| Layer | Check | Tool/Method |
|---|---|---|
| Event Store | No raw PII in event payloads | Grep for email/name/card patterns in JSONB |
| Event Store | Crypto-shredding tested | Trigger erasure request, verify decryption fails |
| Event Store | Field-level encryption | Inspect stored_events table — sensitive fields are encrypted blobs |
| Projections | Role-scoped projections | Different API keys return different field sets |
| Projections | Rate limiting active | Hammer an endpoint — should get 429 after threshold |
| API | Request signing enforced |
Krzysztof Słomka kisztof
🎯
kisztof
/ 14-securing-event-sourced-financial-systems-the-security-checklist.md
Created
March 16, 2026 20:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vault secrets enable -path=secret_storage kv | |
| vault kv put secret_storage/test1 ke1="val1" | |
| vault policy write jenkins policy.hcl | |
| vault auth enable approle | |
| vault write auth/approle/role/jenkins \ | |
| secret_id_ttl=48h \ | |
| token_num_uses=10 \ | |
| token_ttl=96h \ |
kisztof
/ Jenkinsfile
Created
January 13, 2020 07:42
Jenkinsfile with depenedent stage on choosed agent from parameter
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def AGENT_LABEL = null | |
| node('master'){ | |
| stage('pre'){ | |
| AGENT_LABEL = env.SLOT | |
| } | |
| } | |
| pipeline { | |
| agent none |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alias g='git' | |
| alias gm="git merge" | |
| alias grm='git rm' | |
| alias gs='git status' | |
| alias gss='git status -s' | |
| alias gl='git pull' | |
| alias ga='git add' | |
| alias grh='git reset HEAD' | |
| alias gp='git push' | |
| alias gcount='git shortlog -sn' |
kisztof
/ .gitignore
Last active
August 29, 2015 14:23
— forked from octocat/.gitignore
Added few new rules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Compiled source # | |
| ################### | |
| *.com | |
| *.class | |
| *.dll | |
| *.exe | |
| *.o | |
| *.so | |
| *.pyc | |
| *.out |