Ekosistem App

OWASP Top 10 Compliance

How Ekosistem App's controls map to the OWASP Top 10 web application risks.

Last updated: May 2026

Purpose & Scope

This document maps each of the OWASP Top 10:2021 risks to the controls Ekosistem App has in place. Coverage is reviewed when OWASP issues a new revision.

OWASP Top 10:2021 — Coverage

Each item below names the OWASP risk and how Ekosistem App mitigates it:

  • A01 Broken Access Control — JWT auth + Redis blacklist, ecosystem-membership middleware on every endpoint, role hierarchy (system_admin → member), strict ownership checks on mutations to prevent IDOR.
  • A02 Cryptographic Failures — TLS for all data in transit; refresh tokens held in httpOnly, Secure, SameSite cookies; bcrypt hashing of passwordless-login artefacts at rest; HMAC-signed email tracking tokens.
  • A03 Injection — Drizzle ORM only (no raw SQL), Zod-validated inputs (.strict() rejects unknown fields), DOMPurify for rendered HTML.
  • A04 Insecure Design — Defense-in-depth at every endpoint; documented threat model; explicit rate-limit and auth tiers; closed-by-default ecosystems.
  • A05 Security Misconfiguration — Strict CORS allowlist, security headers (CSP, HSTS, X-Frame-Options), Zod-validated env at boot, no default secrets.
  • A06 Vulnerable & Outdated Components — pnpm-locked dependencies, weekly dependency review, prompt patching for CVEs (see Vulnerability Management).
  • A07 Identification & Authentication Failures — Magic-link login (no passwords stored), short-lived JWTs, single-use refresh rotation, blacklist on logout.
  • A08 Software & Data Integrity Failures — Lockfile-pinned dependencies, signed Git commits where supported, immutable build artefacts on Railway and Vercel.
  • A09 Logging & Monitoring Failures — Pino structured logs, PII scrubbing, retained moderation/audit trails (see Log Management).
  • A10 Server-Side Request Forgery — Outbound URLs are validated before any fetch; user-supplied URLs are never fetched server-side unless the target host is on an explicit allowlist.
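
The A10 entry above describes the general pattern (parse, then allowlist the host, then fetch). The following is an added illustration of that pattern, not code from Ekosistem App or Plademy Oy: it uses only Node's built-in `URL` parser and `net.isIP`, and the allowlisted hostnames (`api.example.com`, `cdn.example.com`) and the function names `validateOutboundUrl` / `isBlockedIp` are assumptions made for the example.

```typescript
import { isIP } from "node:net";

// Constructed allowlist for this example: the only hosts a server-side fetch may target.
const OUTBOUND_HOST_ALLOWLIST = new Set<string>(["api.example.com", "cdn.example.com"]);

interface UrlCheck {
  ok: boolean;
  reason?: string; // why the URL was rejected
  url?: string;    // normalised URL, only present when ok
}

// Reject IP literals that point at loopback, private, link-local (incl. cloud
// metadata at 169.254.169.254) or IPv4-mapped IPv6 ranges, regardless of the allowlist.
function isBlockedIp(host: string): boolean {
  const version = isIP(host);
  if (version === 4) {
    const [a, b] = host.split(".").map(Number);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168)
    );
  }
  if (version === 6) {
    const h = host.toLowerCase();
    return (
      h === "::" || h === "::1" ||
      h.startsWith("fc") || h.startsWith("fd") ||   // unique local
      h.startsWith("fe80") ||                        // link-local
      h.startsWith("::ffff:")                        // IPv4-mapped, bypasses the v4 check above
    );
  }
  return false;
}

// Validate a user-supplied URL before the server fetches it. Returns the
// rejection reason so callers can log it without leaking the raw input.
function validateOutboundUrl(raw: string): UrlCheck {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };          // no http:, file:, gopher:, ...
  if (u.username || u.password) return { ok: false, reason: "credentials" };  // https://allowed.host@evil.host/ tricks
  // WHATWG URL keeps the brackets on IPv6 literals; strip them so isIP() recognises the address.
  const host = u.hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (isBlockedIp(host)) return { ok: false, reason: "private-address" };
  if (!OUTBOUND_HOST_ALLOWLIST.has(host)) return { ok: false, reason: "host-not-allowlisted" };
  if (u.port !== "" && u.port !== "443") return { ok: false, reason: "port" };  // default port is normalised to ""
  return { ok: true, url: u.toString() };
}

// Stand-alone demonstration against a mix of legitimate and hostile inputs (constructed).
for (const candidate of [
  "https://api.example.com/v1/users",
  "http://api.example.com/",
  "https://user:pw@api.example.com/",
  "https://169.254.169.254/latest/meta-data/",
  "https://[::1]/admin",
  "https://evil.example.org/",
]) {
  console.log(candidate, "->", validateOutboundUrl(candidate));
}
```

A hostname allowlist is necessary but not sufficient: the allowlisted name can still resolve to an internal address later (DNS rebinding), and the allowlisted host can redirect elsewhere. In practice the fetch should resolve the name and re-run the address check at connection time, and either disable redirects or re-validate every redirect target with the same function.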

Verification

These mappings are revalidated using the following practices:

  • Code reviews check for the corresponding controls when relevant code is touched.
  • Dependency advisories are reviewed weekly and prioritised against this list.
  • Penetration tests, when commissioned, must include explicit checks against each Top 10 risk.
  • Major framework upgrades trigger a review of this mapping.

Roles & Responsibilities

OWASP Top 10 mapping is owned by the engineering team:

  • Engineering — keeps this mapping current and produces evidence of each control.
  • Operations — surfaces incident telemetry that signals weakness in any Top 10 area.
  • External auditors — when engaged, validate the mapping against the live system.
  • Plademy Oy — accountable for resolving any documented gap.

Review & Contact

This mapping is reviewed at least annually and after every OWASP Top 10 revision. Reports of weaknesses can be sent to developer@plademy.com.

Developer and Operator
Plademy Oy
Maria 01, Lapinlahdenkatu 16, 00180 Helsinki, Finland
Business-ID: 3386328-3
Ekosistem App — Community operating system