Version: 1.0 Last Updated: 2025-11-11 Target Audience: Security Engineers, DevOps Teams, System Administrators
- Security Overview
- Security Architecture
- Authentication & Authorization
- Data Security
- Network Security
- Application Security
- Cloud Security
- Compliance & Audit
- Incident Response
- Security Checklist
Panoptic implements defense-in-depth security with multiple layers of protection. This guide covers security best practices for deployment, configuration, and operation.
- Least Privilege: Grant minimum necessary permissions
- Defense in Depth: Multiple layers of security controls
- Secure by Default: Secure configurations out of the box
- Fail Securely: Security failures result in deny, not allow
- Audit Everything: Comprehensive logging of security events
┌─────────────────────────────────────────────────────────┐
│ Layer 7: Compliance & Audit │
│ • Audit Logging • Compliance Checking • Reporting │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Layer 6: Application Security │
│ • Input Validation • Output Encoding • Error Handling │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Layer 5: Authentication & Authorization │
│ • User Auth • RBAC • API Keys • Session Management │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Layer 4: Data Security │
│ • Encryption at Rest • Encryption in Transit • Hashing │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Layer 3: Network Security │
│ • TLS/SSL • Firewall Rules • Network Segmentation │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Layer 2: Infrastructure Security │
│ • OS Hardening • Patch Management • Access Control │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Layer 1: Physical Security │
│ • Data Center Security • Hardware Security │
└─────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────┐
│ Internet │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ WAF / DDoS Protection │
└─────────────────────┬───────────────────────────────────┘
│
┌─────────────────────▼───────────────────────────────────┐
│ Load Balancer (TLS) │
└─────────────────────┬───────────────────────────────────┘
│
┌────────────┼────────────┐
│ │
┌────────▼────────┐ ┌────────▼────────┐
│ DMZ (Public) │ │ DMZ (Public) │
│ Panoptic Node │ │ Panoptic Node │
│ (Limited Access)│ │ (Limited Access)│
└────────┬────────┘ └────────┬────────┘
│ │
└────────────┬────────────┘
│
┌────────────▼────────────┐
│ Private Network │
│ ┌──────────────┐ │
│ │ Enterprise │ │
│ │ Backend │ │
│ └──────────────┘ │
│ ┌──────────────┐ │
│ │ Cloud │ │
│ │ Storage │ │
│ └──────────────┘ │
└─────────────────────────┘
Assets to Protect:
- Test configurations (may contain sensitive URLs/credentials)
- Test results and artifacts
- Enterprise data (users, projects, audit logs)
- API keys and credentials
- Cloud storage data
Threat Actors:
- External attackers (internet-based)
- Malicious insiders
- Accidental misconfiguration
- Supply chain attacks
Attack Vectors:
- Network attacks (MITM, eavesdropping)
- Injection attacks (command injection, XSS)
- Authentication bypass
- Privilege escalation
- Data exfiltration
- Denial of service
Requirements:
# enterprise_config.yaml
security:
password:
min_length: 12
require_uppercase: true
require_lowercase: true
require_numbers: true
require_special: true
max_age_days: 90
history_count: 5 # Prevent password reuseImplementation:
// Passwords hashed with bcrypt (cost factor 10)
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), 10)
// Verify password
err = bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))Best Practices:
- ✅ Use bcrypt for password hashing (already implemented)
- ✅ Use cost factor 10-12
- ✅ Enforce strong password policies
- ✅ Implement account lockout after 5 failed attempts
- ✅ Log authentication attempts
- ❌ Never log passwords
- ❌ Never store passwords in plaintext
- ❌ Never transmit passwords without TLS
Recommendation: Implement TOTP-based MFA for admin users
# enterprise_config.yaml
security:
mfa:
enabled: true
required_for_admins: true
totp_issuer: "Panoptic"
backup_codes: 10Secure Session Configuration:
# enterprise_config.yaml
security:
sessions:
timeout_minutes: 60
absolute_timeout_minutes: 480 # 8 hours max
secure_cookie: true
http_only: true
same_site: "Strict"Session Security Checklist:
- Set secure cookie flag (HTTPS only)
- Set HttpOnly flag (prevent XSS)
- Set SameSite attribute (prevent CSRF)
