CLAUDE.md

Cooperativa Nubes del Tachira -- Security Assessment

Client

Andres Ramirez, General Manager, Cooperativa Nubes del Tachira. A specialty coffee cooperative in San Cristobal, Tachira, Venezuela. 100 farmer members, 8 staff. Exports high-altitude Arabica to the US, Japan, and Europe.

The Problem

The cooperative's biggest buyer (Portland, Oregon) requires all origin partners to demonstrate cybersecurity due diligence after a competitor's supply chain breach. Andres needs to understand what systems the cooperative has, whether they are secure, and produce evidence for the buyer.

What You're Building

A multi-target security assessment covering the cooperative's digital infrastructure: export tracking system, farmer member portal, fermentation monitoring API, payment processing, and third-party integrations. The assessment produces: attack surface map, STRIDE threat model, exploitation evidence, detection rules, risk-assessed remediation plan, and a compliance evidence report for the Portland buyer.

Tools

  • Nmap -- multi-target scanning and custom NSE scripts
  • ZAP -- web application scanning scoped to threat model priorities
  • Nuclei -- template-based vulnerability scanning
  • Semgrep -- SAST for code-level and supply chain vulnerabilities
  • Trivy -- container and dependency vulnerability scanning
  • Metasploit -- multi-layer exploitation
  • Docker -- lab environment running cooperative infrastructure
  • Grafana/Loki/Alloy -- logging, monitoring, and detection
  • Sigma -- detection rule authoring and testing
  • Claude Code -- AI-directed assessment

Environment

Docker Compose environment with services:

  • export-tracker (port 3000) -- Node.js/Express, buyer dashboard, shipment tracking
  • member-portal (port 5000) -- Python/Flask, farmer data, harvest reporting
  • fermentation-api (port 8080) -- Python/Flask, temperature/humidity sensors, no auth
  • shipping-api (port 4000) -- Node.js, third-party shipping mock, pricing in URL params
  • payment-processor (port 6000) -- Python, farmer payments, vulnerable dependency
  • grafana (port 3001) -- monitoring dashboards
  • loki (port 3100) -- log aggregation
  • alloy -- log collection from export-tracker, member-portal, fermentation-api

Work Breakdown

  1. Client discovery -- discover engagement scope through conversation with Andres
  2. Attack surface mapping -- DNS enumeration, network topology, third-party integrations
  3. Threat modelling -- STRIDE analysis driven by reconnaissance findings
  4. TTP-scoped scanning -- Nmap, ZAP, Nuclei targeted by threat model
  5. Custom checks -- NSE scripts for conditions default scanning misses
  6. Multi-layer exploitation -- web, network, API, container, supply chain
  7. Detection engineering -- Sigma rules for multi-layer attack patterns
  8. Remediation -- risk-assessed fixes, compensating controls, rollback procedures
  9. Assessment report -- executive summary, compliance evidence, technical findings
  10. Project close -- README, clean commit history, push to GitHub

Verification Targets

  • Cross-tool correlation verified (Nmap + ZAP + Nuclei findings matched)
  • False positives documented and excluded from report
  • At least one custom NSE script producing verified findings
  • Semgrep findings assessed for runtime reachability
  • Detection rules tuned against both attack and normal traffic
  • Remediation risk assessed for complex fixes
  • Compensating controls documented for unfixable findings
  • Rollback procedures written for risky changes
  • Report contains executive summary, compliance evidence, and technical findings
  • Compliance evidence satisfies Portland buyer's supply chain requirements

Commit Convention

Commit after each significant engagement phase. Descriptive messages that reflect assessment progression: "map cooperative attack surface including third-party integrations," "correlate Nuclei and ZAP findings for export-tracker," "write detection rules for SQL injection and lateral movement patterns," "risk-assess remediation plan with rollback procedures."