Security Architecture Specification
Overview
Security architecture including threat model, security boundaries, and security controls.
Threat Model
Threat Categories
1. External Threats:
- DDoS attacks
- SQL injection
- XSS attacks
- API abuse
2. Internal Threats:
- Privileged user abuse
- Data breaches
- Insider threats
3. Infrastructure Threats:
- Node compromise
- Database breaches
- Network attacks
Security Boundaries
- DMZ: Public-facing services
- Internal Network: Backend services
- Data Layer: Database and storage (isolated)
- Blockchain Network: Node network (isolated)
KMS/HSM Integration
Key Management
- Storage: Hardware Security Module (HSM)
- Usage: API keys, signing keys, encryption keys
- Access: Role-based, audit logged
Secrets Management
Secret Storage
- Solution: Vault, AWS Secrets Manager, or similar
- Encryption: At rest and in transit
- Rotation: Regular key rotation
- Access: Least privilege principle
Signed Builds and SBOM
Build Signing
- Process: Sign all builds
- Verification: Verify signatures before deployment
- Tooling: Code signing certificates
SBOM (Software Bill of Materials)
- Generation: Generate SBOM for all dependencies
- Storage: Store SBOM for audit
- Vulnerability Scanning: Scan SBOM for known vulnerabilities
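The build-signing and SBOM-scanning controls above can be combined into a single pre-deployment gate. The following is an added example, not part of this specification or the project's code; it assumes Ed25519 as the signing scheme, a minimal CycloneDX-like SBOM shape, and a constructed advisory feed keyed by `name@version` with placeholder IDs in place of a real vulnerability database.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// SBOM is a minimal CycloneDX-like document shape, constructed for this example.
type SBOM struct {
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"components"`
}
// SignBuild signs the artifact bytes with the build signing key (assumed Ed25519).
func SignBuild(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}
// VerifyBuild checks the artifact signature against the trusted build public key.
func VerifyBuild(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// ScanSBOM returns advisory IDs for components listed in the SBOM that appear in the
// feed. The feed maps "name@version" to an advisory ID (constructed stand-in for a vuln DB).
func ScanSBOM(sbomJSON []byte, feed map[string]string) ([]string, error) {
	var sbom SBOM
	if err := json.Unmarshal(sbomJSON, &sbom); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range sbom.Components {
		if id, ok := feed[c.Name+"@"+c.Version]; ok {
			hits = append(hits, id)
		}
	}
	return hits, nil
}

// DeployGate allows deployment only if the signature verifies AND the SBOM has no known vulns.
func DeployGate(pub ed25519.PublicKey, artifact, sig, sbomJSON []byte, feed map[string]string) error {
	if !VerifyBuild(pub, artifact, sig) {
		return fmt.Errorf("refusing deploy: build signature invalid")
	}
	hits, err := ScanSBOM(sbomJSON, feed)
	if err == nil && len(hits) > 0 {
		err = fmt.Errorf("refusing deploy: vulnerable components %v", hits)
	}
	return err
}
```

Signature verification runs before the SBOM is parsed, so an unsigned or tampered artifact is rejected without trusting any data it carries.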
References
- Authentication: See auth-spec.md
- Privacy: See privacy-controls.md