Open
Description
Would love to see support for:
- App/API routes (a list of entry points that describes the attack surface)
  - This could be "front door" like HTTP endpoints or "back door" MQ endpoints, databases, APIs, etc...
- Each route has...
  - Security controls like secure comms, authentication, access control, encryption, input validation, escaping, logging, etc...
  - Important operations - what happens during this route
  - Dangerous operations - using powerful capabilities
  - Accesses to backend systems
- Each security control has some general details like...
  * Authentication
    * SSO
    * MFA
    * Password details
    * etc...
  * Authorization
    * Set of roles available
    * Object reference approach
    * Cross-Site Request approach
  * Encryption
    * What algorithms are used, how initialized, where are keys stored
But each route has some specifics about how security controls are actually used.
* Is this route authenticated?
* Which access control checks (for which roles) are enforced (access control matrix)
* Does this route encrypt data - with which algorithm?
* etc...
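As an added example (not part of this issue or of the project's own code), the sketch below shows one way the requested model could be represented: each route carries its own control specifics, one function derives the access control matrix and another flags the gaps a reviewer would ask about (unauthenticated dangerous operations, dangerous operations open to every authenticated caller, backend access without encryption). The routes, roles, operations and backend names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry point on the attack surface and how the controls apply to it."""
    name: str
    kind: str                        # "http" (front door) or "mq"/"db" (back door)
    authenticated: bool
    roles: frozenset = frozenset()   # roles allowed; empty = any caller that passes auth
    encryption: str = ""             # algorithm in use; "" = data travels in the clear
    dangerous_ops: tuple = ()        # powerful capabilities this route exercises
    backends: tuple = ()             # backend systems this route reaches


ALL_ROLES = ("anonymous", "user", "admin")

# Constructed sample model of a hypothetical application (not from the issue).
ROUTES = (
    Route("GET /profile", "http", True, frozenset({"user", "admin"}), "TLS1.3"),
    Route("POST /admin/users", "http", True, frozenset({"admin"}), "TLS1.3",
          dangerous_ops=("create-user",), backends=("users-db",)),
    Route("POST /export", "http", True, frozenset(), "TLS1.3",
          dangerous_ops=("bulk-read",), backends=("users-db",)),
    Route("mq:order.events", "mq", False, frozenset(), "",
          dangerous_ops=("write-orders",), backends=("orders-db",)),
)


def access_control_matrix(routes, roles=ALL_ROLES):
    """Route x role matrix: True where that role may call the route."""
    def allowed(r, role):
        if not r.authenticated:      # no auth check: anyone, including anonymous
            return True
        return role != "anonymous" and (not r.roles or role in r.roles)
    return {r.name: {role: allowed(r, role) for role in roles} for r in routes}


def review(routes):
    """Flag per-route control gaps; returns one finding string per gap."""
    findings = []
    for r in routes:
        if r.dangerous_ops and not r.authenticated:
            findings.append(f"{r.name}: dangerous ops {r.dangerous_ops} without authentication")
        if r.dangerous_ops and r.authenticated and not r.roles:
            findings.append(f"{r.name}: dangerous ops {r.dangerous_ops} open to every authenticated caller")
        if r.backends and not r.encryption:
            findings.append(f"{r.name}: reaches {r.backends} without encryption")
    return findings


if __name__ == "__main__":
    for line in review(ROUTES):
        print(line)
```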