{
"owasp_top10_2025": {
"A01": {"name": "Broken Access Control", "desc": "Contrôle d'accès défaillant", "fix": "RBAC, principe du moindre privilège, validation côté serveur"},
"A02": {"name": "Cryptographic Failures", "desc": "Failles cryptographiques", "fix": "TLS 1.3, AES-256, bcrypt/argon2 pour passwords"},
"A03": {"name": "Injection", "desc": "SQL, NoSQL, LDAP, OS injection", "fix": "Requêtes paramétrées, ORM, validation d'entrée, WAF"},
"A04": {"name": "Insecure Design", "desc": "Conception non sécurisée", "fix": "Threat modeling, secure design patterns, security requirements"},
"A05": {"name": "Security Misconfiguration", "desc": "Mauvaise configuration de sécurité", "fix": "Hardening, minimal install, automated config review"},
"A06": {"name": "Vulnerable Components", "desc": "Composants vulnérables", "fix": "SCA tools, patch management, SBOM"},
"A07": {"name": "Auth Failures", "desc": "Authentification/identification défaillante", "fix": "MFA, rate limiting, secure session management"},
"A08": {"name": "Data Integrity", "desc": "Défauts d'intégrité des logiciels et des données", "fix": "CI/CD security, signed packages, SRI"},
"A09": {"name": "Logging Failures", "desc": "Manque de logging/monitoring", "fix": "Centralized logging, SIEM, alerting, audit trails"},
"A10": {"name": "SSRF", "desc": "Server-Side Request Forgery", "fix": "Allowlists, network segmentation, disable redirects"}
},
"pentest_methodology": {
"phases": ["Reconnaissance", "Scanning", "Vulnerability Assessment", "Exploitation", "Post-Exploitation", "Reporting"],
"tools": {
"recon": ["Shodan", "Censys", "theHarvester", "Maltego", "Amass"],
"scanning": ["Nmap", "Masscan", "Nikto", "WPScan", "SQLmap"],
"exploitation": ["Metasploit", "Burp Suite", "OWASP ZAP", "Hydra"],
"post_exploit": ["Mimikatz", "BloodHound", "Cobalt Strike", "Empire"]
}
},
"incident_response": {
"phases": ["Preparation", "Detection", "Containment", "Eradication", "Recovery", "Lessons Learned"],
"playbooks": {
"ransomware": "Isoler → préserver evidence → restaurer backups → communiquer",
"data_breach": "Contenir → évaluer scope → notifier CNDP (72h) → remédier",
"ddos": "Activer CDN/WAF → rate limiting → null routing → ISP contact",
"phishing": "Identifier → bloquer sender → reset credentials → awareness"
}
},
"compliance_frameworks": {
"iso27001": {"desc": "Système de management de la sécurité de l'information", "domains": 14, "controls": 114},
"pci_dss": {"desc": "Payment Card Industry Data Security Standard", "requirements": 12},
"soc2": {"desc": "Service Organization Control 2", "criteria": ["Security", "Availability", "Processing Integrity", "Confidentiality", "Privacy"]},
"rgpd": {"desc": "Règlement Général sur la Protection des Données", "principles": ["Licéité", "Finalité", "Minimisation", "Exactitude", "Limitation de la conservation", "Intégrité", "Responsabilité"]}
}
}