security-mcp 1.1.4 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +116 -264
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/security-policy.json +2 -2
- package/dist/cli/index.js +0 -0
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/dependencies.js +571 -15
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +114 -1
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +244 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +131 -9
- package/dist/gate/policy.js +280 -131
- package/dist/mcp/audit-chain.js +122 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +158 -21
- package/dist/mcp/orchestration.js +186 -51
- package/dist/mcp/server.js +337 -53
- package/dist/repo/fs.js +24 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +52 -1
- package/package.json +7 -7
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +109 -0
- package/skills/agentic-loop-exploiter/SKILL.md +368 -0
- package/skills/ai-llm-redteam/SKILL.md +104 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
- package/skills/android-penetration-tester/SKILL.md +455 -46
- package/skills/anti-replay-tester/SKILL.md +106 -0
- package/skills/appsec-code-auditor/SKILL.md +85 -0
- package/skills/artifact-integrity-analyst/SKILL.md +441 -0
- package/skills/attack-navigator/SKILL.md +467 -8
- package/skills/auth-session-hacker/SKILL.md +102 -0
- package/skills/aws-penetration-tester/SKILL.md +456 -0
- package/skills/azure-penetration-tester/SKILL.md +490 -3
- package/skills/binary-auth-validator/SKILL.md +111 -0
- package/skills/bot-detection-specialist/SKILL.md +109 -0
- package/skills/business-logic-attacker/SKILL.md +231 -0
- package/skills/capec-code-mapper/SKILL.md +84 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
- package/skills/ciso-orchestrator/SKILL.md +454 -43
- package/skills/cloud-infra-specialist/SKILL.md +118 -0
- package/skills/compliance-gap-analyst/SKILL.md +422 -0
- package/skills/compliance-grc/SKILL.md +85 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
- package/skills/credential-stuffing-specialist/SKILL.md +102 -0
- package/skills/crypto-pki-specialist/SKILL.md +87 -0
- package/skills/csa-ccm-mapper/SKILL.md +84 -0
- package/skills/csf2-governance-mapper/SKILL.md +84 -0
- package/skills/deep-link-fuzzer/SKILL.md +109 -0
- package/skills/dependency-confusion-attacker/SKILL.md +415 -0
- package/skills/device-integrity-aggregator/SKILL.md +108 -0
- package/skills/dos-resilience-tester/SKILL.md +97 -0
- package/skills/dread-scorer/SKILL.md +84 -0
- package/skills/egress-policy-enforcer/SKILL.md +99 -0
- package/skills/evidence-collector/SKILL.md +98 -0
- package/skills/file-upload-attacker/SKILL.md +109 -0
- package/skills/gcp-penetration-tester/SKILL.md +459 -2
- package/skills/git-history-secret-scanner/SKILL.md +106 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
- package/skills/incident-responder/SKILL.md +111 -0
- package/skills/injection-specialist/SKILL.md +102 -0
- package/skills/ios-security-auditor/SKILL.md +282 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +384 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
- package/skills/kill-switch-engineer/SKILL.md +102 -0
- package/skills/linddun-privacy-analyst/SKILL.md +102 -0
- package/skills/logic-race-fuzzer/SKILL.md +443 -0
- package/skills/mobile-api-network-attacker/SKILL.md +421 -0
- package/skills/mobile-binary-hardener/SKILL.md +102 -0
- package/skills/mobile-security-specialist/SKILL.md +85 -0
- package/skills/mobile-webview-auditor/SKILL.md +96 -0
- package/skills/model-extraction-attacker/SKILL.md +219 -0
- package/skills/multipart-abuse-tester/SKILL.md +84 -0
- package/skills/oauth-pkce-specialist/SKILL.md +104 -0
- package/skills/parser-exhaustion-tester/SKILL.md +142 -0
- package/skills/pentest-infra/SKILL.md +98 -0
- package/skills/pentest-social/SKILL.md +201 -0
- package/skills/pentest-team/SKILL.md +87 -0
- package/skills/pentest-web-api/SKILL.md +98 -0
- package/skills/privacy-flow-analyst/SKILL.md +234 -0
- package/skills/prompt-injection-specialist/SKILL.md +394 -0
- package/skills/quantum-migration-planner/SKILL.md +96 -0
- package/skills/rag-poisoning-specialist/SKILL.md +358 -0
- package/skills/registry-mirror-enforcer/SKILL.md +84 -0
- package/skills/rotation-validation-agent/SKILL.md +112 -0
- package/skills/samm-assessor/SKILL.md +85 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
- package/skills/senior-security-engineer/SKILL.md +167 -0
- package/skills/serialization-memory-attacker/SKILL.md +332 -0
- package/skills/session-timeout-tester/SKILL.md +161 -0
- package/skills/slsa-level3-enforcer/SKILL.md +112 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
- package/skills/ssrf-detection-validator/SKILL.md +108 -0
- package/skills/step-up-auth-enforcer/SKILL.md +84 -0
- package/skills/stride-pasta-analyst/SKILL.md +420 -0
- package/skills/supply-chain-devsecops/SKILL.md +98 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
- package/skills/threat-modeler/SKILL.md +85 -0
- package/skills/tls-certificate-auditor/SKILL.md +573 -18
- package/skills/token-reuse-detector/SKILL.md +95 -0
- package/skills/trike-risk-modeler/SKILL.md +84 -0
- package/skills/unicode-homograph-tester/SKILL.md +84 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
- package/skills/webhook-security-tester/SKILL.md +102 -0
- package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -75,3 +75,285 @@ Only activated if iOS or cross-platform mobile is detected.
 - MASVS control ID violated
 - Swift/ObjC code fix written inline
 - CVSSv4, CWE
+- `intelligenceForOtherAgents` block (see schema below)
+- `coverageManifest` (see §ZERO-MISS-MANDATE)
+
+Every findings JSON MUST include `intelligenceForOtherAgents`:
+```json
+{
+"intelligenceForOtherAgents": {
+"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
+"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
+"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
+"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
+}
+}
+```
+
+---
+
+## BEYOND SKILL.MD — MANDATORY EXPANSIONS
+
+These expansions cover attack surfaces that OWASP MASVS alone does not fully address. Each
+check is mandatory — do not skip without documented justification.
+
+1. **CVE-2023-23530 / CVE-2023-23531 — NSPredicate Injection via SpringBoard:**
+Any app that constructs `NSPredicate` strings from user input is vulnerable to sandbox
+escape on unpatched iOS 16.3 and below. Test: grep codebase for `NSPredicate(format:` with
+non-literal format strings. Finding: any variable interpolated into the format string without
+`SELF == %@` substitution. Fix: only use `NSPredicate(format:)` with `%@`, `%d`, `%K`
+substitution — never string concatenation.
+
+2. **Frida / Objection Dynamic Instrumentation Bypass Detection:**
+Attackers attach Frida to a running app via `frida-server` on jailbroken devices to hook
+`LAContext.evaluatePolicy` and return `true` unconditionally. Test: check for
+`MSHookFunction` / `fishhook` resistance and integrity checks around auth decision points.
+Concrete detection: compute a runtime hash of `LAContext`'s method IMP; compare against a
+compile-time constant. Finding: absence of any IMP integrity check near biometric evaluation.
+
+3. **iOS Backup Keychain Extraction (CVE class: MASVS-STORAGE-2):**
+Items stored with `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` are excluded from
+iTunes/iCloud backup, but items with the non-`ThisDeviceOnly` variants ARE included in
+unencrypted backups. Test: enumerate all `SecItemAdd`/`SecItemUpdate` calls; flag any
+`kSecAttrAccessible` value without `ThisDeviceOnly` suffix for sensitive item classes
+(`kSecClassGenericPassword`, `kSecClassInternetPassword`). Tool: `idevicebackup2` +
+`KeychainDumper` on a backup image. Finding: auth tokens or PII in backup-eligible
+Keychain slots.
+
+4. **Universal Link Hijacking via Misconfigured AASA (apple-app-site-association):**
+If `apple-app-site-association` specifies an overly broad path (`"paths": ["*"]`) or is
+served from an HTTP endpoint, an attacker-controlled domain can intercept OAuth redirects.
+Test: fetch `https://<domain>/.well-known/apple-app-site-association`; validate JSON
+structure, HTTPS enforcement, and path specificity. Script: `curl -s
+https://TARGET/.well-known/apple-app-site-association | jq '.applinks.details[].paths'`.
+Finding: wildcard `*` path or missing HTTPS redirect.
+
+5. **Swift Concurrency Race on Authentication State (`async`/`await` TOCTOU):**
+Post-iOS 15 Swift async/await patterns introduce new TOCTOU windows: an `actor`-isolated
+authentication state may be read by one task while a concurrent task is resetting it.
+Test: search for `actor` definitions that guard auth state; verify that all mutations and
+reads use the same actor isolation. Grep: `nonisolated` adjacent to auth-state-bearing
+actors. Finding: `nonisolated` method on an auth actor that reads sensitive state without
+re-entering the actor.
+
+6. **AI-Assisted Reverse Engineering of Obfuscated Swift Binaries (Post-2024 Threat):**
+LLM-powered tools (e.g., IDA + GPT-4 plugins, BinaryNinja Sidekick) can reconstruct
+business logic from stripped Swift binaries in under an hour — vastly reducing the time
+to extract hardcoded secrets or forge authentication tokens. Test: run `strings` + `nm` on
+the release `.ipa`; confirm no API keys, JWT secrets, or internal hostnames appear in
+plain text. Additionally, verify that certificate pinning logic is not trivially identified
+by pattern-matching on `SecCertificateCopyData` call sites alone. Finding: any secret
+detectable by automated string extraction from the binary.
+
+7. **LLM Prompt-Injection via On-Device AI Features (Post-2024 Threat — Apple Intelligence):**
+Apps integrating Apple Intelligence / Core ML LLM features that pass user-controlled text
+directly to an on-device model without sanitisation are vulnerable to prompt injection
+resulting in privilege escalation within the app's own data scope. Test: identify
+`MLModel`, `NaturalLanguage`, or `CreateML` usage where user text is interpolated into a
+system prompt. Finding: system prompt concatenation with unsanitised `UITextField` or
+clipboard content that can redirect model output to exfiltrate in-app data.
+
+8. **WebView JavaScript Bridge Exposure (`WKScriptMessageHandler`):**
+`WKScriptMessageHandler` creates a named bridge callable from JavaScript inside a
+`WKWebView`. If the WebView loads remote or user-controlled content, any registered message
+handler becomes an RCE or data-exfiltration surface. Test: grep for
+`add(_:name:)` on `userContentController`; for each handler, verify the loaded URL origin
+is pinned to an allowlist. Script: `grep -rn "add.*name:" --include="*.swift"`. Finding:
+handler registered without origin validation, or WebView loads `http://` or a
+user-supplied URL.
+
+---
+
+## §IOS_SECURITY_AUDITOR-CHECKLIST
+
+1. **Keychain accessibility class audit** — Search all `SecItemAdd` calls; verify
+`kSecAttrAccessible` is `WhenUnlockedThisDeviceOnly` or `WhenPasscodeSetThisDeviceOnly`
+for auth tokens and PII. Finding: any non-`ThisDeviceOnly` or `Always*` value for
+sensitive data.
+
+2. **ATS exception audit** — Parse `Info.plist`; flag `NSAllowsArbitraryLoads`, any
+`NSExceptionDomains` entry with `NSExceptionAllowsInsecureHTTPLoads: true`, or
+`NSAllowsLocalNetworking: true` in production builds. Finding: any ATS exception not
+accompanied by a documented compliance reason.
+
+3. **Certificate pinning implementation review** — Locate `URLSession` delegate
+`urlSession(_:didReceive:completionHandler:)`; verify leaf or intermediate certificate
+hash is pinned (not just hostname); verify backup pin exists. Finding: absent pinning,
+hostname-only validation, or pinned only to a single certificate with no fallback.
+
+4. **Biometric auth enrollment-change invalidation** — After `LAContext.evaluatePolicy`
+success, check that `evaluatedPolicyDomainState` is compared against a stored baseline.
+Finding: no `evaluatedPolicyDomainState` persistence between app launches — biometric
+re-enrollment is not detected.
+
+5. **Universal Link / AASA integrity check** — Fetch the AASA file over HTTPS; validate
+the JSON schema against Apple's spec; confirm paths are not `*`; confirm the file is
+served with `Content-Type: application/json`. Finding: any deviation from spec, wildcard
+path, or HTTP delivery.
+
+6. **Pasteboard sensitive-data leak** — Grep for `UIPasteboard.general.string =` and
+`UIPasteboard.general.setValue`; verify no auth tokens, card numbers, or PII are written.
+Finding: any sensitive value written to the general pasteboard (accessible by all apps).
+
+7. **NSUserDefaults / UserDefaults PII audit** — Grep for `UserDefaults.standard.set` and
+`UserDefaults.standard.setValue`; verify keys do not store credentials, tokens, or PII.
+Finding: any token or PII key in `UserDefaults` (unencrypted, included in iCloud backup
+by default).
+
+8. **WKWebView JavaScript bridge origin validation** — For each `WKScriptMessageHandler`
+registration, verify the WebView's navigation delegate `decidePolicyFor` restricts origins
+to a hardcoded allowlist. Finding: handler accessible from arbitrary or remote URLs.
+
+9. **Binary hardening flags** — Run `otool -hv <binary>` and `otool -l <binary> | grep
+stack_chk`; verify PIE flag set, stack canaries present, ARC enabled. Finding: missing
+PIE or stack canary in any framework or main binary.
+
+10. **Info.plist secrets scan** — Search `Info.plist` for keys containing `key`, `secret`,
+`token`, `password`, `apiKey` (case-insensitive). Run `plutil -convert json -o - Info.plist
+| jq 'keys[] | ascii_downcase | select(contains("key","secret","token","password"))'`.
+Finding: any non-empty value for a matched key.
+
+11. **NSPredicate injection audit** — Grep for `NSPredicate(format:` with string interpolation
+or concatenation (not solely `%@`/`%K`/`%d` substitution). Finding: user-controlled data
+in predicate format string (arbitrary property access or sandbox escape on iOS < 16.3.2).
+
+12. **Secure Enclave key usage for authentication** — Verify that private keys used in
+authentication flows are generated with `kSecAttrTokenIDSecureEnclave`. Finding: auth
+private key stored in software Keychain rather than Secure Enclave — extractable via
+Keychain dump on jailbroken device.
+
+---
+
+## §POC-REQUIREMENT
+
+Every CRITICAL or HIGH finding MUST follow this exact sequence before being recorded:
+
+1. **Write working PoC FIRST** — exact payload, request sequence, or tool command that
+reproduces the vulnerability. For iOS findings this means: the exact `security
+dump-keychain` command, `frida` script, or `curl` invocation that demonstrates impact.
+2. **Confirm reproduction** — execute the PoC and capture output proving the finding is real.
+3. **Write fix** — provide inline Swift/ObjC code that remediates the root cause.
+4. **Verify PoC fails against fix** — re-run the identical PoC against the fixed code; confirm
+it no longer succeeds.
+5. **Record in findings JSON** — include `exploitPoC` key with the exact reproduction steps
+and the verification output showing the fix is effective.
+
+**PoC skipping = severity automatically downgraded to MEDIUM.** If runtime access is
+unavailable (e.g., CI-only environment), document the limitation in `exploitPoC` and flag
+for manual validation before release.
+
+---
+
+## §PROJECT-ESCALATION
+
+Immediately alert the CISO orchestrator and reprioritise the run if ANY of the following
+conditions are detected:
+
+1. **Keychain data accessible without device unlock** — any item found with
+`kSecAttrAccessibleAlways` or `kSecAttrAccessibleAlwaysThisDeviceOnly` containing
+authentication credentials or cryptographic key material.
+
+2. **ATS fully disabled in production build** — `NSAllowsArbitraryLoads: true` confirmed
+in a non-debug `Info.plist`; all network traffic is cleartext-eligible.
+
+3. **Hardcoded private key or JWT secret in binary or plist** — `strings` / `grep` confirms
+a PEM block, base64 key, or JWT `HS256`/`RS256` secret appears verbatim in a shipped
+artifact.
+
+4. **NSPredicate injection on iOS < 16.3.2 confirmed** — user-controlled input reaches
+an `NSPredicate(format:)` call; SpringBoard sandbox escape is within attacker reach.
+
+5. **WKWebView bridge with no origin check loading remote URL** — any `WKScriptMessageHandler`
+accessible from a remotely loaded page; classified as RCE-class vulnerability on the
+app's data scope.
+
+6. **Apple Wallet / PassKit credential stored outside Secure Enclave** — payment or transit
+pass private key material found in software Keychain rather than Secure Enclave.
+
+7. **LLM prompt injection confirmed in Apple Intelligence integration** — attacker-controlled
+clipboard or text field content demonstrably redirects on-device model output to access
+app-internal data or bypass app-level access controls.
+
+8. **Certificate pinning absent on a financial or health data endpoint** — MitM is trivially
+possible on endpoints transmitting PCI-DSS or HIPAA-regulated data.
+
+---
+
+## §EDGE-CASE-MATRIX
+
+The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
+
+| # | Edge Case | Why Scanners Miss It | Concrete Test |
+|---|-----------|----------------------|---------------|
+| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
+| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
+| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
+| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
+| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
+
+---
+
+## §TEMPORAL-THREATS
+
+Threats materialising in the 2025–2030 window that defences designed today must account for.
+
+| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
+|--------|--------------|--------------------------|----------------|
+| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
+| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
+| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
+| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
+| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
+
+---
+
+## §DETECTION-GAP
+
+What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
+
+**Standard gaps that MUST be checked:**
+
+- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
+- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
+- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
+- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
+- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
+
+---
+
+## §ZERO-MISS-MANDATE
+
+This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
+- `CHECKED: [N files] | [patterns used] | CLEAN`
+- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
+- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
+
+**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
+
+The output findings JSON MUST include a `coverageManifest` key:
+```json
+{
+"coverageManifest": {
+"attackClassesCovered": [{ "class": "SQL Injection", "filesReviewed": 47, "patterns": ["queryRaw", "string concat"], "result": "CLEAN" }],
+"filesReviewed": 47,
+"negativeAssertions": ["SQL Injection: queryRaw pattern searched across 47 files — 0 matches"],
+"uncoveredReason": {}
+}
+}
+```
+
+---
+
+## LEARNING SIGNAL
+
+On every finding resolved, emit:
+```json
+{
+"findingId": "FINDING_ID",
+"agentName": "ios-security-auditor",
+"resolved": true,
+"remediationTemplate": "one-line description of what was done",
+"falsePositive": false
+}
+```
+Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
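Review bot: the two `otool` commands in checklist item 9 (new lines 207-208) do not check what the text says they check. `otool -l` prints load commands, so `otool -l <binary> | grep stack_chk` can never match; the `___stack_chk_fail` / `___stack_chk_guard` references live in the symbol table and are found with `nm <binary> | grep stack_chk` or `otool -I -v <binary> | grep stack_chk`, and "ARC enabled" is inferred the same way from `_objc_release` / `_objc_retain` references, while `otool -hv` only covers the `PIE` header flag. The `jq` filter in item 10, `select(contains("key","secret","token","password"))`, is a syntax error as well, since `contains` takes a single argument; `select(test("key|secret|token|password"))` after `ascii_downcase` gives the intended case-insensitive match. Two consistency problems should also be fixed before merge: expansion 1 says the NSPredicate issue affects "iOS 16.3 and below" while item 11 and escalation 4 say "iOS < 16.3.2", and the text treats an app's own `NSPredicate(format:)` string building as equivalent to the CVE-2023-23530 / CVE-2023-23531 sandbox escape, whereas format-string injection on its own yields arbitrary property / KVC access inside the app and should be described separately from the Foundation deserialization bug those CVEs cover; reconcile the version statements against Apple's advisory. Expansion 3 needs rewording: Keychain items without the `ThisDeviceOnly` suffix are the ones that can be restored to another device from a password-protected (encrypted) backup, where they are wrapped with the backup password; in an unencrypted backup keychain items stay bound to the device key, so the `idevicebackup2` + `KeychainDumper` test only works with the backup password in hand. Finally, `security dump-keychain` in §POC-REQUIREMENT is a macOS command with no iOS counterpart; a `frida` / `objection` keychain dump on a jailbroken device is the reproducible PoC for this skill.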