# 🔐 Security Standards (The "Mr. Robot" Protocol)

**Audience:** Security Agents (Elliot Alderson, The Devil, The Architect).

**Objective:** Paranoid Defense & Controlled Chaos.

> [!CRITICAL]
> **The Elliot Mandate:**
> "Control is an illusion. But vulnerabilities are real. If you hardcode a password, you are not a developer; you are a liability."
## 1. 🗝️ Secret Management (The "Zero Trust" Rule)

### The Cardinal Sin

**NEVER** commit secrets to Git. Not even "just for testing".
**❌ BAD (Immediate Termination):**

```python
API_KEY = "sk-1234567890"  # Hardcoded: lives in the repo history, every clone and every backup
db_url = "postgres://user:pass@localhost:5432/db"  # Credentials embedded in a connection string
```

**✅ GOOD (Environment Variables):**

```python
import os

# Read the secret from the process environment, never from source code
API_KEY = os.environ.get("API_KEY")
if not API_KEY:
    # Fail fast at startup instead of failing later with a confusing auth error
    raise ValueError("Missing API_KEY environment variable")
```
### The `.env` Protocol

1. **Local:** Use `.env` (and add it to `.gitignore`).
2. **Prod:** Inject variables via Docker Secrets or CI/CD pipelines.
3. **Rotation:** Code must handle credential rotation (don't cache secrets forever in memory).
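
The three `.env` Protocol steps together, as an added example that is not part of this document or any project code: a small provider that reads a secret from the environment or from a mounted secrets directory (Docker Secrets mounts them under `/run/secrets/<name>`), fails fast when it is missing, and re-reads after a short TTL so a rotated value is picked up without a restart. The names `SecretProvider`, `MissingSecretError` and `redact` are this example's own; `env` and `clock` are injectable only so it can be exercised offline.

```python
"""Added example: fail-fast secret loading with rotation-aware caching."""
import os
import time
from pathlib import Path


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from every configured source."""


class SecretProvider:
    def __init__(self, env=None, secrets_dir="/run/secrets", ttl_seconds=60.0, clock=time.monotonic):
        # env and clock default to the real process environment and clock;
        # both are injectable so the provider can be tested without touching either
        self.env = os.environ if env is None else env
        self.secrets_dir = Path(secrets_dir)
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache = {}  # name -> (value, fetched_at)

    def _read(self, name):
        """Environment first, then a mounted secrets file, otherwise fail loudly."""
        value = self.env.get(name)
        if value:
            return value
        path = self.secrets_dir / name
        if path.is_file():
            return path.read_text(encoding="utf-8").strip()
        raise MissingSecretError(f"Missing required secret: {name}")

    def get(self, name):
        """Return the current value, re-reading once the cached copy is older than ttl."""
        now = self.clock()
        cached = self._cache.get(name)
        if cached is not None and now - cached[1] < self.ttl:
            return cached[0]
        value = self._read(name)
        self._cache[name] = (value, now)
        return value

    def invalidate(self, name=None):
        """Drop cached values, e.g. after an upstream 401 signals that rotation happened."""
        if name is None:
            self._cache.clear()
        else:
            self._cache.pop(name, None)


def redact(secret, keep=4):
    """Log-safe form of a secret: only the last `keep` characters survive."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    provider = SecretProvider(ttl_seconds=30)
    try:
        print("API_KEY:", redact(provider.get("API_KEY")))
    except MissingSecretError as exc:
        print(exc)
```

The TTL is the rotation hook from step 3: a secret is never held "forever", and `invalidate()` forces a re-read when the upstream service starts rejecting the old credential. `redact()` exists because the most common way a secret leaks after being loaded correctly is a log line.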
## 2. 🛡️ OWASP Hardening (Defensive Coding)

### A. SQL Injection (The Prevention)

**Mandate:** NO String Concatenation in SQL.

* **Reject:** `cursor.execute("SELECT * FROM users WHERE name = '" + user_input + "'")`
* **Accept:** `cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))` (Let the driver handle escaping).
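
The rejected and accepted forms side by side, as an added example that is not part of this document: both queries run against a constructed in-memory SQLite table so the difference is observable. SQLite's placeholder is `?` where the page's `%s` is the psycopg2 (PostgreSQL) style; the mechanism is the same, the driver sends the value separately from the statement. Function names are this example's own.

```python
"""Added example: string concatenation vs. parameterized queries, run against sample data."""
import sqlite3


def make_db():
    """Constructed sample table; one name deliberately contains a single quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_user_rejected(conn, user_input):
    """The REJECT pattern: the input is spliced into SQL syntax.
    A quote in the input either breaks the statement or rewrites its logic."""
    query = "SELECT name FROM users WHERE name = '" + user_input + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_accepted(conn, user_input):
    """The ACCEPT pattern: the statement is fixed, the value travels as a bound parameter.
    Whatever the input contains, it is compared as a literal string."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]


if __name__ == "__main__":
    conn = make_db()
    for name in ("alice", "o'brien"):
        print(f"accepted({name!r}) ->", find_user_accepted(conn, name))
        try:
            print(f"rejected({name!r}) ->", find_user_rejected(conn, name))
        except sqlite3.OperationalError as exc:
            print(f"rejected({name!r}) -> SQL error: {exc}")
```

The legitimate name `o'brien` is the everyday reason to parameterize: the concatenated query fails on it with a syntax error, while the bound parameter finds the row. The same property is what stops an input built to alter the `WHERE` clause: bound, it matches nothing.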
### B. XSS (Cross-Site Scripting)

**Mandate:** React/templates auto-escape by default. DO NOT use `dangerouslySetInnerHTML` or `| safe` (Jinja2) unless you have personally sanitized the input with `bleach`.
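
The two rendering paths the mandate describes, as an added example that is not part of this document: the default path escapes everything (what the template engine does for you), and the only path to unescaped output first runs the content through an allowlist sanitizer. The sanitizer here is a stdlib stand-in for `bleach`, written for this example; `ALLOWED_TAGS`, `ALLOWED_ATTRS`, `render_comment` and `sanitize` are its own names, and the allowlist is deliberately tiny.

```python
"""Added example: escape by default; allowlist-sanitize before anything may be marked safe."""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes; everything else is dropped
    or turned into escaped text. Anything this parser does not understand is text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # the tag (<script>, <img>, <iframe>, ...) disappears; its text content stays as data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or not value:
                continue  # drops on* event handlers and every attribute not explicitly allowed
            if not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue  # drops javascript:, data:, vbscript: and similar hrefs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped on the way out, even inside allowed tags
        self.parts.append(html.escape(data, quote=True))

    def result(self):
        self.close()  # flush any buffered text
        return "".join(self.parts)


def sanitize(untrusted_html):
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


def render_comment(raw, allow_markup=False):
    """Default: full escaping, as templates do automatically.
    allow_markup=True is the only route to unescaped output, and it goes through sanitize()."""
    if allow_markup:
        return sanitize(raw)
    return html.escape(raw, quote=True)


if __name__ == "__main__":
    sample = '<b>hi</b><script>alert(1)</script><a href="javascript:alert(1)">x</a>'  # constructed
    print(render_comment(sample))
    print(render_comment(sample, allow_markup=True))
```

The shape matters more than the allowlist: there is one place in the code where raw HTML can reach the page, and it cannot be reached without the sanitizer running first. That is the property `| safe` and `dangerouslySetInnerHTML` bypass when used directly.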
### C. SSRF (Server-Side Request Forgery)

**Mandate:** If an agent makes a request to a URL provided by a user:

* **Block:** Localhost (`127.0.0.1`, `0.0.0.0`, `localhost`).
* **Block:** Internal Metadata APIs (AWS Metadata `169.254.169.254`).
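
The two block rules as a URL validator, as an added example that is not part of this document. It goes beyond the two listed addresses: it rejects non-http(s) schemes, the `localhost` name, and any literal or resolved address that Python's `ipaddress` module classifies as loopback, unspecified, private, link-local (which covers `169.254.169.254`), multicast or reserved. Resolving the hostname is what catches a DNS name that points back inside. `validate_outbound_url`, `SSRFBlocked` and the injectable `resolve` parameter are this example's own.

```python
"""Added example: validate a user-supplied URL before an agent fetches it."""
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_HOSTNAMES = {"localhost"}
ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(ValueError):
    """Raised when a URL points somewhere an agent must not reach."""


def default_resolve(host):
    """Resolve a hostname to every address it has (A and AAAA)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_forbidden_address(ip):
    """Non-routable or internal ranges; checked on the address, not the hostname string."""
    return (ip.is_loopback or ip.is_unspecified or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def validate_outbound_url(url, resolve=default_resolve):
    """Return the list of addresses the URL may be fetched from, or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        raise SSRFBlocked("URL has no host")
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        raise SSRFBlocked(f"host not allowed: {host!r}")
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IPv4 / IPv6
    except ValueError:
        # A name: check every address it resolves to, not just the first
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in addresses:
        if is_forbidden_address(ip):
            raise SSRFBlocked(f"{host!r} resolves to non-routable address {ip}")
    return [str(ip) for ip in addresses]


if __name__ == "__main__":
    for candidate in ("https://example.com/page", "http://169.254.169.254/latest/meta-data/"):
        try:
            print(candidate, "->", validate_outbound_url(candidate))
        except SSRFBlocked as exc:
            print(candidate, "-> BLOCKED:", exc)
```

Two caveats a reviewer should insist on. The check is only as good as the address the HTTP client actually connects to, so the client must not follow redirects on its own (re-validate each hop), and a name can legitimately resolve differently between this check and the connect (DNS rebinding); pinning the validated address into the connection closes that gap. Decimal or octal spellings of an address (`2130706433`) are not IP literals to `ipaddress`, so they fall through to the resolver, which is why resolution rather than string matching is the rule.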
## 3. 😈 Protocol for "The Devil" (Offensive Auditing)

Agents capable of offensive actions (The Devil, The Gremlin) must follow the **Geneva Convention of AI**:

1. **No Destruction:** Never run `DROP TABLE` or `rm -rf` unless the environment is explicitly tagged `env=ephemeral-test`.
2. **Rate Limiting:** Do not DoS our own services. Limit fuzzing to 10 req/sec.
3. **The "Undo" Button:** Every offensive change must have a logged reversal plan.
## 4. 🕵️ The Architect's Audit Checklist (Security Edition)

Before approving any PR/Change:

- [ ] **Secrets:** Did I `grep` for "key", "token", "password" in the diff?
- [ ] **Deps:** Did I pin dependencies (prevent Supply Chain Attacks)?
- [ ] **Input:** Is every function argument typed and validated (Pydantic)?
- [ ] **Logs:** Did I accidentally log PII or a token? (Check `observability_standards.md`).
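
The "grep the diff" item as a script, as an added example that is not part of this document: it walks the added lines of a unified diff and flags the shapes secrets usually take (keyword assignments with a long quoted value, `sk-` prefixed keys like the page's BAD snippet, AWS access key IDs, PEM private-key headers, URLs with embedded credentials). The pattern names and the sample diff are constructed for this example; the two lines it flags are the page's own BAD snippet.

```python
"""Added example: flag likely secrets in the added lines of a unified diff."""
import re
import sys

# Each pattern targets a shape, not a specific value, so it generalizes to new keys.
SECRET_PATTERNS = {
    "keyword_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password|passwd|pwd)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
    "sk_prefixed_key": re.compile(r"\bsk-[A-Za-z0-9_-]{10,}"),      # shape of the page's "sk-..." example
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
}

# Constructed sample diff; the two '+' lines with secrets are the page's BAD snippet.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-API_KEY = os.environ.get("API_KEY")
+API_KEY = "sk-1234567890"
+db_url = "postgres://user:pass@localhost:5432/db"
+DEBUG = False
"""


def scan_diff(diff_text):
    """Return (diff_line_number, pattern_name, added_line) for every added line that matches."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        # Only lines this change introduces; '+++' is the file header, not content.
        # A removed secret still means it was committed once and must be rotated,
        # but that is a Section 5 job, not something this review-time scan blocks on.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((lineno, name, content.strip()))
    return findings


if __name__ == "__main__":
    # Usage as a gate: git diff --cached | python scan_diff.py  (non-zero exit blocks the commit)
    diff_text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(diff_text)
    for lineno, name, content in findings:
        print(f"line {lineno}: {name}: {content}")
    sys.exit(1 if findings else 0)
```

A regex pass answers the checklist question faster and more consistently than a manual `grep`, but it only finds the shapes it knows; treat it as the floor, with a dedicated scanner (gitleaks and trufflehog are two common ones) and the manual read on top, not as a replacement for either.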
## 5. 🚨 Emergency Response (When Elliot Hacks You)

If a vulnerability is found:

1. **Contain:** Shut down the container.
2. **Patch:** Fix the code.
3. **Rotate:** Assume all active secrets are compromised. Rotate them immediately.