Skip to main content

Risk Register

:::info Source Sourced from services/identity-service/SERVICE_RISK_REGISTER.md in the documentation repo. :::

Severity scale: S1 Critical · S2 High · S3 Medium · S4 Low

1. Risks

R-ID-01 — Credential Stuffing / Spray Attack

  • Severity: S1
  • Impact: Mass account takeover; tenant data leak; regulatory exposure.
  • Likelihood: High (identity-service is the primary attack surface).
  • Mitigation:
    • argon2id with tuned cost params; per-account + per-IP lockout.
    • Adaptive MFA triggered by anomaly classifier (new device, atypical IP, behavior).
    • Edge WAF with known credential-stuffing signatures.
    • HaveIBeenPwned integration — reject known-breached passwords at registration + reset.
    • Daily report on lockout spikes.
  • Verification: Red-team exercise per release; attack simulator in CI.
  • Owner: Security Lead
  • Status: Mitigated (continuous monitoring)

R-ID-02 — Session Hijack via Refresh Token Reuse

  • Severity: S1
  • Impact: Persistent account takeover; undetectable without detection.
  • Mitigation:
    • Rotating refresh tokens (single-use); family revoke on reuse detection.
    • Device binding tied to session; mismatch → revoke.
    • Short access-JWT TTL (15 min) minimizes damage window.
  • Verification: Integration test injects replayed refresh token; asserts family-revoke + session-revoked event.
  • Owner: Identity Eng Lead

R-ID-03 — KMS Misconfiguration → JWT Forgery

  • Severity: S1
  • Impact: Attacker mints valid JWTs for any user/tenant → catastrophic.
  • Mitigation:
    • Hierarchical KMS (HSM root → per-tenant DEK).
    • kid rotation annual + emergency rotation procedure tested.
    • KMS IAM: only identity-service principals can sign; JWKS is read-only from replicas.
    • Pre-deploy KMS config drift detector.
  • Verification: Quarterly DR drill includes JWT-forgery attempt with rotated key.
  • Owner: Security Lead + SRE Lead

R-ID-04 — SAML Assertion Tampering / XSW

  • Severity: S1
  • Impact: Cross-tenant impersonation via XML signature wrapping.
  • Mitigation:
    • Certified SAML library (not hand-rolled XML parsing).
    • Signature verification before attribute extraction; strict schema.
    • NotOnOrAfter + NotBefore windows enforced (5-min clock skew max).
    • InResponseTo checked against session state.
  • Verification: SAML penetration test in CI using samltest.id; XSW test vectors.
  • Owner: Security Lead
  • Status: Critical to address by M3.

R-ID-05 — OIDC State / Nonce Replay

  • Severity: S2
  • Mitigation: State tied to HMAC of session-id + tenant-id; nonce stored in Redis; both validated on callback.
  • Verification: Integration test: replay state → expect auth.invalid_token.

R-ID-06 — Password Reset Account Enumeration

  • Severity: S3
  • Impact: Attacker can enumerate valid email addresses.
  • Mitigation: Identical response for "user exists" vs "user does not" on password reset; 2xx always within same timing envelope.
  • Verification: Timing-attack test in CI (response time stddev ≤ 30ms across both cases).

R-ID-07 — Device Fingerprint Collision / Spoofing

  • Severity: S2
  • Impact: Attacker spoofs fingerprint → receives offline bundles for a different device.
  • Mitigation:
    • Fingerprint = HMAC(secret, deviceAttributes); secret per-tenant.
    • Fingerprint + public-key pair — attacker needs both.
    • Offline bundle encrypted with key derived from public key → attacker without private key cannot decrypt.
  • Verification: Fingerprint-collision test with adversarial attribute fuzzer.

R-ID-08 — MFA Bypass via Recovery Codes

  • Severity: S2
  • Mitigation: Recovery codes are single-use; regenerate on any use; rate-limited to 3 attempts.
  • Verification: Integration test + pen-test item.

R-ID-09 — Account-Lockout DoS

  • Severity: S2
  • Impact: Attacker locks out legitimate user by spamming wrong passwords.
  • Mitigation:
    • Lockout is IP-scoped when IP is new; account-scoped only after risk classifier escalation.
    • Legitimate user can self-recover via email magic-link.
    • Lockout lift endpoint for admins (audit-logged).

R-ID-10 — Webhook HMAC Replay (Incoming)

  • Severity: S3
  • Mitigation: HMAC-SHA256 with nonce + 5-min timestamp window; nonce cache in Redis.

R-ID-11 — API Key Leak in Logs

  • Severity: S1
  • Mitigation:
    • API keys stored hashed (argon2id); only the prefix (first 8 chars) is logged.
    • Key is shown once at creation, then never again.
    • Redaction library scrubs X-API-Key header from logs.
    • Secret-scanning CI blocks commits containing live keys.

R-ID-12 — OIDC JWKS Cache Poisoning

  • Severity: S2
  • Mitigation: JWKS fetched only over HTTPS with pinned cert; response signature verified; retry on parse error.

R-ID-13 — JWT Replay After Logout

  • Severity: S2
  • Impact: Stolen JWT still valid for remaining TTL after logout.
  • Mitigation:
    • Access JWT TTL 15 min — short replay window.
    • Refresh revoked immediately on logout.
    • For sensitive ops, step-up MFA + server-side session check.
  • Accepted risk: No full JWT denylist (would defeat stateless JWT).

R-ID-14 — GDPR Erasure Incomplete

  • Severity: S1
  • Impact: Regulator fines; reputation damage.
  • Mitigation:
    • Participate in GDPR erasure saga; ACK within SLA.
    • Delete credentials, sessions, devices, API keys, MFA factors, external identities, outbox entries.
    • Audit log retained (legal hold allowed).
    • Replay test: user erasure → run all projections → assert no trace.
  • Verification: Replay test in CI every release.

R-ID-15 — Multi-Region Clock Skew

  • Severity: S3
  • Impact: JWT iat/exp and SAML windows misaligned → spurious auth failures.
  • Mitigation: NTP + chronyd; alert on skew > 100ms; 60s clock-skew tolerance in validators.

2. Risk Summary Table

IDSeverityStatusOwnerDue
R-ID-01S1MitigatedSecurity Lead
R-ID-02S1MitigatedIdentity Eng Lead
R-ID-03S1MitigatedSecurity + SRE
R-ID-04S1In ProgressSecurity LeadM3
R-ID-05S2MitigatedIdentity Eng
R-ID-06S3MitigatedIdentity Eng
R-ID-07S2MitigatedIdentity + Security
R-ID-08S2MitigatedIdentity Eng
R-ID-09S2MitigatedIdentity Eng
R-ID-10S3MitigatedPlatform
R-ID-11S1MitigatedSecurity + Platform
R-ID-12S2MitigatedIdentity Eng
R-ID-13S2AcceptedIdentity Eng + Security
R-ID-14S1In ProgressCompliance + IdentityM3
R-ID-15S3MitigatedSRE

3. Governance

  • Weekly risk review with Security + Identity Eng leads.
  • Quarterly architecture risk review (top 5 platform-wide).
  • Every S1 risk has named owner, verification plan, due date.
  • Risks that move to "Accepted" require CTO sign-off.