Security & Penetration Testing Roadmap
This document outlines a plan for achieving maximum security during the production launch process, using open-source and autonomous tools without the need for expensive security consultancy engagements.
1. Autonomous AI Penetration Testing (Shannon)
Instead of traditional human penetration tests, autonomous AI agents that understand source code will be used to find business logic vulnerabilities.
- Tool: KeygraphHQ/shannon
- What it is: An open-source autonomous pentester that uses Claude’s infrastructure to attempt to manipulate the system like a real attacker.
- Action: Will be deployed locally via Docker and pointed at the staging environment.
- Important Note: A hard spending limit must be set on the API provider before running to prevent token waste.
2. Dynamic Application Security Testing — DAST (OWASP ZAP)
External scanning of the system against known classic web vulnerabilities will be automated.
- Tool: OWASP ZAP (Zed Attack Proxy)
- What it is: The industry-standard, fully free and open-source security testing tool.
- Action: Will be run locally at regular intervals for standard SQL Injection, XSS, and open port scans. Vulnerabilities found in reports will be remediated.
3. Database Fortress (Data Security & Isolation)
Database security will not be left to the application (frontend/backend) layer; it will be enforced directly at the database engine level.
- Tool: Supabase Security Advisor & RLS (Row Level Security)
- Actions:
- RLS will be enabled on all tables (especially export_ai_credit_wallets and export_ai_subscriptions). Clients will only be able to read/write data within their authorization scope.
- The “Security Advisor” tool in the Supabase dashboard will be checked regularly and all security warnings will be resolved.
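The RLS action above, sketched as an added example that is not part of the original roadmap. It assumes both tables live in the public schema and carry a user_id uuid column holding the Supabase auth user id; the column name and the policy names are assumptions.

```sql
-- Added example. Assumed: tables are in schema "public" and have a
-- "user_id uuid" column that stores the owning Supabase auth user id.

-- 1. Turn RLS on. With RLS enabled and no policy, every client
--    read and write on the table is denied by default.
alter table public.export_ai_credit_wallets enable row level security;
alter table public.export_ai_subscriptions  enable row level security;

-- 2. Allow a signed-in client to read only its own rows.
--    auth.uid() is the Supabase helper returning the caller's user id.
create policy "wallet_owner_select"            -- assumed policy name
  on public.export_ai_credit_wallets
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "subscription_owner_select"      -- assumed policy name
  on public.export_ai_subscriptions
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- No insert/update/delete policy is created here, so clients cannot
-- change credit balances or subscription rows directly. Assumption:
-- those writes go through trusted server-side code. If a client write
-- is in scope, add a policy with both USING and WITH CHECK on user_id.

-- 3. Audit: public tables where RLS is still disabled.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity
order by c.relname;

-- 4. Audit: tables with RLS enabled but no policy at all
--    (locked to clients; confirm that this is intended).
select c.relname as table_without_policy
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and c.relrowsecurity
  and not exists (select 1 from pg_policy p where p.polrelid = c.oid)
order by c.relname;
```

Both audit queries should return no unexpected rows before launch; they can be rerun alongside the regular Security Advisor check.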
4. Dependency & Package Security (SCA)
Since the majority of breaches originate from third-party libraries rather than written code, this process will be automated.
- Tool: GitHub Dependabot & Snyk
- Actions:
- Dependabot will be enabled on the GitHub repository. It will automatically open Pull Requests for outdated or vulnerable packages.
- Free Snyk integration will be set up on the GitHub repository for code analysis and vulnerability scanning.
5. Front Shield (Web Application Firewall — WAF)
Malicious traffic and automated penetration bots will be blocked at the network edge before reaching the server.
- Tool: Cloudflare WAF
- Actions:
- Domain management will be handled through Cloudflare.
- “Bot Fight Mode” will be enabled on the free WAF tier to block known malicious IPs, DDoS attacks, and scanning scripts.