- Implement session timeout
- Regenerate session ID after authentication
- Implement logout functionality
- Clear sessions on password change
Role Definitions:
# enterprise_config.yaml
roles:
admin:
permissions:
- user_management
- project_management
- system_configuration
- audit_access
- compliance_reports
operator:
permissions:
- run_tests
- view_results
- manage_own_projects
viewer:
permissions:
- view_results
- view_reportsRBAC Best Practices:
- ✅ Follow principle of least privilege
- ✅ Use groups for role assignment
- ✅ Regularly audit role assignments
- ✅ Implement separation of duties
- ✅ Log permission changes
- ❌ Don't use overly broad permissions
- ❌ Don't bypass RBAC checks in code
Secure API Key Generation:
// Generate cryptographically secure API key
apiKey := generateSecureAPIKey(32) // 32 bytes = 256 bits
func generateSecureAPIKey(length int) string {
b := make([]byte, length)
if _, err := rand.Read(b); err != nil {
panic(err)
}
return base64.URLEncoding.EncodeToString(b)
}API Key Configuration:
# API key with rate limiting
actions:
- name: "create_api_key"
type: "api_key_create"
parameters:
name: "production-key"
permissions:
- "run_tests"
- "view_results"
rate_limit:
requests_per_minute: 100
requests_per_day: 10000
expires_at: "2026-12-31T23:59:59Z"API Key Best Practices:
- ✅ Generate with crypto/rand (not math/rand)
- ✅ Use sufficient entropy (256+ bits)
- ✅ Implement rate limiting
- ✅ Set expiration dates
- ✅ Scope permissions (least privilege)
- ✅ Log API key usage
- ✅ Rotate keys regularly
- ❌ Never commit API keys to version control
- ❌ Never log API keys in plaintext
- ❌ Never reuse revoked keys
File System Encryption:
# Linux - LUKS encryption
cryptsetup luksFormat /dev/sdb
cryptsetup luksOpen /dev/sdb panoptic_data
mkfs.ext4 /dev/mapper/panoptic_data
mount /dev/mapper/panoptic_data /opt/panoptic/data
# Or use encrypted storage classes in Kubernetes
storageClassName: encrypted-ssdApplication-Level Encryption:
# enterprise_config.yaml
security:
encryption:
enabled: true
algorithm: "AES-256-GCM"
key_rotation_days: 90
storage:
encrypt_at_rest: true
encryption_key: "${PANOPTIC_ENCRYPTION_KEY}" # From environmentBest Practices:
- ✅ Use AES-256 for symmetric encryption
- ✅ Use secure key management (KMS, Vault)
- ✅ Rotate encryption keys regularly
- ✅ Encrypt all sensitive data at rest
- ✅ Use authenticated encryption (GCM mode)
- ❌ Never hardcode encryption keys
- ❌ Don't use weak algorithms (DES, RC4)
TLS Configuration:
# Kubernetes TLS
apiVersion: v1
kind: Secret
metadata:
name: panoptic-tls
namespace: panoptic
type: kubernetes.io/tls
data:
tls.crt: <base64-encoded-cert>
tls.key: <base64-encoded-key>
---
apiVersion: v1
kind: Service
metadata:
name: panoptic
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: 8443TLS Best Practices:
- ✅ Use TLS 1.2 or later (TLS 1.3 preferred)
- ✅ Use strong cipher suites
- ✅ Verify certificate chains
- ✅ Use certificate pinning for critical connections
- ✅ Implement HSTS headers
- ✅ Regularly renew certificates (automate with cert-manager)
- ❌ Don't use self-signed certs in production
- ❌ Don't disable certificate validation
- ❌ Don't support SSL 3.0 or TLS 1.0
Recommended Cipher Suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Data Classification:
- Public: Test results, reports (non-sensitive)
- Internal: Configuration files, logs
- Confidential: Credentials, API keys
- Restricted: Enterprise data, audit logs, personal data
Handling Guidelines:
# Mark sensitive data in configuration
settings:
# SENSITIVE: Database credentials
database:
password: "${DB_PASSWORD}" # From environment, not file
# SENSITIVE: Cloud credentials
cloud:
credentials:
access_key: "${AWS_ACCESS_KEY_ID}"
secret_key: "${AWS_SECRET_ACCESS_KEY}"
# SENSITIVE: Enterprise encryption key
enterprise:
encryption_key: "${PANOPTIC_ENCRYPTION_KEY}"Sensitive Data Checklist:
- Identify all sensitive data
- Classify data by sensitivity
- Encrypt sensitive data at rest
- Encrypt sensitive data in transit
- Implement access controls
- Log access to sensitive data
- Redact sensitive data from logs
- Implement data retention policies
- Securely delete sensitive data
- Regular security audits
Use Secret Management Systems:
AWS Secrets Manager:
# Store secret
aws secretsmanager create-secret \
--name panoptic/prod/db-password \
--secret-string "MySecurePassword123!"
