HSM Security Audit
Comprehensive security verification for HSM modules.
Usage
```
/hsm-security [module-number]
```
What You Do
- Dependency Audit:
  ```bash
  cargo audit
  ```
  Check for CVEs in dependencies.
- Clippy Security Lints:
  ```bash
  cargo clippy --all -- -D warnings
  ```
  Check for security anti-patterns, unsafe usage, potential panics.
- Constant-Time Operations: Search for crypto operations and verify they use constant-time comparison:
  - ✅ Uses `subtle::ConstantTimeEq`
  - ❌ Uses `==` for signature/password comparison
- Memory Zeroization: Check that sensitive types have `#[derive(Zeroize, ZeroizeOnDrop)]`:
  - Private keys
  - Passwords/tokens
  - Temporary crypto buffers
- Secret Redaction: Verify that secrets never appear in a `Debug` impl or in logs:
  ```rust
  use std::fmt;

  // ✅ Good: Debug output names the field but never prints the key material
  impl fmt::Debug for Config {
      fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
          f.debug_struct("Config")
              .field("master_key", &"<redacted>")
              .finish()
      }
  }
  ```
- Input Validation: Check that all external inputs are validated (size limits, range checks, sanitization).
- Generate Report: Show findings with severity (Critical, High, Medium, Low) and recommendations.
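The constant-time, zeroization and redaction checks above can be pre-screened mechanically before manual review. The following is an added example, not part of the original page or of any project's tooling: a std-only heuristic scanner whose names (`audit`, `Finding`, `SECRET_HINTS`, `SAMPLE`), hint list and severity assignments are all assumptions, and whose hits still need a human to confirm them.

```rust
// Added example: heuristic line scanner for three checks from the audit list.
// SECRET_HINTS and the severity given to each finding are assumptions.
#[allow(dead_code)]
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Severity { Critical, High, Medium, Low }
#[derive(Debug, PartialEq)]
pub struct Finding { pub line: usize, pub severity: Severity, pub msg: &'static str }
const SECRET_HINTS: [&str; 6] = ["password", "secret", "token", "signature", "hmac", "_key"];

pub fn audit(src: &str) -> Vec<Finding> {
    let secret = |s: &str| { let s = s.to_lowercase(); SECRET_HINTS.iter().any(|h| s.contains(*h)) };
    let (mut out, mut derives, mut in_struct) = (Vec::new(), String::new(), false);
    let mut hit = |line: usize, severity: Severity, msg: &'static str| out.push(Finding { line, severity, msg });
    for (i, raw) in src.lines().enumerate() {
        let (line, l) = (i + 1, raw.trim());
        if l.starts_with("//") { continue; }
        if l.starts_with("#[derive(") { derives = l.to_string(); continue; }
        if in_struct {
            if l.starts_with('}') {
                in_struct = false;
                derives.clear();
            } else if secret(l) {
                if derives.contains("Debug") { hit(line, Severity::High, "derived Debug prints a secret field"); }
                if !derives.contains("ZeroizeOnDrop") { hit(line, Severity::Medium, "secret field is not zeroized on drop"); }
            }
            continue;
        }
        if (l.starts_with("struct ") || l.starts_with("pub struct ")) && l.ends_with('{') {
            in_struct = true;
            continue;
        }
        if (l.contains("==") || l.contains("!=")) && secret(l) && !l.contains("ct_eq") {
            hit(line, Severity::High, "variable-time comparison of a secret");
        }
        derives.clear(); // a derive only applies to the item directly after it
    }
    out
}
// Constructed sample input, not taken from any real code base.
pub const SAMPLE: &str = "\
#[derive(Debug, Clone)]
struct Config {
    master_key: [u8; 32],
}
fn check(sig: &[u8], expected_signature: &[u8]) -> bool {
    sig == expected_signature
}
";
fn main() { for f in audit(SAMPLE) { println!("{:?} line {}: {}", f.severity, f.line, f.msg); } }
```

The scanner matches on names only, so a secret held in a neutrally named variable is missed and an innocuous `token_count == 0` is flagged; treat its output as a review queue, not a verdict.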