },
    {
      "id": "MED-015",
      "title": "Missing Backup and Disaster Recovery Plan",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No documented backup strategy or RTO/RPO targets"
    },
    {
      "id": "MED-016",
      "title": "Insufficient Database Connection Pooling",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No connection pooling. Each request opens new database connection"
    },
    {
      "id": "MED-017",
      "title": "Missing Caching Strategy Documentation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "Cache invalidation strategy not documented. Stale data possible"
    },
    {
      "id": "MED-018",
      "title": "Insufficient Async Operation Handling",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No standardized pattern for long-running operations. Clients can't poll status"
    },
    {
      "id": "MED-019",
      "title": "Missing Webhook Validation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "Webhook endpoints lack signature verification. Could accept forged events"
    },
    {
      "id": "MED-020",
      "title": "Insufficient Configuration Management",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S2-TEN",
      "status": "pending",
      "resolved_date": null,
      "description": "Configuration hardcoded or poorly managed. No audit trail for changes"
    },
    {
      "id": "MED-021",
      "title": "Missing Data Consistency Validation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No foreign key constraints or data integrity checks in database schema"
    },
    {
      "id": "MED-022",
      "title": "Insufficient Retry Logic",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "External API calls lack exponential backoff. Could overwhelm dependencies"
    },
    {
      "id": "MED-023",
      "title": "Missing Deadline/Timeout Enforcement",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No context deadlines. Long-running requests could hang indefinitely"
    },
    {
      "id": "MED-024",
      "title": "Insufficient OpenAPI/Swagger Documentation",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "API documentation incomplete or outdated. Difficult for clients to integrate"
    },
    {
      "id": "MED-025",
      "title": "Missing Load Testing Results",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No load testing performed. Unknown scalability limits and bottlenecks"
    },
    {
      "id": "MED-026",
      "title": "Insufficient Deprecation Policy",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No documented deprecation timeline for old API versions"
    },
    {
      "id": "MED-027",
      "title": "Missing Security Code Review Process",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No mandatory security review before merge. SAST tools not integrated"
    },
    {
      "id": "MED-028",
      "title": "Insufficient Incident Response Plan",
      "severity": "medium",
      "sla_hours": 120,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No incident response runbooks. Unclear escalation path during incidents"
    },
    {
      "id": "LOW-001",
      "title": "Missing Documentation - Architecture Guide",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "System architecture not documented. New developers lack context"
    },
    {
      "id": "LOW-002",
      "title": "Incomplete Code Comments",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "Complex algorithms lack inline comments explaining business logic"
    },
    {
      "id": "LOW-003",
      "title": "Missing CONTRIBUTING Guidelines",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No CONTRIBUTING.md. External contributors lack guidance"
    },
    {
      "id": "LOW-004",
      "title": "Outdated README",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "README installation instructions outdated. New setup fails"
    },
    {
      "id": "LOW-005",
      "title": "Missing Changelog",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No CHANGELOG.md documenting breaking changes and features"
    },
    {
      "id": "LOW-006",
      "title": "Insufficient Code Formatting Standards",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No Prettier/ESLint configuration. Inconsistent code style"
    },
    {
      "id": "LOW-007",
      "title": "Missing Commit Message Standards",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No commitlint enforcement. Commit messages inconsistent"
    },
    {
      "id": "LOW-008",
      "title": "Missing Branch Protection Rules",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "Direct pushes to main allowed. No review requirement"
    },
    {
      "id": "LOW-009",
      "title": "Insufficient Type Coverage",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "TypeScript strict mode not enabled. Type coverage ~75%"
    },
    {
      "id": "LOW-010",
      "title": "Missing Pre-commit Hooks",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S5-FU",
      "status": "pending",
      "resolved_date": null,
      "description": "No husky pre-commit hooks. Lint checks only on CI"
    },
    {
      "id": "LOW-011",
      "title": "Insufficient Performance Benchmarks",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S3-YOROI",
      "status": "pending",
      "resolved_date": null,
      "description": "No baseline performance benchmarks. Regressions undetected"
    },
    {
      "id": "LOW-012",
      "title": "Missing Environment Variable Documentation",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": ".env.example incomplete. Required variables not documented"
    },
    {
      "id": "LOW-013",
      "title": "Insufficient Monitoring Alerts",
      "severity": "low",
      "sla_hours": 720,
      "pillar": "S7-HO",
      "status": "pending",
      "resolved_date": null,
      "description": "No alerting configured. Issues detected only after customer reports"
    }
  ]
}