
5 docs tagged with "owasp"


OWASP Dependency Check

OWASP Dependency Check is a software composition analysis (SCA) tool that detects publicly disclosed vulnerabilities (CVEs) in project dependencies. It cross-references every Maven JAR on the build's classpath against the National Vulnerability Database (NVD) and generates an HTML/JSON report. Matching is evidence-based (the tool derives a CPE identifier from artifact metadata), so a reported CVE should be confirmed against the actual artifact before it is suppressed or fixed.

OWASP ZAP Security Scan

OWASP ZAP (Zed Attack Proxy) is an open-source Dynamic Application Security Testing (DAST) tool. It acts as an automated penetration tester: it spiders the running application, replays requests with malformed and adversarial payloads, and reports the vulnerabilities it observes at runtime. Unlike SCA, which only inspects dependencies, it exercises the deployed application itself.

Security & QA

This section documents the security hardening and quality assurance practices introduced in Story 018 — QA Security Hardening & Launch. It covers every layer of the RCB platform: HTTP security headers, automated vulnerability scanning, load testing, end-to-end browser testing, and the operational runbook for migrating the database from MySQL to PostgreSQL.

Security Headers Reference

The RCB platform sets HTTP security headers at two distinct layers: the Spring Security filter chain (for all /api/ responses) and nginx (for the React SPA and static assets). Each layer is tuned independently because their content requirements differ. The SPA needs 'unsafe-inline' in the CSP style-src directive because MUI's emotion CSS engine injects styles at runtime, whereas the API returns only JSON and never serves inline scripts, so its policy can be locked down completely.

Weekly Security Scan CI Workflow

The RCB platform runs a comprehensive security scan every Saturday at 02:00 UTC. This automated workflow catches newly disclosed CVEs in dependencies, verifies security headers are present, and runs a DAST scan against the staging environment.
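The header check such a weekly scan performs can be kept offline and deterministic by validating captured response headers against a per-layer policy. The following is an added example, not the RCB platform's own CI code. It assumes two policies that match the layering described above: the SPA layer may carry 'unsafe-inline' only in style-src, and the /api/ layer may not carry it at all. The three header sets are constructed samples, not responses captured from staging.

```python
"""Per-layer security-header check of the kind a weekly CI scan would run.

Added example, not the RCB platform's own code. Assumed policy: the SPA
layer may carry 'unsafe-inline' only in style-src (for the emotion CSS
engine); the /api/ layer must have no 'unsafe-inline' at all.
"""
from __future__ import annotations

# Headers every response from either layer is expected to carry (assumed list).
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

ONE_YEAR = 31536000


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Per the CSP spec, a directive that appears twice keeps its first value.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_headers(headers: dict[str, str], layer: str) -> list[str]:
    """Return findings for one response; an empty list means it passes.

    layer is 'spa' or 'api' and selects which CSP relaxations are tolerated.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {name}" for name in REQUIRED_HEADERS if name not in h]

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")

    # HSTS: require a max-age of at least one year.
    max_age = 0
    for part in h.get("strict-transport-security", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < ONE_YEAR:
        findings.append("strict-transport-security max-age below one year")

    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("csp has no default-src fallback")
    for directive, sources in csp.items():
        if "'unsafe-inline'" in sources and not (layer == "spa" and directive == "style-src"):
            findings.append(f"csp: 'unsafe-inline' in {directive} not permitted on {layer} layer")
    # script-src falls back to default-src when absent.
    if "'unsafe-eval'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("csp: 'unsafe-eval' in script-src")
    return findings


# Constructed sample responses (not captured from any real environment).
SPA_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "style-src 'self' 'unsafe-inline'; img-src 'self' data:",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
API_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}
# A regressed API response: 'unsafe-inline' leaked into script-src and HSTS is too short.
BAD_API_HEADERS = dict(API_HEADERS, **{
    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
})


if __name__ == "__main__":
    for label, headers, layer in (("spa", SPA_HEADERS, "spa"),
                                  ("api", API_HEADERS, "api"),
                                  ("regressed api", BAD_API_HEADERS, "api")):
        findings = check_headers(headers, layer)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

In a real pipeline the header dicts would come from an HTTP client pointed at staging, and a non-empty findings list would fail the job; keeping the policy per layer is what stops the SPA's style-src relaxation from silently being accepted on an /api/ response.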