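---
# Security specification: encryption, data protection, compliance scope and a
# short threat list. Nesting restored from the flattened file-viewer rendering;
# all keys and values are unchanged.
spec_type: security
name: Security Specifications
version: "1.0"

encryption:
  at_rest:
    # AES-256-GCM is authenticated encryption; it is only safe while a
    # nonce is never reused under the same key.
    algorithm: AES-256-GCM
    # NOTE(review): key rotation interval, key scope and who may call
    # decrypt are not captured in this spec - confirm where they live.
    key_management: AWS KMS
  in_transit:
    # NOTE(review): not stated whether TLS 1.3 is the minimum or the only
    # accepted version, or whether internal service-to-service traffic
    # is covered - confirm.
    protocol: TLS 1.3
    # Let's Encrypt certificates are short-lived, so renewal has to be
    # automated and expiry monitored.
    certificate_authority: Let's Encrypt

data_protection:
  # Fields treated as personal data. payment_info also falls under the
  # PCI-DSS entry in compliance.standards below.
  pii_fields:
    - email
    - phone
    - address
    - payment_info
  retention_policy:
    # Free-form duration strings; the consumer must parse them.
    # NOTE(review): not stated whether backups and logs follow the same
    # limits - this matters for the GDPR erasure requirement below.
    active_data: 3 years
    deleted_data: 30 days
  anonymization:
    enabled: true
    # NOTE(review): no k value or quasi-identifier list is given.
    # k-anonymity alone does not prevent attribute disclosure when a group
    # shares one sensitive value; confirm whether l-diversity or a similar
    # check is applied.
    method: k-anonymity

compliance:
  # The requirement lists are short summaries, not the full control sets
  # of each standard.
  standards:
    - name: GDPR
      regions: [EU]
      requirements:
        - Right to be forgotten
        - Data portability
        - Consent management
    - name: PCI-DSS
      # NOTE(review): presumably the merchant / service-provider level -
      # confirm against the assessor's scoping.
      level: 1
      requirements:
        - Secure cardholder data
        - Access control
        - Network monitoring

threat_model:
  # Covers three web-application threats only. The severity scale
  # (high / medium) is not defined in this file.
  # NOTE(review): authentication, authorization, secrets handling and
  # dependency risks are not listed - confirm they are tracked elsewhere.
  threats:
    - name: SQL Injection
      mitigation: Parameterized queries
      severity: high
    - name: XSS
      # Output encoding must match the sink context (HTML body, attribute,
      # JavaScript, URL); CSP is a second layer, not a replacement.
      mitigation: Output encoding, CSP headers
      severity: high
    - name: CSRF
      mitigation: CSRF tokens
      severity: medium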