Security Assessment Scope Document
Client: Kabylie Gold -- Samir Bouzid, Managing Director
Engagement type: Container security and reconnaissance depth assessment
Date: [Current date]
Engagement overview
Security assessment of the Kabylie Gold ordering platform, commissioned by the managing director to satisfy French food safety digital security requirements for EU export certification. The assessment covers the ordering platform, its container infrastructure, and the supporting monitoring stack.
Kabylie Gold exports olive oil from Bejaia, Algeria, to wholesale buyers in France, Germany, Canada, and the US. The ordering platform allows 40 wholesale buyers to log in, view inventory, place orders, and track shipments. It runs in Docker containers on a rented server, built by a development agency in Algiers.
Target system
- Ordering platform: http://localhost:8080 -- the wholesale buyer-facing web application
- Database: PostgreSQL (port 5432) -- stores buyer accounts, orders, products, shipments
- Monitoring: Grafana at http://localhost:3000, Loki, Alloy -- log collection and visualization
- Container infrastructure: Docker containers running the application, database, and monitoring services. The container configuration itself (Dockerfiles, compose file, runtime settings) is in scope.
In scope
- The web application on port 8080: buyer login, order management, inventory view, shipment tracking, all API endpoints
- Docker container configuration and security: Dockerfiles, runtime user, filesystem permissions, base image security, resource limits
- The server's network services: all ports, all protocols (TCP and UDP)
- The monitoring stack configuration: Grafana access controls, Loki data exposure, Alloy collection configuration
- Passive reconnaissance of the domain: certificate transparency logs, Shodan/Censys results, Google-indexed information
- Active reconnaissance: port scanning, OS detection, content discovery, service enumeration
Out of scope
- The host operating system beyond container configuration
- Social engineering of Kabylie Gold employees
- Denial-of-service testing (the platform must remain operational for active buyer orders)
- The brochure website (separate server, separate assessment)
- The payment processing infrastructure (handled by a third-party wire transfer service)
- Samir's internal business systems (accounting, inventory management outside the platform)
- Any systems or domains discovered during passive reconnaissance that are not listed above
Authorized activities
- Passive OSINT: certificate transparency (crt.sh), infrastructure discovery (Shodan, Censys), targeted search (Google dork operators)
- Port scanning with multi-protocol support: TCP SYN/connect, UDP, OS detection, service version detection, script scanning
- Content discovery: directory and file enumeration (ffuf)
- Web application vulnerability testing: authentication testing, input validation, API security
- Docker container security assessment: Dockerfile review, base image vulnerability scanning (Trivy), runtime configuration analysis
- Packet capture: Wireshark/tshark for network-level analysis of scanning and exploitation activity
- Log analysis via the monitoring stack: Grafana queries, Loki log analysis, Alloy configuration review
Constraints
- Testing must not disrupt active buyer orders. The platform handles daily order activity from 40 wholesale accounts.
- All findings must be documented with evidence, impact assessment, and compliance relevance.
- Any out-of-scope discoveries during passive reconnaissance must be reported to the client, not investigated.
- The assessment report must be suitable for presentation to French food safety inspectors as part of EU export certification review.