| Layer | Check | Tool/Method |
|---|---|---|
| Event Store | No raw PII in event payloads | Grep for email/name/card patterns in JSONB |
| Event Store | Crypto-shredding tested | Trigger erasure request, verify decryption fails |
| Event Store | Field-level encryption | Inspect stored_events table — sensitive fields are encrypted blobs |
| Projections | Role-scoped projections | Different API keys return different field sets |
| Projections | Rate limiting active | Hammer an endpoint — should get 429 after threshold |
| API | Request signing enforced | Send unsigned request — should get 401 |
| API | DTO whitelist validation | Send extra fields — should get 400 or fields stripped |
| API | IDOR protection | Access another merchant's resource — should get 403 |
| Developer Access | No production credentials in dev environments | Audit CI/CD secrets and .env files |
| Developer Access | Masked staging database | Query staging, verify no real PII is present |
| Monitoring | Anomaly alerts configured | Simulate high read rate — alert should fire |
| Monitoring | Audit trail active | Access a resource — verify audit entry exists |
| Monitoring | Distributed tracing | Follow a trace ID from command to projection update |
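As an added example (not part of the original gist), the script below exercises the three Event Store rows of the checklist against a constructed in-memory event list: the PII grep (e-mail and Luhn-confirmed card patterns), field-level encryption of the flagged fields, and the crypto-shredding test (decrypt works before the subject's key is deleted, fails after). The per-subject `KeyStore` and the stdlib encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) are assumptions made so it runs offline; in production the grep runs against the stored_events JSONB column and the field cipher should be a real AEAD such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import json
import os
import re

# Constructed sample events: same subject, one e-mail and one card number in the payloads.
SAMPLE_EVENTS = [
    {"id": 1, "type": "CustomerRegistered", "subject": "cust-42",
     "payload": {"email": "alice@example.com", "plan": "pro"}},
    {"id": 2, "type": "CardAdded", "subject": "cust-42",
     "payload": {"card": "4111 1111 1111 1111", "last4": "1111"}},
]

# Patterns to grep for in payloads; card candidates are confirmed with Luhn to cut noise.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pii(events):
    """Return (event_id, field, kind) for every payload string that looks like raw PII."""
    hits = []
    for ev in events:
        for fld, value in ev["payload"].items():
            if not isinstance(value, str):
                continue
            for kind, pat in PII_PATTERNS.items():
                for m in pat.finditer(value):
                    if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                        continue
                    hits.append((ev["id"], fld, kind))
    return hits


class KeyStore:
    """Per-subject root keys (assumed component); deleting a key is the erasure operation."""
    def __init__(self):
        self._keys = {}
    def get_or_create(self, subject: str) -> bytes:
        return self._keys.setdefault(subject, os.urandom(32))
    def get(self, subject: str) -> bytes:
        if subject not in self._keys:
            raise KeyError(f"no key for {subject}: field is unrecoverable")
        return self._keys[subject]
    def shred(self, subject: str) -> None:
        self._keys.pop(subject, None)


def _subkeys(root: bytes):
    """Derive separate encryption and MAC keys from the subject's root key."""
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_field(keys: KeyStore, subject: str, plaintext: str) -> str:
    """Encrypt-then-MAC one field; the enc: prefix makes blobs recognisable when inspecting storage."""
    enc_key, mac_key = _subkeys(keys.get_or_create(subject))
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return "enc:" + (nonce + ct + tag).hex()


def decrypt_field(keys: KeyStore, subject: str, blob: str) -> str:
    """Raises KeyError once the subject's key is shredded, ValueError on a tampered blob."""
    enc_key, mac_key = _subkeys(keys.get(subject))
    if not blob.startswith("enc:"):
        raise ValueError("not an encrypted blob")
    raw = bytes.fromhex(blob[4:])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def encrypt_pii(events, keys: KeyStore):
    """Field-level encryption: every field flagged by find_pii becomes a blob keyed to the event's subject."""
    flagged = {(eid, fld) for eid, fld, _ in find_pii(events)}
    out = json.loads(json.dumps(events))  # deep copy so the input list is untouched
    for ev in out:
        for fld in ev["payload"]:
            if (ev["id"], fld) in flagged:
                ev["payload"][fld] = encrypt_field(keys, ev["subject"], ev["payload"][fld])
    return out


def crypto_shredding_holds(keys: KeyStore, subject: str, blob: str) -> bool:
    """Checklist erasure test: decryption must succeed before shredding and fail after."""
    decrypt_field(keys, subject, blob)
    keys.shred(subject)
    try:
        decrypt_field(keys, subject, blob)
    except KeyError:
        return True
    return False
```

Run `find_pii` on the events as stored, then again after `encrypt_pii`; the first call is the "No raw PII" grep and should be empty on a compliant store, the second confirms the encrypted blobs no longer match. `crypto_shredding_holds` is the erasure drill from the second row: it deletes only the subject's key and proves the stored blob is now unrecoverable without touching the immutable event log.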
Created March 16, 2026 20:43