Security Testing Certificate

Continuous verification across penetration testing, static analysis, and dynamic application security testing.

Certificate of Security Testing
Continuous Security Verification
Abundera, Inc.
abundera.ai

This certifies that the Abundera platform undergoes continuous automated security testing comprising penetration testing, static security auditing, and dynamic application security testing (DAST) on every deployment and on a recurring schedule. All tests are executed against the production environment. Security is not a wrapper around the application — it is the fundamental architecture.

6,118 Unit & Integration Tests: 65 test files · 100% pass
908 Penetration Tests: 44 categories · 100% pass
Audit Checks: 127 categories · 100% pass
DAST: ZAP Baseline Scans, weekly · 0 high-risk alerts
Last Verified: February 18, 2026
Frequency: Every Deployment
Scan Schedule: Weekly DAST
CERT-ABND-2026-0218 · Abundera Security Program

Penetration Test Categories (44)

Authentication 13/13
Auth Flows 12/12
Authorization 7/7
BOLA / IDOR 7/7
Injection 9/9
JWT / Cryptography 11/11
SSRF 1/1
Race Conditions 3/3
CORS 5/5
HTTP Smuggling 12/12
Parameter Pollution 4/4
Rate Limiting 9/9
Security Headers 15/15
Info Disclosure 10/10
Session Management 4/4
Billing Security 9/9
Tier Bypass 7/7
Financial Boundary 7/7
Owner Authorization 7/7
Property Authorization 6/6
Token Revocation 7/7
Business Logic 4/4
Workflow Abuse 12/12
Webhook Security 8/8
Content Type 4/4
Method Override 4/4
Unicode Bypass 3/3
PUT Validation 4/4
Delete Authorization 2/2
Admin Write Auth 2/2
Platform Security 33/33
New Endpoints 28/28
Functional 15/15
Resource Limits 10/10
Lifecycle 6/6
Integrations 9/9
API Inventory 7/7
OpenAPI Spec 7/7
OpenAPI Fuzzing 7/7
E2E Flows 30/30

Static Audit Categories (55)

User Data Isolation
Secret Leakage
Auth & Authorization
Security Headers
XSS & Injection
Encryption
Structural Integrity
Input Validation
Audit Log Coverage
Sensitive Data in URLs
Open Redirect
Error Disclosure
Messaging Consistency
Logging Hygiene
Compliance & Consent
Client Trust Boundaries
Security Tooling
Dependency Security
API Inventory
File Upload Security
PII & Data Protection
Request Bounds
Deploy Configuration
Security Event Coverage
Client-Side Redirect Safety
KV Store Data Expiry
Email Template Injection
Pagination & Offset Safety
Worker Security Parity
API Key Scope Enforcement
Webhook Signature Verification
Content-Disposition Safety
Prototype Pollution
Response Cache Safety
Batch Operation Limits
Monetary Field Validation
Error Response Leakage
D1 Transaction Safety
R2 Object Access Control
Timing-Safe Comparison
Request Idempotency
OWASP ASVS 4.0
OWASP API Top 10
SANS / CWE Top 25
NIST SP 800-53
OWASP ZAP DAST

Authentication Architecture

Passwordless by Design
FIDO2 / WebAuthn passkeys are the sole authentication method. No passwords are stored, transmitted, or accepted — eliminating credential stuffing, phishing, and password reuse attacks entirely.
Mandatory Multi-Factor
TOTP-based MFA (RFC 6238) is required at registration — not optional. Single-use backup codes are generated and hashed with SHA-256 for offline recovery.
Secure Account Recovery
Multi-factor recovery requires a combination of factors drawn from TOTP, backup code, and email verification. A mandatory cooling-off period prevents immediate account takeover after recovery initiation.
Re-Authentication for Sensitive Operations
High-risk actions (data export, account closure, API key creation, webhook configuration, backup code regeneration) require fresh passkey verification with short-lived tokens.
Session Management
JWT sessions with configurable expiry. Immediate session revocation via server-side blocklist — tokens are invalidated in real time, not on expiry. Logout-all capability for compromised accounts.
Bot Protection
Cloudflare Turnstile invisible challenges on all authentication endpoints. Server-side verification with IP validation prevents automated credential attacks and account enumeration.

Encryption & Data Protection

TLS 1.3 Everywhere
All connections are encrypted in transit with TLS 1.3. HSTS with preloading and includeSubDomains is enforced — downgrade attacks are impossible.
Application-Layer Encryption
AES-GCM encryption applied at the application layer for sensitive fields including authentication secrets, financial integration tokens, and health-related data. Encryption keys are isolated from data storage.
Encryption at Rest
All databases and object storage are encrypted at rest by the infrastructure provider. Application-layer encryption provides an additional defense-in-depth layer for high-sensitivity fields.
One-Way Hashing
Backup codes and API keys are hashed with SHA-256 before storage — they cannot be retrieved or reversed. Constant-time comparison prevents timing attacks during verification.
Web Crypto API
All cryptographic operations use the platform-native Web Crypto API — no third-party cryptography libraries. Reduces supply chain risk and ensures FIPS-validated algorithm implementations.
Key Management
Encryption keys and JWT signing secrets are stored in Cloudflare Workers Secrets (encrypted at rest and in transit), never committed to code, and isolated from the application runtime until invocation. Key rotation procedures are documented with incident response playbooks.

Data Isolation & Multi-Tenancy

Per-Tier Database Sharding
Financial data is stored in isolated database shards assigned by subscription tier. Higher tiers receive progressively smaller shard populations, with top-tier accounts receiving a dedicated single-tenant database.
Row-Level Access Control
Every database query is scoped to the authenticated user at the application layer. Cross-user data access is architecturally prevented — there is no API surface that accepts arbitrary user identifiers for data retrieval.
Control Plane Separation
Authentication and billing data is stored in a separate database from financial data. A compromise of one system does not expose the other. Shard assignments are managed through the control plane only.
Account Deletion
Account closure initiates a grace period for user cancellation. Upon expiry, all financial data is permanently and irreversibly deleted — including shard data, integration tokens (revoked at the provider), and document storage.

Financial Safeguards

Idempotency Protection
All financial write operations support idempotency keys. Duplicate requests within the deduplication window return the original response without re-executing — preventing double-charges and duplicate entries.
Webhook Signature Verification
Inbound payment webhooks are verified using HMAC-SHA256 signatures with timestamp validation. Replayed, forged, or expired webhook events are rejected before processing.
Outbound Webhook Security
Customer webhook endpoints are validated against SSRF targets (private IPs, cloud metadata endpoints, non-HTTPS URLs). Outbound payloads are HMAC-signed for recipient verification.
Tier Enforcement
Billing tier checks are enforced server-side on every API request via middleware. Resource limits (connections, storage, API calls) cannot be bypassed through client-side manipulation.

Network & Infrastructure Defense

Serverless Architecture
The platform runs entirely on edge-compute with no persistent servers. There are no operating systems to patch, no SSH access to compromise, and no server processes to exploit.
Security Headers
Every response includes a comprehensive security header suite: strict Content Security Policy, HSTS with preloading, X-Frame-Options DENY, permissions policy blocking 20+ browser APIs, and cross-origin isolation headers.
Multi-Layer Rate Limiting
Rate limits are enforced per-IP and per-user at the application layer, with endpoint-specific thresholds for authentication, billing, and administrative operations. Rate limiting fails closed on backend errors.
Content-Type Enforcement
API write operations accept only application/json. XML, form-encoded, and other content types are rejected at the middleware layer. File uploads are restricted to specific endpoints with size and type validation.
Request Bounds
Request body size is enforced at the middleware layer. Oversized payloads are rejected before parsing. Input validation is applied server-side on all endpoints regardless of client-side checks.
IP Spoofing Protection
Client IP headers are stripped and re-written by the middleware layer using trusted proxy values. External requests cannot inject internal headers to bypass rate limiting or access controls.

Audit Logging & Incident Response

Comprehensive Audit Trail
Every API request is logged with method, path, status, duration, IP, user agent, and country. Authentication events (login, logout, recovery, MFA changes) and administrative actions are logged separately for compliance.
Request Correlation
Every request receives a unique correlation ID that propagates through all layers. Error responses include the correlation ID for support investigations without exposing internal details.
Non-Blocking Writes
Audit log writes are performed asynchronously and never delay API responses. Logging failures are isolated — they cannot cause application errors or data loss.
Real-Time Alerting
Severity-tiered notifications are triggered in real time for security events, system anomalies, and operational incidents. Alerts are routed by severity level to enable immediate remediation — critical alerts trigger instant notification to on-call engineers.
Incident Response
Documented incident response plan with severity classification, escalation procedures, and regulatory notification timelines. Key rotation and session invalidation procedures are tested and documented.

Regulatory Compliance

GLBA Safeguards Rule
Written Information Security Program (WISP) aligned to 16 CFR 314 requirements for financial institutions. Risk assessments, access controls, and incident response documented.
GDPR Alignment
Data Protection Impact Assessments, Records of Processing Activities, and Data Processing Agreements with all sub-processors. Right to erasure and data portability supported.
CCPA / CPRA
California consumer rights supported including data access, deletion, and opt-out. CCPA notice at registration. Data retention schedules documented and enforced.
HIPAA-Aligned Controls
Health-related financial data receives application-layer encryption, access logging, and minimum necessary access controls aligned to HIPAA Security Rule requirements. Abundera is not a HIPAA covered entity or business associate.
SOC 2 Aligned
Security controls mapped to SOC 2 Trust Services Criteria. Access control, change management, monitoring, and risk assessment procedures documented for Type II readiness.
DORA Compliance
Digital Operational Resilience Act controls including ICT risk management, incident reporting, resilience testing, and third-party risk management for financial sector operations.

Continuous Compliance Monitoring

Abundera monitors security controls hourly against SOC 2 and HIPAA frameworks. Configuration drift (e.g., a header removed, rate limiting disabled) triggers an immediate P1 alert. Last scan timestamp and results are displayed in real time.


Supply Chain Security

4 Production Dependencies
The entire platform runs on exactly 4 npm packages in production (@simplewebauthn/server, qrcode-generator, stripe) — no frameworks, no ORMs, zero-build-step frontend. All dependencies are pinned to exact versions (no ^ or ~ ranges). The package-lock.json (lockfileVersion 3) is committed to git and used in CI via npm ci for reproducible, deterministic builds. Integrity hashes in the lockfile provide checksum validation for every installed package. Vanilla HTML/CSS/JS on the frontend eliminates entire categories of supply chain risk.
Continuous Dependency Scanning
All 4 production libraries are scanned multiple times daily for zero-day vulnerabilities through automated Dependabot alerts, SBOM analysis via Anchore Grype, and Socket.dev supply chain monitoring. npm audit runs on every push and blocks builds on HIGH severity or above.
Sub-Processor Oversight
All third-party processors operate under Data Processing Agreements with breach notification clauses, data return/deletion on termination, and SOC 2 Type II verification requirements.
Source Control Security
Secrets in source control are encrypted at rest using git-crypt. Full git history is scanned for credential leaks on every commit. Branch protection enforces code review before merge.

CI/CD Security Pipeline

Every push and pull request triggers 16 automated security jobs. All must pass before code can merge.

Unit & Integration Tests
6,118 Vitest tests across 65 files covering auth, validation, billing, recovery flows, registration, admin middleware, webhooks, CRUD endpoints, cryptography, document encryption, token versioning, security events, SSO/SAML, and JWT key management.
ESLint
Static analysis and code quality enforcement across all functions and workers.
Security Audit
checks across 127 categories. Deployment blocked on any critical failure.
Semgrep SAST
Static application security testing with OWASP Top 10 and JavaScript-specific rulesets.
Gitleaks
Full git history scanned for leaked secrets, API keys, and credentials on every commit.
SBOM + Grype
CycloneDX software bill of materials generated and scanned for HIGH+ vulnerabilities via Anchore.
GitHub CodeQL
Semantic code analysis detecting injection flaws, data flow issues, and security anti-patterns.
OpenSSF Scorecard
Supply chain security scoring — branch protection, dependency pinning, SAST, code review practices.
npm audit
Dependency vulnerability scan. Builds fail on HIGH severity or above.

Continuous Security Monitoring

Pre-Deploy Gate
automated security checks across 127 categories block every deployment. No human override. Categories include: user data isolation (263), secret leakage detection (1,817), authentication and authorization (312), XSS and injection prevention (1,642), input validation (152), audit log coverage (102), error information disclosure (401), PII and data protection (323), and 33 more security-focused categories. Failures in any category halt the release pipeline automatically.
Penetration Testing
908 live attack simulations run against production across 44 categories. Platform-aware testing built by the engineering team.
DAST Scanning
Weekly OWASP ZAP baseline scans against production. Passive crawl and analysis — no active attacks against live data.
API Shield
OpenAPI schema validation enforced at the edge. Invalid methods and paths blocked before reaching application code.
Rate Limiting
KV-backed rate limiting on every API endpoint with automatic lockout on abuse detection.
R2 Document Encryption
All uploaded documents are encrypted with 256-bit AES-GCM using per-user HKDF-derived keys before storage in R2. Ciphertext includes a versioned header for forward compatibility.
IMAP SSRF Protection
Email integration blocks connections to private IP ranges (RFC 1918, loopback, link-local, cloud metadata endpoints) with an 11-pattern blocklist covering IPv4 and IPv6.
Stripe Event Allowlist
Webhook handler rejects any Stripe event type not in a 5-event allowlist before processing. Prevents abuse from unexpected or spoofed event types.
TOTP Brute-Force Lockout
Per-user KV-backed lockout after 5 failed TOTP attempts. 15-minute cooldown with automatic counter expiry. Prevents MFA code brute-forcing.
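The lockout described above (a per-user failure counter kept in a key-value store, a lockout at five failures, and a counter that expires on its own after the cooldown), combined with the fail-closed behaviour the Multi-Layer Rate Limiting item describes for backend errors, as an added example that is not Abundera's code. The `MemoryKV` class is a stand-in that mimics the `get`/`put`/`delete` shape and `expirationTtl` option of a Workers-style KV binding so the example runs offline; the key name, the injected clock, and the `checkCode` callback standing in for the real TOTP computation are assumptions for this example.

```javascript
// Added example (not Abundera's code): KV-backed TOTP brute-force lockout that
// fails closed when the store is unavailable. MemoryKV is a constructed stand-in
// for a KV binding; checkCode stands in for the real TOTP verification.
const MAX_FAILURES = 5;
const LOCKOUT_SECONDS = 15 * 60;

// In-memory KV with TTL semantics driven by an injectable clock (seconds).
class MemoryKV {
  constructor(clock) { this.map = new Map(); this.clock = clock; this.failing = false; }
  async get(key) {
    if (this.failing) throw new Error('kv unavailable');
    const entry = this.map.get(key);
    if (!entry) return null;
    if (entry.expires !== null && entry.expires <= this.clock.now()) { this.map.delete(key); return null; }
    return entry.value;
  }
  async put(key, value, opts = {}) {
    if (this.failing) throw new Error('kv unavailable');
    const expires = opts.expirationTtl ? this.clock.now() + opts.expirationTtl : null;
    this.map.set(key, { value, expires });
  }
  async delete(key) { this.map.delete(key); }
}

// Returns { allowed, reason }. The lockout is checked before the code, so a
// locked account gives the same answer for right and wrong codes and an
// attacker learns nothing from a correct guess during the cooldown.
async function verifyTotpWithLockout(kv, userId, code, checkCode) {
  const key = `totp-fail:${userId}`; // assumed key layout
  let failures;
  try {
    failures = Number((await kv.get(key)) || 0);
  } catch (err) {
    return { allowed: false, reason: 'backend-error' }; // fail closed, never open
  }
  if (failures >= MAX_FAILURES) return { allowed: false, reason: 'locked' };

  if (checkCode(code)) {
    try { await kv.delete(key); } catch (err) { /* counter expires on its own */ }
    return { allowed: true, reason: 'ok' };
  }

  failures += 1;
  try {
    // Each failure renews the TTL, so the counter disappears LOCKOUT_SECONDS
    // after the last failed attempt without any cleanup job.
    await kv.put(key, String(failures), { expirationTtl: LOCKOUT_SECONDS });
  } catch (err) {
    return { allowed: false, reason: 'backend-error' };
  }
  return { allowed: false, reason: failures >= MAX_FAILURES ? 'locked' : 'invalid-code' };
}

// Stand-alone demo with a constructed clock and a fixed "valid" code.
(async () => {
  const clock = { t: 1000, now() { return this.t; } };
  const kv = new MemoryKV(clock);
  const checkCode = (c) => c === '123456';
  for (let i = 0; i < 5; i++) console.log(await verifyTotpWithLockout(kv, 'demo-user', '000000', checkCode));
  console.log(await verifyTotpWithLockout(kv, 'demo-user', '123456', checkCode)); // still locked
})();
```

Failing closed means a store outage blocks MFA verification rather than waiving it, which is the trade the page describes; the cost is that the KV dependency becomes part of the login path's availability, so its health needs to be monitored and alerted on like any other critical dependency.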
__Secure- Cookie Prefix
Session cookie uses the __Secure- prefix, requiring HTTPS transmission. Combined with HttpOnly, SameSite=Strict, and domain scoping.
SHA-Pinned CI Actions
All third-party GitHub Actions are pinned to full SHA-256 commit hashes instead of version tags. Prevents supply chain attacks via compromised action releases.
DDoS Protection
Always-on Layer 3/4/7 mitigation through Cloudflare's global anycast network across 300+ cities.

Operational Security Metrics

Open Critical/High Findings
0 open critical or high-severity findings. All findings from internal penetration testing and security audits have been remediated.
Dependency Patch Time
HIGH+ CVEs patched within 48 hours. Automated Dependabot alerts, npm audit in CI, and Socket.dev monitoring ensure rapid detection and remediation.
Access Review Cadence
Quarterly access reviews across 8 systems (Jan/Apr/Jul/Oct). Baseline review completed February 2026. All tokens scoped with IP restrictions.
Key Rotation Readiness
11 platform secrets with documented rotation procedures. Rotation executable without downtime via rolling deployment. Procedures tested and documented in incident response plan.
Control Deficiencies
10 control deficiencies identified since launch. 10 remediated. 0 open. All deficiencies tracked with severity, remediation date, and verification in the risk register.
Deploy-to-Fix Time
Same-day remediation for critical findings. Serverless architecture enables instant deployment — no server restarts, no maintenance windows, no rollback complexity.
Tabletop Exercises
Semi-annual tabletop exercises validating incident response procedures. Last conducted February 2026 (secret compromise + supply chain scenarios). Findings documented with remediation tracking.

Security Metrics Dashboard

Live metrics derived from the continuous security testing pipeline. Counts update with every deployment.


Third-Party Verification

An independent, human-led penetration test by a CREST-accredited vendor is planned as part of our SOC 2 readiness program. Certificate will be linked here upon completion.

Accepted Security Trade-offs

Transparency is core to our security program. The following items are flagged by automated scanners but represent deliberate, documented decisions — not oversights.

Subresource Integrity (SRI) on CDN Scripts

Cloudflare-managed scripts (Web Analytics and Turnstile CAPTCHA) are loaded without SRI integrity attributes. These scripts are auto-updated by Cloudflare — pinning a hash would break functionality on every update cycle. Both scripts are served from Cloudflare's own infrastructure under the same trust boundary as our hosting.

Uptime Monitoring

Platform availability is monitored every 60 seconds from multiple global locations. Real-time status, response times, and incident history are available on our status page. Independent third-party verification is also available:

View independent uptime report (UptimeRobot) →