
OBSERVA

Governance Modules

OWASP Top 10 mapping
ISO 27001 control evidence
SOC 2 trust service criteria
GDPR security principles
NIS2 awareness
Data minimization
Logging hygiene
Access control governance
Vendor risk checklist
Incident retention policy

Compliance Readiness

73/100

Based on mock control coverage and status.

Legal-by-design Controls

Written scope and authorization

Data classification and minimization

Evidence retention policy

Access control for case files

Export approval workflow

Review of cross-border data transfer

Bias and human-rights review for sensitive research

Incident audit trail

Legal-by-design guardrails

Purpose limitation

Define the defensive purpose before collecting data. Stop when the purpose is met.

Authorization

Assess only systems, accounts and data you own or have explicit permission to review.

Data minimization

Collect the least sensitive evidence that can answer the question.

Proportionality

Match collection and response actions to risk, urgency and legal basis.

Auditability

Log who did what, when, why and with what evidence.

Human review

Keep human approval for sensitive, irreversible or legally significant actions.

OWASP Top 10: Access control checks are server-side and logged

Status: partial. Role tests exist; object-level checks need broader negative coverage.

Owner: Application Security

Next: Add deny-by-default policy tests for sensitive objects.

ISO 27001: Incident handling responsibilities are defined

Status: met. Incident runbooks and escalation owners are documented.

Owner: Security Governance

Next: Schedule next tabletop exercise.

SOC 2: Logical access is reviewed periodically

Status: partial. Quarterly review in place; service account inventory needs cleanup.

Owner: IT Operations

Next: Reconcile service accounts with business owners.

GDPR: Data minimization is reflected in logging

Status: partial. PII logging patterns reduced; export logs need retention review.

Owner: Privacy

Next: Validate retention and masking for export workflows.

NIS2: Security incident awareness and reporting path

Status: gap. Draft policy exists but training completion is incomplete.

Owner: Governance

Next: Complete awareness rollout and evidence capture.

Governance: Vendor risk checklist for security-critical providers

Status: partial. Identity and payment vendors reviewed; telemetry vendors pending.

Owner: Procurement Security

Next: Complete evidence requests for telemetry vendors.

OWASP Risk Intelligence

A01 / critical: Broken Access Control

Users can act outside intended permissions when server-side authorization is incomplete.

Business risk: Data exposure, unauthorized changes and privilege abuse.

Safe scenario: A local demo app verifies that user A cannot fetch user B's invoice.

Related: SameSite cookies, CSRF protection, Audit logging

A02 / high: Cryptographic Failures

Sensitive data is insufficiently protected in transit, at rest or during processing.

Business risk: Confidential data disclosure and regulatory impact.

Safe scenario: Review certificate expiry and HSTS on an owned website.

Related: Strict-Transport-Security, Secure cookies

A03 / critical: Injection

Untrusted input is interpreted as commands, queries or executable content.

Business risk: Data manipulation, unauthorized access and system compromise.

Safe scenario: Unit-test a local repository function to confirm parameters are bound, not concatenated.

Related: Content-Security-Policy, Input schemas

A04 / high: Insecure Design

The design lacks controls needed to resist expected abuse cases.

Business risk: Systemic weaknesses that patches alone cannot fix.

Safe scenario: Run a tabletop exercise for password reset abuse on a mock flow.

Related: Rate limiting, Step-up authentication

A05 / high: Security Misconfiguration

Unsafe defaults, missing headers, verbose errors or exposed admin surfaces increase risk.

Business risk: Avoidable exposure and easier abuse of other weaknesses.

Safe scenario: Run the OBSERVA header analyzer against an owned staging domain.

Related: CSP, HSTS, X-Frame-Options, Permissions-Policy

A06 / high: Vulnerable and Outdated Components

Known vulnerable dependencies or unsupported platforms remain in use.

Business risk: Known vulnerabilities become practical paths to compromise.

Safe scenario: Review dependency advisories in CI for a private repository.

Related: SBOM, Dependency lockfile review

A07 / critical: Identification and Authentication Failures

Authentication or identity lifecycle controls are weak or inconsistent.

Business risk: Account takeover and unauthorized access.

Safe scenario: Map a mock account recovery flow and identify abuse paths.

Related: HttpOnly cookies, Secure cookies, SameSite

A08 / high: Software and Data Integrity Failures

Code, updates or data can be modified without sufficient integrity controls.

Business risk: Supply chain compromise and unauthorized changes.

Safe scenario: Review a toy CI workflow for overbroad permissions.

Related: Subresource Integrity, Protected branch rules

A09 / medium: Security Logging and Monitoring Failures

Security-relevant events are missing, incomplete or not reviewed.

Business risk: Incidents remain undetected or hard to investigate.

Safe scenario: Create mock detection rules for suspicious login and recovery changes.

Related: Audit logs, SIEM routing, Retention policy

A10 / high: Server-Side Request Forgery

A server is tricked into making unintended outbound requests.

Business risk: Internal metadata exposure or unexpected network access.

Safe scenario: Review code paths that fetch user-provided URLs without sending requests to real third-party systems.

Related: Egress firewall, URL allowlists