This guide helps you implement the security recommendations from the UIUC security requirements evaluation.
All security documentation is in the docs/ directory:
- UIUC_SECURITY_EXECUTIVE_SUMMARY.md ⭐ START HERE
  - Executive overview of the security evaluation
  - Key findings and recommendations
  - Implementation roadmap
  - Risk assessment
- UIUC_SECURITY_REQUIREMENTS.md
  - Comprehensive security requirements analysis
  - Detailed gap analysis
  - Security requirements matrix
  - Technical recommendations
- SECURITY_TESTING_PLAN.md
  - 100+ test case specifications
  - Automated and manual testing procedures
  - Security testing tools and setup
  - Test schedule and reporting
- SECURITY_CHECKLIST.md
  - Quick reference checklists
  - Pre-deployment security review
  - Code review security items
  - Incident response procedures
```bash
# Install test dependencies
pip install pytest pytest-asyncio pytest-cov

# Run security test suite
pytest tests/security/ -v

# Run with coverage
pytest tests/security/ --cov=src/canvas_mcp --cov-report=html
```

Expected results: some tests will pass (basic checks) and some will be skipped (features not yet implemented).
The .github/workflows/security-testing.yml workflow is ready to use:
- Ensure GitHub Actions is enabled for your repository
- The workflow runs automatically on:
  - Every push to main/development
  - Every pull request
  - Weekly (Sundays)
- Review results in the Actions tab
- Read the Executive Summary
- Check the security requirements matrix
- Review the critical gaps identified
- Prioritize implementation based on your needs
Priority 1: Code Execution Sandboxing (2-3 weeks)
- Implement Docker-based isolation for TypeScript execution
- See docs/UIUC_SECURITY_REQUIREMENTS.md, Section 4.1

Priority 2: Security Audit Logging (1 week)
- Add logging for PII access and security events
- See docs/UIUC_SECURITY_REQUIREMENTS.md, Section 6.1
Priority 3: Dependency Scanning (1 day)
- Enable Dependabot in GitHub repository settings
- Add pip-audit to CI/CD (already in workflow)
```bash
# FERPA compliance tests
pytest tests/security/test_ferpa_compliance.py -v

# Authentication security tests
pytest tests/security/test_authentication.py -v

# Code execution security tests
pytest tests/security/test_code_execution.py -v

# Input validation tests
pytest tests/security/test_input_validation.py -v

# Dependency security tests
pytest tests/security/test_dependencies.py -v
```

```bash
# SAST tools
pip install bandit semgrep

# Dependency scanners
pip install pip-audit safety

# Secret detection
pip install detect-secrets

# Run SAST scan
bandit -r src/canvas_mcp/

# Run dependency scan
pip-audit

# Run secret scan
detect-secrets scan
```

Track these metrics to monitor security posture:
| Metric | Target | Current |
|---|---|---|
| Test Coverage | >80% | TBD |
| Critical Vulns | 0 | TBD |
| High Vulns | <5 | TBD |
| Tests Passing | 100% | ~60% |
| FERPA Compliance | 100% | ~70% |
Update these metrics after running the security tests.
From the evaluation, these are the critical gaps requiring immediate attention:
**Code execution sandboxing**
- Current: Code executes with full user permissions
- Risk: Arbitrary code execution, credential theft, system compromise
- Solution: Docker/VM isolation, file system restrictions, network isolation
- Effort: High (2-3 weeks)
- Priority: Critical

**Security audit logging**
- Current: No logging of PII access or security events
- Risk: FERPA non-compliance, no audit trail, delayed incident detection
- Solution: Implement comprehensive security event logging
- Effort: Medium (1 week)
- Priority: Critical

**API token storage**
- Current: API tokens stored in plaintext
- Risk: Token exposure if the file system is compromised
- Solution: OS credential manager integration
- Effort: Medium (1 week)
- Priority: High

**PII in logs**
- Current: Logs may contain student PII
- Risk: FERPA compliance violation
- Solution: Sanitize all logs and error messages
- Effort: Medium (1 week)
- Priority: High

**Security monitoring**
- Current: No automated security monitoring
- Risk: Delayed threat detection
- Solution: Implement monitoring and alerting
- Effort: High (2-3 weeks)
- Priority: Medium
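The "sanitize all logs and error messages" gap above is easiest to close at a single choke point: a `logging.Filter` that scrubs every record before any handler writes it. The following is an added example, not code from the canvas_mcp project; the PII field names (`student_id`, `sis_user_id`, `user_id`), the logger name and the sample log lines are assumptions constructed for the demonstration.

```python
import logging
import re

# Assumed PII shapes for a Canvas-style deployment: e-mail addresses and user
# identifiers written as key=value or JSON "key": "value". Extend for your fields.
_PII_PATTERNS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "<email>"),
    (re.compile(r"""(?i)\b(student_id|sis_user_id|user_id)(["']?\s*[=:]\s*["']?)[^\s"',}]+"""),
     r"\1\2<id>"),
]

def redact(text: str) -> str:
    """Replace every PII match in text with a placeholder token."""
    for pattern, replacement in _PII_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class PIIRedactingFilter(logging.Filter):
    """Interpolate %-args first, then scrub the finished message, so PII passed
    as a format argument is caught as well as PII written into the template."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # already interpolated above
        return True

class _ListHandler(logging.Handler):
    """Collects formatted lines so demo() can return them for inspection."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

def demo() -> list[str]:
    """Send two constructed log calls through the filter; return what a handler sees."""
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PIIRedactingFilter())
    logger = logging.getLogger("canvas_mcp.pii_demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.info("fetched grades for student_id=12345 (jdoe@illinois.edu)")
    logger.warning("lookup failed for %s", '{"sis_user_id": "A1B2C3"}')
    return handler.lines
```

Tracebacks attached via `exc_info` are rendered by the formatter after the filter runs, so exception text still needs scrubbing (for example by calling `redact()` from a custom `Formatter.formatException`). Attach the filter to every handler, not only the console one, or a file handler will still receive unredacted records.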
- Review security documentation
- Run security test suite
- Enable GitHub Actions security workflow
- Start code execution sandboxing implementation
- Enable Dependabot for dependency scanning
- Complete code execution sandboxing
- Implement security audit logging
- Add PII sanitization to logs
- Encrypt API tokens at rest
- Complete FERPA compliance verification
- Implement MCP client authentication
- Add security monitoring and alerting
- Complete all security tests
- Conduct penetration testing
- Document security procedures
- Weekly automated security scans
- Monthly security reviews
- Quarterly assessments
- Annual third-party audit
- Overview: UIUC_SECURITY_EXECUTIVE_SUMMARY.md
- Requirements: UIUC_SECURITY_REQUIREMENTS.md
- Testing: SECURITY_TESTING_PLAN.md
- Checklist: SECURITY_CHECKLIST.md
- Security Issues: Use GitHub Security Advisory
- Questions: Open a GitHub issue with the `security` label
- Policy: See SECURITY.md
You've successfully implemented the security plan when:
- ✅ All critical security gaps addressed
- ✅ Security test suite passing (>80% of tests)
- ✅ Automated security scanning enabled
- ✅ Zero critical vulnerabilities
- ✅ FERPA compliance verified
- ✅ Security documentation complete
- ✅ Incident response plan tested
- ✅ Regular security reviews scheduled
Recommended order:
- Today: Read Executive Summary (30 min)
- This Week: Run security tests and enable CI/CD workflow (1 hour)
- This Month: Address critical security gaps (2-3 weeks)
- This Quarter: Complete high and medium priority items (8 weeks)
- Ongoing: Maintain security with regular testing and reviews
Version: 1.0
Last Updated: January 2026
Status: Ready for Implementation