# Retrieve in application
export DB_PASSWORD=$(aws secretsmanager get-secret-value \
--secret-id panoptic/prod/db-password \
--query SecretString \
--output text)HashiCorp Vault:
# Store secret
vault kv put secret/panoptic/prod db_password="MySecurePassword123!"
# Retrieve in application
export DB_PASSWORD=$(vault kv get -field=db_password secret/panoptic/prod)Kubernetes Secrets:
apiVersion: v1
kind: Secret
metadata:
name: panoptic-secrets
namespace: panoptic
type: Opaque
stringData:
aws-access-key: "AKIAIOSFODNN7EXAMPLE"
aws-secret-key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
---
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- name: panoptic
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: panoptic-secrets
key: aws-access-key
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: panoptic-secrets
key: aws-secret-keyNever:
- ❌ Commit secrets to version control
- ❌ Store secrets in configuration files
- ❌ Log secrets in application logs
- ❌ Include secrets in error messages
- ❌ Transmit secrets over unencrypted channels
- ❌ Use weak or default passwords
- ❌ Share secrets via email or chat
Inbound Rules (Restrictive):
# Ubuntu/Debian (ufw)
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH from specific IP (if needed)
sudo ufw allow from 10.0.0.0/8 to any port 22
# Allow HTTPS from load balancer
sudo ufw allow from 10.0.1.0/24 to any port 8443
# Enable firewall
sudo ufw enableOutbound Rules:
# Allow HTTPS for cloud storage
sudo ufw allow out 443/tcp
# Allow HTTP for certain APIs (if needed)
sudo ufw allow out 80/tcp
# Allow DNS
sudo ufw allow out 53AWS Security Groups:
resource "aws_security_group" "panoptic" {
name = "panoptic-sg"
# Inbound from ALB only
ingress {
from_port = 8443
to_port = 8443
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
}
# Outbound to S3 (via VPC endpoint)
egress {
from_port = 443
to_port = 443
protocol = "tcp"
prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
}
}VPC Architecture (AWS):
┌─────────────────────────────────────────────────────┐
│ VPC (10.0.0.0/16) │
│ │
│ ┌──────────────────────────────────────────────┐ │
│ │ Public Subnet (10.0.1.0/24) │ │
│ │ • NAT Gateway │ │
│ │ • Application Load Balancer │ │
│ └──────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────┐ │
│ │ Private Subnet (10.0.10.0/24) │ │
│ │ • Panoptic Nodes │ │
│ │ • No direct internet access │ │
│ └──────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────┐ │
│ │ VPC Endpoints │ │
│ │ • S3 Endpoint │ │
│ │ • Secrets Manager Endpoint │ │
│ └──────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
AWS Shield / CloudFlare:
# AWS Shield Standard (automatic)
# AWS Shield Advanced (for enhanced protection)
resource "aws_shield_protection" "panoptic_alb" {
name = "panoptic-alb-protection"
resource_arn = aws_lb.panoptic.arn
}Rate Limiting:
# Application-level rate limiting
settings:
rate_limiting:
enabled: true
requests_per_minute: 100
requests_per_hour: 5000
burst: 20All inputs must be validated:
// Example: Validate URL
func validateURL(urlStr string) error {
if urlStr == "" {
return errors.New("URL cannot be empty")
}
parsedURL, err := url.Parse(urlStr)
if err != nil {
return fmt.Errorf("invalid URL: %w", err)
}
// Only allow http/https
if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
return fmt.Errorf("invalid URL scheme: %s", parsedURL.Scheme)
}
return nil
}
// Example: Validate file path (prevent path traversal)
func validateFilePath(path string) error {
if path == "" {
return errors.New("path cannot be empty")
}
// Check for path traversal
if strings.Contains(path, "..") {
return errors.New("path traversal detected")
}
// Ensure path is within allowed directory
absPath, err := filepath.Abs(path)
if err != nil {
return err
}
if !strings.HasPrefix(absPath, allowedDir) {
return errors.New("path outside allowed directory")
}
return nil
}Input Validation Checklist:
- Validate all user inputs
- Whitelist allowed values
- Reject unexpected input formats
- Limit input length
- Escape special characters
- Validate file paths (prevent traversal)
- Validate URLs (prevent SSRF)
- Validate selectors (prevent injection)
Current Risk Areas:
- Desktop platform: OS commands
- Mobile platform: ADB/Xcode commands
Secure Implementation:
// UNSAFE: Command injection vulnerability
cmd := exec.Command("sh", "-c", "adb shell input text " + userInput)
// SAFE: Proper argument passing
cmd := exec.Command("adb", "shell", "input", "text", userInput)
// SAFER: Input validation first
func executeADBCommand(args ...string) error {
// Validate all arguments
for _, arg := range args {
if containsShellMetacharacters(arg) {
return errors.New("invalid characters in argument")
}
}
cmd := exec.Command("adb", args...)
