Methodology
We use a lightweight STRIDE-per-asset framework: every persisted-data asset gets walked through Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege threats. Each threat gets a likelihood (1-5) × impact (1-5) score; anything ≥ 12 requires a written mitigation.
Asset inventory
| Asset | Classification | Encryption | Access |
|---|---|---|---|
| Cloud provider credentials (AWS / Azure / GCP / Snowflake / Databricks / DO) | Confidential | Fernet AES-128 at rest | Per-tenant DB isolation; admin-only writes |
| Customer revenue data (Stripe-joined) | Confidential | TLS 1.3 in transit; MongoDB at rest | Tenant-scoped via JWT |
| LLM API keys (OpenAI / Claude / Gemini) | Confidential | Emergent universal key (rotated) | Server-side only; never exposed to client |
| Okta SSWS tokens | Confidential | Fernet AES-128 at rest | Admin-only; symmetric for SCIM inbound |
| Webhook signing secrets (Jira / Linear / PostHog / Mixpanel) | Confidential | Plain-stored, HMAC-only use | Operator-set; rotation endpoint exists |
| Trace events & cost events | Internal | MongoDB at rest | Tenant-scoped reads |
| Algorithm-correctness test results | Public | n/a | Public via /algorithm-correctness |
Top 10 risks (Feb 2026)
| # | Risk | L × I | Mitigation | Status |
|---|---|---|---|---|
| R1 | Tenant data leakage via shared MongoDB connection pool | 3 × 5 = 15 | Per-tenant DB names enforced in tenant_db_for_user(); admin-export endpoints require role check | Mitigated |
| R2 | Webhook signature forgery | 4 × 4 = 16 | HMAC-SHA256 constant-time compare on every receiver; tested in test_webhook_adapters_feb18.py | Mitigated |
| R3 | Cloud-cred vault key compromise | 2 × 5 = 10 | Fernet key in env (out-of-process); rotation playbook documented; per-tenant credentials make blast radius small | Mitigated |
| R4 | LLM prompt injection in customer-supplied prompts | 3 × 3 = 9 | System-prompt allow-list; output never used in privileged operations | Mitigated |
| R5 | Runaway AI agent costs ($$$$) | 3 × 4 = 12 | Agent Economics hard-cap pre-check API; rolling-median runaway detection | Mitigated |
| R6 | Stripe webhook replay attack | 2 × 4 = 8 | Stripe signature header verified; idempotency keys on event IDs | Mitigated |
| R7 | Brute-force password attacks | 4 × 3 = 12 | Lockout after 5 attempts / 15 min; bcrypt 12 rounds | Mitigated |
| R8 | Insider data exfiltration | 2 × 5 = 10 | All admin reads logged to admin_audit_export; Code of Conduct §4 | Mitigated |
| R9 | Outage of upstream (MongoDB, OpenAI, Stripe) | 3 × 3 = 9 | Graceful fallback in qa_failover.py; status page (planned, A1.3) | Partial — A1.3 planned May 2026 |
| R10 | Algorithmic bias in cost attribution (Shapley overcounts a tenant) | 2 × 4 = 8 | Castro-2009 Monte-Carlo: provably fair (Σ contributions = total); 230+ tests in algorithm manifest | Mitigated |
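
The R2 and R6 mitigations above (constant-time HMAC-SHA256 check, idempotency on event IDs), sketched as an added example that is not this project's code. The secret, payload, class name and signature format (hex HMAC over the raw body) are assumptions and do not reproduce any provider's real header scheme.

```python
import hashlib
import hmac
import json

# Constructed secret for illustration only; not a value from this project.
SECRET = b"constructed-webhook-secret"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes sent on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Hypothetical receiver: verify the signature first, then de-duplicate."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen_ids = set()  # stand-in for a unique index in the database

    def accept(self, raw_body: bytes, signature: str) -> str:
        expected = sign(self._secret, raw_body)
        # compare_digest takes the same time wherever the two values differ,
        # so response timing does not reveal how much of a guess was correct.
        if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
            return "rejected"
        # Parse only after verification, and take the event ID from the signed
        # body: an ID read from an unsigned header could be changed to dodge
        # the duplicate check.
        event_id = json.loads(raw_body)["id"]
        if event_id in self._seen_ids:
            return "duplicate"
        self._seen_ids.add(event_id)
        return "accepted"


def demo() -> list:
    receiver = WebhookReceiver(SECRET)
    body = b'{"id": "evt_constructed_1", "type": "invoice.paid"}'  # constructed
    good = sign(SECRET, body)
    tampered = body.replace(b"invoice.paid", b"invoice.void")
    return [
        receiver.accept(body, good),                      # first delivery
        receiver.accept(body, good),                      # replay of same event
        receiver.accept(tampered, good),                  # body changed in transit
        receiver.accept(body, sign(b"wrong-key", body)),  # signed with another key
        receiver.accept(body, ""),                        # signature missing
    ]
```
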
Review cadence
- Quarterly — full re-score by Founder + Tech advisor
- Monthly — incident-driven re-score for any risk that materialized
- On every major release — new asset added → new STRIDE walk-through required before merge
Sign-off
Document approved Feb 18, 2026. Next review: May 18, 2026.