andrewmusselman opened a new issue, #730: URL: https://github.com/apache/tooling-trusted-releases/issues/730
**ASVS Reference:** 6.1.1 (Findings 01–04) — Overall status: NON-COMPLIANT

### Description

ASVS 6.1.1 (Level 1) requires documentation defining how rate limiting, anti-automation, and adaptive response controls defend against credential stuffing and brute force attacks. While rate limiting and other controls **are implemented**, the required documentation is entirely absent.

Undocumented controls include:

| Control | Status | Documentation |
|---------|--------|---------------|
| Global rate limiting (100/min, 1000/hr) | ✅ Implemented | ❌ Not documented |
| Endpoint-specific rate limiting (10/hr) | ✅ Implemented | ❌ Not documented |
| IP/user-based rate limiting keys | ✅ Implemented | ❌ Not documented |
| OAuth delegation for anti-automation | ✅ Implemented | ❌ Not documented |
| Adaptive response mechanisms | ❌ Not implemented | ❌ Not documented |
| Account lockout prevention strategy | ✅ Implemented | ❌ Not documented |

### Recommendation

Create a security documentation file (e.g., `docs/authentication-defenses.md`) covering:

1. All rate limiting configurations and their values
2. The dual-key strategy (IP for unauthenticated, user ID for authenticated) and how it prevents malicious account lockout
3. OAuth delegation to ASF and its capabilities
4. What happens when limits are exceeded (HTTP 429 + retry-after)
5. Configuration options for operators
6. That `ALLOW_TESTS=true` disables rate limiting and must never be used in production
7. That ASVS password-related requirements (6.2.x) are addressed at the ASF identity provider level

Use LLM to write docs, publish to `tooling-runbooks`.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
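The controls the issue asks to document, shown as an added example rather than code from the tooling-trusted-releases project: an in-memory sliding-window limiter that applies the global limits (100/min, 1000/hr) and the endpoint-specific limit (10/hr) quoted above, keys authenticated requests by user ID and unauthenticated ones by source IP, and answers an exceeded limit with HTTP 429 plus a `Retry-After` value. The limit values are the ones from the issue; the class and function names, the `/auth/login` path, the sample IP addresses and the `enabled` flag standing in for `ALLOW_TESTS=true` are assumptions made for illustration. The demo at the end shows why the dual key matters: an unauthenticated party hammering the login endpoint is throttled by its own IP, so the account it is guessing at is not locked for its legitimate owner.

```python
"""Dual-keyed sliding-window rate limiting with HTTP 429 + Retry-After.

Added example, not code from the ATR project. Limit values are the ones
quoted in the issue; names, paths, addresses and the in-memory store are
assumptions for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: int


# Values quoted in the issue: 100/min and 1000/hr globally, 10/hr per endpoint.
GLOBAL_LIMITS = (Limit(100, 60), Limit(1000, 3600))
ENDPOINT_LIMITS = {"/auth/login": (Limit(10, 3600),)}  # path is an assumption


@dataclass
class Request:
    path: str
    client_ip: str
    user_id: str | None = None  # None for unauthenticated requests


@dataclass
class Decision:
    allowed: bool
    status: int           # 200 or 429
    retry_after: int = 0  # seconds; only meaningful when status == 429


def rate_limit_key(req: Request) -> str:
    """Dual-key strategy: authenticated traffic is keyed by user ID, unauthenticated
    traffic by source IP. A username submitted on a login form never becomes the
    key, so a stranger cannot exhaust the account owner's budget and lock them out."""
    if req.user_id is not None:
        return f"user:{req.user_id}"
    return f"ip:{req.client_ip}"


class SlidingWindowLimiter:
    def __init__(self, enabled: bool = True) -> None:
        # enabled=False stands in for ALLOW_TESTS=true, which the issue says
        # disables rate limiting and must never be set in production.
        self.enabled = enabled
        self._hits: dict[tuple[str, str, int], deque[float]] = defaultdict(deque)

    def _wait_seconds(self, bucket: tuple[str, str, int], limit: Limit, now: float) -> float:
        """Return 0.0 if a request fits the limit, else seconds until the oldest hit expires."""
        hits = self._hits[bucket]
        cutoff = now - limit.window_seconds
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) < limit.max_requests:
            return 0.0
        return hits[0] + limit.window_seconds - now

    def check(self, req: Request, now: float) -> Decision:
        """Evaluate every applicable limit; a refused request consumes no budget."""
        if not self.enabled:
            return Decision(True, 200)
        key = rate_limit_key(req)
        checks = [("global", lim) for lim in GLOBAL_LIMITS]
        checks += [(req.path, lim) for lim in ENDPOINT_LIMITS.get(req.path, ())]
        wait = 0.0
        for scope, lim in checks:
            wait = max(wait, self._wait_seconds((key, scope, lim.window_seconds), lim, now))
        if wait > 0:
            return Decision(False, 429, retry_after=math.ceil(wait))
        for scope, lim in checks:
            self._hits[(key, scope, lim.window_seconds)].append(now)
        return Decision(True, 200)


def response_headers(decision: Decision) -> dict[str, str]:
    """Headers to send with a refused request (recommendation item 4)."""
    if decision.status != 429:
        return {}
    return {"Retry-After": str(decision.retry_after)}


def demo_login_attack() -> tuple[Decision, Decision]:
    """Eleven unauthenticated login attempts from one IP (constructed addresses):
    the eleventh is refused, while the account owner's own attempt from another
    IP is still accepted because the key is the IP, not the guessed username."""
    limiter = SlidingWindowLimiter()
    guesser = Request("/auth/login", "203.0.113.7")
    last = Decision(True, 200)
    for i in range(11):
        last = limiter.check(guesser, now=1000.0 + i)
    owner = limiter.check(Request("/auth/login", "198.51.100.20"), now=1011.0)
    return last, owner


if __name__ == "__main__":
    refused, accepted = demo_login_attack()
    print("guesser:", refused, response_headers(refused))
    print("owner:  ", accepted)
```

Two design points are worth noting in the documentation the issue requests. Every applicable limit is evaluated before any bucket is charged, so a refused request does not extend its own penalty. And `Retry-After` is derived from the oldest hit still inside the window, which is the earliest moment the request could succeed; a client that honours it will not be refused again.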