return cmd.Run()
}
func containsShellMetacharacters(s string) bool {
dangerous := []string{";", "&", "|", "`", "$", "(", ")", "<", ">", "\n"}
for _, char := range dangerous {
if strings.Contains(s, char) {
return true
}
}
return false
}HTML Reports: Must escape user-controlled data
import "html/template"
// Use html/template for automatic escaping
tmpl := template.Must(template.ParseFiles("report.html"))
tmpl.Execute(w, data) // Automatic XSS protection
// Manual escaping when needed
safeString := template.HTMLEscapeString(userInput)Secure Error Messages:
// DON'T: Expose sensitive information
return fmt.Errorf("failed to connect to database: password=%s, host=%s", dbPass, dbHost)
// DO: Generic error message to user, detailed log internally
logger.Errorf("Database connection failed: %v", err)
return errors.New("database connection failed, please contact support")
// DON'T: Expose file system paths
return fmt.Errorf("failed to read file: /opt/panoptic/secrets/api_keys.json")
// DO: Generic error
logger.Errorf("Failed to read configuration file: %v", err)
return errors.New("configuration error")Scan Dependencies:
# Scan for known vulnerabilities
go list -json -m all | nancy sleuth
# Or use govulncheck
govulncheck ./...
# Keep dependencies updated
go get -u ./...
go mod tidyDependency Best Practices:
- ✅ Regular dependency updates
- ✅ Security scanning in CI/CD
- ✅ Pin dependency versions
- ✅ Review dependency licenses
- ✅ Minimal dependencies
- ❌ Don't use unmaintained packages
- ❌ Don't ignore security advisories
Bucket Policy (Restrictive):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyUnencryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::panoptic-artifacts/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "DenyInsecureTransport",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::panoptic-artifacts",
"arn:aws:s3:::panoptic-artifacts/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}S3 Security Checklist:
- Enable bucket encryption (AES-256 or KMS)
- Block public access
- Enable versioning
- Enable access logging
- Implement lifecycle policies
- Use IAM roles (not access keys)
- Implement bucket policies
- Enable MFA delete for critical buckets
Least Privilege IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::panoptic-artifacts/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::panoptic-artifacts"
}
]
}IAM Role for ECS/EKS:
# Use IAM roles instead of access keys
apiVersion: v1
kind: ServiceAccount
metadata:
name: panoptic
namespace: panoptic
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/panoptic-roleComprehensive Audit Logs:
# enterprise_config.yaml
audit:
enabled: true
log_location: "/opt/panoptic/data/audit.json"
events:
- user_login
- user_logout
- user_creation
- user_deletion
- permission_change
- configuration_change
- test_execution
- data_access
- api_key_creation
- compliance_checkAudit Log Format:
{
"timestamp": "2025-11-11T13:45:00Z",
"event_type": "user_login",
"user_id": "admin@example.com",
"source_ip": "10.0.1.50",
"user_agent": "Mozilla/5.0...",
"success": true,
"details": {
"mfa_used": true,
"session_id": "abc123..."
