Security Audit Methodology¶
Версия: 1.0 Дата: 13.01.2026 Контракт: order-001-phase1-ru Задача: 2.2.5 Security Audit (A4A-23)
1. Обзор¶
Этот документ описывает методологию проведения security audit для системы CalmTrader. Аудит проводится регулярно (рекомендуется ежеквартально) и при значительных изменениях в инфраструктуре или коде.
1.1 Цели аудита¶
- Идентификация уязвимостей
- Оценка соответствия best practices
- Проверка конфигурации безопасности
- Валидация защиты данных
1.2 Scope¶
| Область | Включено | Исключено |
|---|---|---|
| Infrastructure | Hetzner, Docker, Traefik | Physical security |
| Network | Firewall, SSL, ports | DDoS testing |
| Application | API, Bot code | Penetration testing |
| Data | Encryption, PII handling | GDPR compliance audit |
| Dependencies | Python packages | OS packages |
2. Области проверки¶
2.1 Infrastructure Security¶
Checklist:
- SSH конфигурация
- Key-based authentication only
- Root login disabled
-
Non-standard port (optional)
-
Firewall (UFW)
- Default deny incoming
- Only necessary ports open (22, 80, 443)
-
Logging enabled
-
Docker
- Non-root containers
- AppArmor/seccomp profiles
- No privileged containers
-
Volumes with proper permissions
-
File permissions
- .env files restricted (600)
- SSH keys restricted (600)
- Config files readable only by owner
2.2 Network Security¶
Checklist:
- TLS Configuration
- TLS 1.2+ only
- Strong cipher suites
- Valid certificate (Let's Encrypt)
-
HSTS enabled
-
Port exposure
- Internal services not exposed
- PostgreSQL only internal
- Redis only internal
-
MinIO console restricted
-
HTTP Security Headers
- X-Content-Type-Options
- X-Frame-Options
- Strict-Transport-Security
- Content-Security-Policy (for web apps)
2.3 Application Security¶
Checklist:
- Input validation
- All user inputs validated
- SQL injection prevention (ORM)
-
Command injection prevention
-
Authentication
- Telegram auth validation
- Admin auth implemented
-
Session management
-
Authorization
- Role-based access control
- is_admin flag checked
-
API endpoints protected
-
Error handling
- No stack traces in production
- Generic error messages
- Proper logging
2.4 Data Security¶
Checklist:
- Sensitive data
- Passwords hashed (if any)
- API keys in .env only
-
No secrets in code/logs
-
PII handling
- Minimal data collection
- Data retention policy
-
Deletion on request
-
Database
- Connection encryption
- Strong credentials
- Backup encryption
2.5 Dependencies¶
Checklist:
- Known vulnerabilities
- pip-audit clean
- safety check clean
-
Regular updates
-
Supply chain
- Trusted sources only (PyPI)
- Lock files (uv.lock)
- Version pinning
3. Инструменты¶
3.1 Code Analysis¶
| Инструмент | Назначение | Команда |
|---|---|---|
| bandit | Python security linter | uv run bandit -r app/ |
| safety | Dependency vulnerabilities | uv run safety check |
| pip-audit | CVE scanning | uv run pip-audit |
| ruff | Code quality (includes security rules) | uv run ruff check |
3.2 Infrastructure Analysis¶
| Инструмент | Назначение | Команда |
|---|---|---|
| nmap | Port scanning | nmap -sV host |
| ssh-audit | SSH config audit | ssh-audit host |
| testssl.sh | SSL/TLS testing | testssl.sh host:443 |
| docker bench | Docker security | docker run docker/docker-bench-security |
3.3 Manual Checks¶
# Firewall status
ssh server "ufw status verbose"
# Open ports
ssh server "ss -tlnp"
# SSH config
ssh server "cat /etc/ssh/sshd_config | grep -v '^#'"
# File permissions
ssh server "ls -la /path/to/.env"
# Docker security
ssh server "docker info | grep Security"
4. Severity Classification¶
4.1 Levels¶
| Level | Описание | CVSS Score | Response |
