SCBE-AETHERMOORE Security Hardening Checklist
Purpose: Bank procurement readiness
Standard: NIST 800-53, PCI-DSS, FFIEC, DORA
Status: In Progress
1. Cryptography, Authentication & Data Protection
1.1 Cryptographic Primitives
| Requirement | Current State | Target | Priority |
| AES-256-GCM for symmetric encryption | ✅ Implemented | ✅ | - |
| TLS 1.3 only (no 1.2 fallback) | ⚠️ Not enforced | Required | HIGH |
| NIST PQC (ML-KEM-768, ML-DSA-65) | ⚠️ Fallback mode | Full implementation | HIGH |
| No custom/ad-hoc KDFs | ❌ Some custom code | Standard HKDF | HIGH |
| No XOR-based “encryption” | ❌ Demo code exists | Remove | CRITICAL |
| Secure random (CSPRNG only) | ✅ secrets module | ✅ | - |
Action Items:
1.2 Key Management
| Requirement | Current State | Target | Priority |
| No hardcoded keys/secrets | ❌ Demo key in code | Environment only | CRITICAL |
| HSM/KMS integration | ❌ Not implemented | AWS KMS / HashiCorp Vault | HIGH |
| Automated key rotation | ❌ Not implemented | 90-day rotation | MEDIUM |
| Separation of duties | ❌ Single admin | Role-based | MEDIUM |
| Key escrow/recovery | ❌ Not implemented | Documented process | MEDIUM |
Action Items:
1.3 Identity & Access Control
| Requirement | Current State | Target | Priority |
| API key authentication | ✅ Implemented | ✅ | - |
| mTLS for service-to-service | ❌ Not implemented | Required for prod | HIGH |
| OAuth2/OIDC integration | ❌ Not implemented | Enterprise SSO | MEDIUM |
| MFA for admin access | ❌ N/A (no admin UI) | Required | HIGH |
| RBAC for operators | ❌ Not implemented | Role-based | MEDIUM |
| Machine identity (certs) | ❌ Not implemented | X.509 certs | HIGH |
Action Items:
2. Software & Infrastructure Hardening
2.1 Secure SDLC
| Requirement | Current State | Target | Priority |
| Threat model documented | ⚠️ Partial | Full threat model | HIGH |
| Code review process | ⚠️ PR reviews | Mandatory 2-person | MEDIUM |
| Static analysis (SAST) | ❌ Not configured | Bandit, Semgrep | HIGH |
| Dynamic analysis (DAST) | ❌ Not configured | OWASP ZAP | MEDIUM |
| Dependency scanning | ⚠️ npm audit only | Snyk/Dependabot | HIGH |
| Secure coding guidelines | ❌ Not documented | OWASP ASVS | MEDIUM |
Action Items:
2.2 Hardened Defaults
| Requirement | Current State | Target | Priority |
| Minimal container image | ⚠️ python:slim | distroless | MEDIUM |
| Non-root container user | ❌ Runs as root | Non-root user | HIGH |
| Read-only filesystem | ❌ Not configured | Read-only where possible | MEDIUM |
| No debug mode in prod | ⚠️ Not enforced | Explicit prod mode | HIGH |
| Secure default config | ⚠️ Partial | Security-first defaults | HIGH |
| No demo secrets shipped | ❌ Demo key in code | No secrets in image | CRITICAL |
Action Items:
2.3 Patch & Vulnerability Management
| Requirement | Current State | Target | Priority |
| CVE tracking process | ❌ Not documented | Documented process | HIGH |
| Patch SLAs defined | ❌ Not defined | Critical: 24h, High: 7d | HIGH |
| Dependency update process | ⚠️ Manual | Automated PRs | MEDIUM |
| Security advisory process | ❌ Not defined | SECURITY.md + process | HIGH |
Action Items:
3. Logging, Monitoring & Audit
3.1 Comprehensive Logging
| Requirement | Current State | Target | Priority |
| Auth decisions logged | ✅ Implemented | ✅ | - |
| Policy changes logged | ❌ Not implemented | Required | HIGH |
| Key operations logged | ❌ Not implemented | Required | HIGH |
| Config changes logged | ❌ Not implemented | Required | MEDIUM |
| Admin actions logged | ❌ N/A (no admin) | Required | MEDIUM |
| Tamper-evident logs | ❌ Plain JSON | Signed/chained | HIGH |
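One way to move the audit log from plain JSON to the "Signed/chained" target is an HMAC-SHA256 chain over the JSON records. This is an added example, not code from the SCBE-AETHERMOORE repository; the function names, record fields (`seq`, `event`, `prev`, `mac`) and sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor for the first record (assumption of this sketch)

# Constructed sample events, not real SCBE output.
SAMPLE_EVENTS = [
    {"agent": "agent-1", "decision": "ALLOW"},
    {"agent": "agent-7", "decision": "DENY"},
    {"agent": "agent-1", "decision": "ALLOW"},
]


def _mac(key, prev, body):
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{prev}|{payload}".encode(), hashlib.sha256).hexdigest()


def append_record(log, key, event):
    """Append an event bound to the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "event": event}
    log.append({**body, "prev": prev, "mac": _mac(key, prev, body)})


def build_sample_log(key):
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, key, event)
    return log


def verify_chain(log, key, expected_len=None):
    """Return (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec.get("seq"), "event": rec.get("event")}
        if (rec.get("seq") != i or rec.get("prev") != prev or not
                hmac.compare_digest(str(rec.get("mac", "")), _mac(key, prev, body))):
            return False, i
        prev = rec["mac"]
    # Cutting records off the tail leaves a valid chain; only a record count
    # (or latest MAC) stored elsewhere reveals it.
    if expected_len is not None and len(log) != expected_len:
        return False, len(log)
    return True, None
```

The MAC key belongs in the KMS or Vault named in section 1.2, held separately from the log store, so that someone who can rewrite the log cannot also recompute the chain.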
Action Items:
3.2 SIEM Integration
| Requirement | Current State | Target | Priority |
| Structured log format | ✅ JSON | ✅ | - |
| Correlation IDs | ⚠️ Partial | All requests | HIGH |
| Severity levels | ✅ Standard levels | ✅ | - |
| Log schema documented | ❌ Not documented | Full schema doc | MEDIUM |
| Splunk HEC support | ❌ Not implemented | HTTP Event Collector | HIGH |
| Syslog support | ❌ Not implemented | RFC 5424 | MEDIUM |
Action Items:
3.3 Audit & Forensics
| Requirement | Current State | Target | Priority |
| Decision audit trail | ✅ In-memory | Persistent storage | HIGH |
| Who/what/when/why | ✅ Captured | ✅ | - |
| Export capability | ⚠️ API only | Bulk export | MEDIUM |
| Retention policy | ❌ Not defined | 7 years minimum | HIGH |
Action Items:
4. Zero Trust & Network Posture
4.1 Zero Trust Principles
| Requirement | Current State | Target | Priority |
| Per-request authorization | ✅ Every call checked | ✅ | - |
| No implicit trust | ✅ All agents scored | ✅ | - |
| Continuous verification | ⚠️ Per-request only | + periodic re-auth | MEDIUM |
| Micro-segmentation ready | ⚠️ Single service | Network policies | MEDIUM |
4.2 Compromise Handling
| Requirement | Current State | Target | Priority |
| Agent compromise response | ✅ Trust decay | ✅ | - |
| Relay compromise isolation | ⚠️ Theoretical | Documented procedure | HIGH |
| Lateral movement constraints | ⚠️ Not documented | Network isolation | MEDIUM |
| Fail-secure behavior | ✅ Fail to DENY | ✅ | - |
Action Items:
4.3 Network Integration
| Requirement | Current State | Target | Priority |
| TLS 1.3 support | ✅ Python default | Enforce only | HIGH |
| mTLS support | ❌ Not implemented | Required | HIGH |
| Proxy/firewall compatible | ✅ HTTP/HTTPS | ✅ | - |
| VPN/ZTNA compatible | ✅ Standard ports | ✅ | - |
5. Supply Chain & Vendor Risk
5.1 SBOM & Dependencies
| Requirement | Current State | Target | Priority |
| SBOM generated | ❌ Not generated | CycloneDX/SPDX | HIGH |
| Signed builds | ❌ Not implemented | Sigstore/cosign | HIGH |
| License compliance | ⚠️ Apache 2.0 | Full audit | MEDIUM |
| Dependency pinning | ⚠️ Partial | Full lockfiles | HIGH |
Action Items:
5.2 Attestations & Certifications
| Requirement | Current State | Target | Priority |
| SOC 2 Type I | ❌ Not started | Roadmap | HIGH |
| ISO 27001 | ❌ Not started | Roadmap | MEDIUM |
| Penetration test | ❌ Not done | Third-party required | HIGH |
| NIST 800-53 mapping | ⚠️ Partial | Full mapping | MEDIUM |
Action Items:
6. Documentation for Procurement
6.1 Security Whitepaper
| Section | Status | Priority |
| Threat model | ⚠️ Partial | HIGH |
| Protocol details | ✅ Documented | - |
| Crypto choices | ✅ Documented | - |
| Failure modes | ⚠️ Partial | HIGH |
| Attack resistance | ⚠️ Partial | HIGH |
6.2 Policy Documentation
| Document | Status | Priority |
| Incident response plan | ❌ Not created | HIGH |
| Data retention policy | ❌ Not created | HIGH |
| Backup/restore procedure | ❌ Not created | MEDIUM |
| Business continuity | ❌ Not created | MEDIUM |
6.3 Regulatory Mapping
| Regulation | Status | Priority |
| PCI-DSS mapping | ⚠️ Partial | HIGH |
| GLBA mapping | ⚠️ Partial | HIGH |
| FFIEC mapping | ❌ Not started | MEDIUM |
| DORA mapping | ⚠️ Partial | MEDIUM |
Priority Summary
CRITICAL (Block deployment)
- Remove hardcoded demo API key
- Remove XOR cipher code
- Add non-root container user
HIGH (Required for pilot)
- Implement mTLS
- Add Bandit/SAST to CI
- Generate SBOM
- Document threat model
- Schedule penetration test
- Add tamper-evident logging
- Integrate real PQC library
MEDIUM (Required for production)
- HSM/KMS integration
- OAuth2/OIDC support
- SOC 2 Type I audit
- Full regulatory mapping
- Incident response plan
Quick Wins (Can do today)
```bash
# 1. Remove hardcoded key (use environment)
export SCBE_API_KEY=$(openssl rand -hex 32)
# 2. Add Bandit to CI
pip install bandit
bandit -r src/ -f json -o bandit-report.json
# 3. Generate SBOM
pip install cyclonedx-bom
cyclonedx-py -r -o sbom.json
# 4. Pin dependencies
pip freeze > requirements.lock
# 5. Run container as non-root
# Add to Dockerfile: USER 1000:1000
```
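Quick win 1 only sets the variable; the service also has to refuse to start without it instead of falling back to a built-in key. The following startup check is an added example, not the project's own code: `load_api_key`, `authorize`, `ConfigError` and the low-variety heuristic are assumptions, while `SCBE_API_KEY` and the 64-hex-character shape come from the `openssl rand -hex 32` command above.

```python
import hmac
import os
import re

KEY_ENV = "SCBE_API_KEY"                   # variable name from quick win 1
KEY_FORMAT = re.compile(r"[0-9a-f]{64}")   # shape of `openssl rand -hex 32` output


class ConfigError(RuntimeError):
    """Raised at startup so the service never runs with a missing or weak key."""


def load_api_key(env=None):
    """Read the key from the environment only; there is no in-code fallback."""
    env = os.environ if env is None else env
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise ConfigError(f"{KEY_ENV} is not set; refusing to start")
    if not KEY_FORMAT.fullmatch(key):
        raise ConfigError(f"{KEY_ENV} must be 64 lowercase hex characters")
    # Heuristic (assumption): placeholders such as all zeros reuse few symbols.
    if len(set(key)) < 8:
        raise ConfigError(f"{KEY_ENV} looks like a placeholder, not random data")
    return key


def authorize(presented, expected):
    """Fail to DENY on anything other than an exact, constant-time match."""
    if not isinstance(presented, str) or not presented:
        return "DENY"
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return "ALLOW" if ok else "DENY"
```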
Deployment Mode Recommendation
For bank procurement, recommend on-premise or private cloud deployment:
| Mode | Pros | Cons |
| On-Prem | Full control, no data leaves bank | Bank manages infrastructure |
| Private Cloud | Bank’s cloud account, isolated | Still cloud |
| SaaS | Easiest | Requires SOC 2, data concerns |
Recommendation: Start with on-prem/private cloud for pilots, then consider managed service after SOC 2.