}
}Audit Best Practices:
- ✅ Log all security-relevant events
- ✅ Include timestamp, user, action, result
- ✅ Store logs in tamper-evident format
- ✅ Implement log rotation
- ✅ Forward logs to SIEM
- ✅ Regular log reviews
- ✅ Alert on suspicious patterns
- ❌ Don't log sensitive data (passwords, keys)
- ❌ Don't allow log deletion by regular users
Supported Standards:
- SOC 2 Type II
- GDPR
- HIPAA
- PCI-DSS Level 1
Compliance Configuration:
# enterprise_config.yaml
compliance:
standards:
- name: "SOC2"
enabled: true
controls:
- "CC6.1" # Logical and Physical Access Controls
- "CC6.6" # Encryption
- "CC7.2" # System Monitoring
- name: "GDPR"
enabled: true
data_retention_days: 90
right_to_erasure: true
data_portability: true
- name: "HIPAA"
enabled: true
encryption_required: true
audit_logging: true
access_controls: true
- name: "PCI_DSS"
enabled: true
cardholder_data_encryption: true
access_restriction: true
vulnerability_scans: trueCompliance Checklist:
- Identify applicable standards
- Document security controls
- Implement required controls
- Regular compliance audits
- Maintain audit logs
- Incident response procedures
- Security training for staff
- Vendor risk management
- Data protection impact assessments
- Regular penetration testing
1. Detection & Analysis:
1. Identify security event
2. Categorize severity (P1/P2/P3/P4)
3. Analyze scope and impact
4. Document findings
2. Containment:
1. Isolate affected systems
2. Prevent further damage
3. Preserve evidence
4. Notify stakeholders
3. Eradication:
1. Remove threat
2. Patch vulnerabilities
3. Update security controls
4. Verify remediation
4. Recovery:
1. Restore from clean backups
2. Verify system integrity
3. Monitor for re-infection
4. Resume operations
5. Lessons Learned:
1. Document incident
2. Analyze root cause
3. Improve security controls
4. Update procedures
5. Conduct training
# security-contacts.yaml
security:
soc_email: "soc@example.com"
incident_email: "security-incident@example.com"
emergency_phone: "+1-555-0100"
escalation:
p1: # Critical
response_time: "15 minutes"
contact: "security-oncall@example.com"
p2: # High
response_time: "2 hours"
contact: "security@example.com"
p3: # Medium
response_time: "24 hours"
contact: "security@example.com"Alerts to Configure:
# monitoring/alerts.yaml
alerts:
- name: "Multiple Failed Logins"
condition: "failed_logins > 5 in 5 minutes"
severity: "high"
action: "block_ip"
- name: "Unusual API Activity"
condition: "api_requests > 1000 per minute"
severity: "medium"
action: "rate_limit"
- name: "Unauthorized Access Attempt"
condition: "403_errors > 10 in 1 minute"
severity: "high"
action: "alert_security_team"
- name: "Suspicious File Access"
condition: "access to /etc/shadow or similar"
severity: "critical"
action: "block_and_alert"- Code review for security issues
- Input validation on all inputs
- Output encoding where needed
- Secure error handling
- Dependency vulnerability scanning
- Static code analysis (gosec)
- Secret scanning (git-secrets, trufflehog)
- Security configuration review
- TLS/SSL certificates obtained
- Secrets in secret management system
- Firewall rules configured
- IAM roles and policies reviewed
- Penetration testing completed
- Security documentation updated
- Deploy with least privilege
- Enable audit logging
- Configure monitoring and alerting
- Test backup and restore
- Verify encryption at rest and in transit
- Document architecture and data flows
- Security training for operators
- Regular security updates
- Log review and analysis
- Vulnerability scanning
- Penetration testing (quarterly)
- Access review (monthly)
- Incident response drills
- Compliance audits
- Security training (annual)
- Monitor security advisories
- Update dependencies regularly
- Review and update security policies
- Conduct security assessments
- Maintain incident response plan
- Track security metrics
- Continuous security testing
Tools:
- gosec: Go security checker
- nancy: Dependency vulnerability scanner
- govulncheck: Go vulnerability checker
- git-secrets: Prevent committing secrets
- trufflehog: Find secrets in git history
Documentation:
- OWASP Top 10: https://owasp.org/Top10/
- CWE Top 25: https://cwe.mitre.org/top25/
- Go Security: https://go.dev/doc/security/
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Compliance:
- SOC 2: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome
- GDPR: https://gdpr.eu/
- HIPAA: https://www.hhs.gov/hipaa/
- PCI DSS: https://www.pcisecuritystandards.org/
Document Version: 1.0 Next Review: 2026-02-11 Security Contact: security@yourcompany.com
Found a security issue? Report to: security@yourcompany.com (PGP key available)