# Monthly Security Review Schedule

**Purpose:** Systematic security reviews to catch issues before they become problems.

**Frequency:** Weekly focus areas, rotating monthly.

## Weekly Review Schedule

| Week of Month | Focus Area | Owner | Time Budget |
|---|---|---|---|
| 1st week | Auth & Authorization | Claude | 1 hour |
| 2nd week | Error Handling | Claude | 1 hour |
| 3rd week | Test Coverage | Claude | 1 hour |
| 4th week | Compliance | Claude | 1 hour |

## Week 1: Auth & Authorization Review

**Goal:** Ensure all routes properly authenticate and authorize requests.

### Checklist

- Run route wrapper check (when enabled):
  ```bash
  grep -rL "createProtectedRoute\|createPublicRoute" app/api/**/route.ts
  ```
- Review any new routes added this month
- Verify organization checks on storage routes:
  - `app/api/storage/upload/route.ts`
  - `app/api/storage/download/route.ts`
  - `app/api/storage/download-url/route.ts`
  - `app/api/storage/delete/route.ts`
- Check for hardcoded user IDs or org IDs in code
- Review Cognito user pool settings (no changes without approval)
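The glob in the wrapper check above only reaches nested route directories when bash's `globstar` option is on (without it, `**` behaves like a single `*`). As an added example, not part of the project's own tooling, the following bash functions perform the same check with `find`, so every `route.ts` under `app/api` is covered; they assume only the directory layout and the two wrapper names named in this checklist:

```bash
#!/usr/bin/env bash
# Added example (not project code): list Next.js route handlers under app/api that
# use neither createProtectedRoute nor createPublicRoute, the wrapper names from
# the checklist. find is used instead of app/api/**/route.ts so nested directories
# are always covered, whatever the shell's globstar setting.

routes_missing_wrapper() {
  # usage: routes_missing_wrapper [API_DIR]   (default: app/api)
  # prints one unwrapped route file per line; prints nothing when every route is wrapped
  dir="${1:-app/api}"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  find "$dir" -type f -name 'route.ts' -exec \
    grep -L -e 'createProtectedRoute' -e 'createPublicRoute' {} + | sort
}

check_route_wrappers() {
  # usage: check_route_wrappers [API_DIR]
  # exit 0 when every route.ts is wrapped, 1 when some are not, 2 when the directory is missing
  missing=$(routes_missing_wrapper "$1") || return 2
  if [ -n "$missing" ]; then
    echo "Routes without an auth wrapper (fail):" >&2
    echo "$missing" >&2
    return 1
  fi
  echo "All route handlers under ${1:-app/api} use a wrapper (pass)." >&2
  return 0
}

# Stand-alone use: run the check against the real tree when it is present.
if [ -d app/api ]; then
  check_route_wrappers app/api
fi
```

`check_route_wrappers` returns a non-zero status when any route is unwrapped, so the same function can gate a CI job or a pre-deploy script as well as the weekly review. A route that matches by name only (for example a wrapper mentioned in a comment) still needs the manual read described in the checklist.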

### Pass Criteria

- All protected routes use the `createProtectedRoute` wrapper
- All storage routes verify org membership before access
- No routes expose data across organization boundaries

## Week 2: Error Handling Review

**Goal:** Ensure failures are logged and don't expose sensitive information.

### Checklist

- Check audit health endpoint: `GET /api/admin/audit-health`
- Review recent audit log failures:
  ```sql
  SELECT * FROM audit_log WHERE success = false ORDER BY created_at DESC LIMIT 20;
  ```
- Search for silent catch blocks:
  ```bash
  grep -r "catch.*{}" app/ lib/ --include="*.ts" --include="*.tsx"
  ```
- Verify error responses don't leak internal details
- Check console.error logs for unexpected patterns
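The one-line grep above only catches a `catch` whose braces sit on the same line; a block that spans several lines but holds nothing except whitespace or a comment is just as silent. As an added example, not code from the project, this bash function walks the `.ts`/`.tsx` files under the given directories with awk and reports both forms:

```bash
#!/usr/bin/env bash
# Added example (not project code): find silent catch blocks in TypeScript sources,
# including the multi-line form the one-line grep misses (a body that is empty or
# contains only // comments).

find_silent_catches() {
  # usage: find_silent_catches DIR...    e.g. find_silent_catches app lib
  # prints "file:line: <reason>" for each silent catch; prints nothing when none are found
  find "$@" -type f \( -name '*.ts' -o -name '*.tsx' \) | sort | while IFS= read -r f; do
    awk '
      # one-line form: catch (e) {}   or   catch {}
      /catch[ \t]*([(][^)]*[)])?[ \t]*[{][ \t]*[}]/ {
        print FILENAME ":" FNR ": one-line empty catch"; next
      }
      # opening line of a catch block whose body continues below
      /catch[ \t]*([(][^)]*[)])?[ \t]*[{][ \t]*$/ {
        in_catch = 1; start = FNR; next
      }
      in_catch {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "}") {                      # block closed with nothing executable inside
          print FILENAME ":" start ": empty or comment-only catch block"; in_catch = 0; next
        }
        if (line == "" || line ~ /^[/][/]/) next  # blank and // comment lines are not handling
        in_catch = 0                              # a real statement: the error is handled somehow
      }
    ' "$f"
  done
}

count_silent_catches() {
  # usage: count_silent_catches DIR...   prints the number of findings
  find_silent_catches "$@" | wc -l | tr -d ' '
}

# Stand-alone use against the directories named in the checklist, when present.
for d in app lib; do
  if [ -d "$d" ]; then find_silent_catches "$d"; fi
done
```

The awk program is intentionally simple: it recognises `//` comments but not `/* */` blocks, and a catch whose only statement is a `return` or a `console.log` still counts as handled, so the findings list is a starting point for the manual review rather than a verdict.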

### Pass Criteria

- Audit failure count is 0 or investigated
- No silent catch blocks in production code
- Error responses use standardized format

## Week 3: Test Coverage Review

**Goal:** Ensure test coverage is maintained and critical paths are tested.

### Checklist

- Run test suite with coverage:
  ```bash
  npm test -- --coverage
  ```
- Verify coverage meets threshold (70%+)
- Check critical path tests status:
  ```bash
  npm test -- __tests__/integration/critical-paths/
  ```
- Review any skipped tests - document why
- Check for flaky tests (tests that sometimes fail)

### Pass Criteria

- All tests pass
- Coverage >= 70%
- No unexplained skipped tests
- Critical path test stubs progressing to implementation

## Week 4: Compliance Review

**Goal:** Ensure audit logging and GDPR features are functioning.

### Checklist

- Verify audit log captures all required actions:
  ```sql
  SELECT DISTINCT action FROM audit_log ORDER BY action;
  ```
- Test GDPR data export flow manually
- Test GDPR deletion flow (on test account)
- Check S3 bucket encryption settings
- Review CloudWatch alarms (when configured)
- Check for PII in application logs
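Two of the checks above can be scripted against exported data without touching production. As an added example, not the project's own tooling, the bash functions below (a) diff a required-action list against the output of the `SELECT DISTINCT action` query saved one action per line, and (b) grep application log lines for e-mail, card-number and SSN shapes. The action names and log lines inside the block are constructed for the demonstration, not taken from the project:

```bash
#!/usr/bin/env bash
# Added example (not project code): two offline checks for the compliance review.
#  1. missing_audit_actions: compare the required action list against the output of
#     `SELECT DISTINCT action FROM audit_log ORDER BY action;` (one action per line).
#  2. scan_logs_for_pii: flag log lines that look like they carry e-mail addresses,
#     card numbers or US-style SSNs. The patterns are heuristics; hits need a human look.

missing_audit_actions() {
  # usage: missing_audit_actions EXPECTED_FILE OBSERVED_FILE
  # prints each expected action that never appears in the observed list
  grep -vxF -f "$2" "$1" | sort -u
}

scan_logs_for_pii() {
  # usage: scan_logs_for_pii LOGFILE...
  # prints matching lines prefixed with their line number; exit status is grep's (1 = no hits)
  grep -nE \
    -e '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
    -e '(^|[^0-9])[0-9]{4}([ -]?[0-9]{4}){3}([^0-9]|$)' \
    -e '(^|[^0-9])[0-9]{3}-[0-9]{2}-[0-9]{4}([^0-9]|$)' \
    "$@"
}

# Constructed sample data so both functions can be exercised without a database or log store.
demo_dir=$(mktemp -d)
printf '%s\n' user.login user.logout file.upload file.delete gdpr.export > "$demo_dir/expected"
printf '%s\n' file.upload user.login user.logout > "$demo_dir/observed"   # stand-in for query output
cat > "$demo_dir/app.log" <<'EOF'
2024-01-03T10:00:01Z INFO user_login user_id=42 org_id=7
2024-01-03T10:00:05Z ERROR export failed for jane.doe@example.com
2024-01-03T10:01:10Z INFO payment attempt card=4111 1111 1111 1111 status=declined
2024-01-03T10:02:00Z INFO upload ok key=org-7/1234567890123456.pdf
EOF

echo "Actions never seen in audit_log:"
missing_audit_actions "$demo_dir/expected" "$demo_dir/observed"
echo "Log lines to triage for PII:"
scan_logs_for_pii "$demo_dir/app.log" || true
rm -rf "$demo_dir"
```

The PII patterns are deliberately broad: in the sample, the 16-digit object key on the last line trips the card pattern as well, so each hit is triaged by hand rather than treated as a confirmed finding. For a real review, feed `scan_logs_for_pii` the exported CloudWatch or application log files, and `missing_audit_actions` the query output saved one action per line (for example from `psql -At` if the database is Postgres; that choice is an assumption, not something this schedule states).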

### Pass Criteria

- All state changes logged in audit_log
- GDPR export produces complete data
- GDPR deletion removes all user data
- No PII in application logs

## Quarterly Deep Dive (End of Q1, Q2, Q3, Q4)

In addition to weekly reviews, conduct a deeper review quarterly:

### Security

- Review Semgrep scan results
- Check for new CVEs in dependencies:
  ```bash
  npm audit
  ```
- Review AWS IAM policies
- Check Cognito password policy compliance

### Infrastructure

- Review RDS backup status
- Check S3 versioning and lifecycle policies
- Review CloudTrail logs for suspicious activity
- Verify Amplify deployment settings

### Documentation

- Update `docs/compliance/compliance_controls.md` if needed
- Review and update `docs/production-blockers.md`
- Update this security review schedule if needed

## Review Log

Record completed reviews here:

| Date | Week | Reviewer | Findings | Actions Taken |
|---|---|---|---|---|

## Escalation

If any review finds a HIGH severity issue:

- Document immediately in `docs/production-blockers.md`
- Create a GitHub issue with the `security` label
- Do not deploy until resolved
- Consider whether incident response is needed

## Notes

- Reviews should be done at the start of each Claude Code session if it's review week
- Findings should be addressed before starting feature work
- This schedule aligns with the security remediation plan