|---|---|---|---|
| Critical | Remote code execution, data breach | 9.0-10.0 | Immediate fix |
| High | Auth bypass, privilege escalation | 7.0-8.9 | Fix within 24h |
| Medium | Information disclosure, DoS | 4.0-6.9 | Fix within 1 week |
| Low | Minor issues, hardening | 0.1-3.9 | Fix within 1 month |
| Info | Best practice recommendations | N/A | Optional |
4.2 Examples¶
| Finding | Severity | Reasoning |
|---|---|---|
| SQL injection | Critical | RCE/data breach possible |
| Exposed admin panel | High | Unauthorized access |
| Missing HSTS header | Medium | MitM possible |
| .env readable by all | Medium | Credential exposure |
| Outdated dependency (no CVE) | Low | Potential future risk |
| Missing rate limiting | Info | Best practice |
5. OWASP Top 10 Checklist¶
5.1 2021 OWASP Top 10¶
| # | Vulnerability | Check | Status |
|---|---|---|---|
| A01 | Broken Access Control | Admin endpoints protected | |
| A02 | Cryptographic Failures | TLS configured, no plaintext secrets | |
| A03 | Injection | ORM used, no raw SQL | |
| A04 | Insecure Design | Input validation, error handling | |
| A05 | Security Misconfiguration | Firewall, Docker, SSH config | |
| A06 | Vulnerable Components | pip-audit, safety | |
| A07 | Auth Failures | Telegram auth, session management | |
| A08 | Software/Data Integrity | Lock files, signed commits | |
| A09 | Logging Failures | Structured logging, no PII in logs | |
| A10 | SSRF | No user-controlled URLs |
6. Процесс аудита¶
6.1 Phases¶
6.2 Detailed Steps¶
Phase 1: Planning - Define scope - Gather credentials/access - Schedule downtime if needed
Phase 2: Reconnaissance - Run automated tools - Collect configuration files - Map infrastructure
Phase 3: Analysis - Review tool outputs - Manual verification - Classify findings
Phase 4: Reporting - Document findings - Assign severity - Write recommendations
Phase 5: Remediation - Fix critical/high issues - Track in Linear - Re-test fixes
6.3 Timeline¶
| Phase | Duration |
|---|---|
| Planning | 1 hour |
| Reconnaissance | 2-4 hours |
| Analysis | 2-4 hours |
| Reporting | 2-4 hours |
| Remediation | Variable |
7. Reporting Format¶
7.1 Executive Summary¶
- Overall security posture
- Key findings count by severity
- Critical recommendations
7.2 Finding Format¶
### [SEVERITY-ID] Finding Title
**Severity:** Critical/High/Medium/Low/Info
**Category:** Infrastructure/Network/Application/Data/Dependencies
**CWE:** CWE-XXX (if applicable)
**CVSS:** X.X (if applicable)
**Description:**
What was found and why it's a problem.
**Evidence:**
Code snippet, screenshot, or command output.
**Impact:**
What could happen if exploited.
**Recommendation:**
How to fix it.
**References:**
- Link to documentation
- CWE/CVE links
7.3 Remediation Tracking¶
| ID | Finding | Severity | Status | Owner | Due Date |
|---|---|---|---|---|---|
| SEC-001 | ... | Critical | Fixed | @user | 2026-01-14 |
8. Frequency¶
| Audit Type | Frequency | Trigger |
|---|---|---|
| Full audit | Quarterly | Scheduled |
| Quick scan | Monthly | Automated |
| Dependency check | Weekly | CI/CD |
| Ad-hoc | As needed | Major changes |
Приложения¶
A. Tool Installation¶
B. Quick Audit Script¶
#!/bin/bash
# quick-audit.sh
echo "=== Code Security Audit ==="
cd apps/api && uv run bandit -r app/ -f txt
cd ../bot && uv run bandit -r app/ -f txt
echo "=== Dependency Audit ==="
cd ../api && uv run pip-audit
cd ../bot && uv run pip-audit
echo "=== Infrastructure Check ==="
ssh trader-psy "ufw status && ss -tlnp"
C. Related Documents¶
- SOPs — Standard Operating Procedures
- Security Report — Audit Results
Документ создан в рамках выполнения контракта order-001-phase1-ru