Skip to content

security.md

Latest commit

 

History

History
33 lines (23 loc) · 3.04 KB

security.md

File metadata and controls

33 lines (23 loc) · 3.04 KB

Security Operations and Threat Modeling

Author: Basil Saji Mathew (BSM) Role: Cybersecurity Engineer

The IP Whitelisting Automation System has been engineered utilizing a security-first ideology. Given that the platform fundamentally interfaces with network boundary parameters, defense-in-depth methodologies are strictly enforced.

Threat Matrices and Applied Mitigations

1. Command Injection Prevention

A core capability of this application requires it to interface with tools such as iptables. Traditional applications construct string commands (e.g., os.system("iptables -A INPUT -s " + ip_address)). This introduces profound vulnerability to arbitrary execution. Mitigation: The system strictly constructs execution variables inside isolated parameter lists utilizing Python's subprocess library (e.g., ["iptables", "-I", "INPUT", "-s", ip_address, "-j", "ACCEPT"]). It bypasses the system shell entirely, stripping out arbitrary injection capabilities.

2. Denial of Service (DoS) and Resource Mapping

Attacking the API gateway with heavily malformed data generally consumes application resource pools. Mitigation: Built heavily on Pydantic and FastAPI, the system rejects malformed JSON and incorrect IP structures at the ingress parsing level natively in C via underlying engines. Traffic fails instantly with HTTP 422 errors, protecting the database pooling structures.

3. Lateral Movement Risk

A compromised web service provides attackers direct pathways to system kernels. Mitigation: Web application operations are completely decoupled from network privileges. The API layer (FastAPI) operates entirely unprivileged. The required elevation constraints (NET_ADMIN) are assigned exclusively to isolated, internal Celery worker containers which possess no exposing ports.

4. Post-Breach Compliance and Forensics

In external environments, internal misbehavior or compromised identities can issue unauthorized configurations. Mitigation: Dual-commitment transactions ensure that database changes cannot finalize unless an audit log is explicitly generated in tandem with the primary record. Audit logs do not possess arbitrary deletion structures inside the application.

Mandatory Production Hardening Requirements

Prior to transferring the deployment from a development branch into production staging, administrators must guarantee the following tasks:

  1. VPC Encapsulation: The primary HTTP APIs must be shielded behind internal Virtual Private Clouds.
  2. TLS / SSL Termination: Implement a reverse proxy (Nginx, Traefik, or HAProxy) terminating TLS connections. No traffic should transmit to Uvicorn over port 80/8000 via cleartext.
  3. Secret Rotation: Modify the .env parameter SECRET_KEY. Employ a Cryptographically Secure Pseudorandom Number Generator (CSPRNG) utilizing an output length of no less than 64 characters.
  4. Registration Control: Evaluate disabling POST /auth/register to prevent unauthorized generation of administrative accounts. Switch to internal manual database seeds for user generation.