
Embedded Security Certification System

Overview

When you deliver a system to clients, they need proof it’s secure - not promises. The Embedded Security Certification System runs automated security validation across 59 checks, tests your platform against adversarial AI scenarios, and generates professional certificates mapped to OWASP ASVS 5.0 and NIST CSF 2.0 standards. Ship with evidence-based security documentation that proves your platform protects sensitive data.

Step-by-Step Guide

Generate a Security Certificate (Admin Only)

  1. Access the certification endpoint - Navigate to your admin dashboard or call the certification API directly. Only admin users can generate security certificates.
  2. Choose synchronous or async mode - For quick validation (static analysis only), use the synchronous endpoint with skipAdversarial: true. This completes in under 10 seconds. For full certification including AI adversarial testing, queue an async job.
  3. Review the certificate - The system returns an overall grade (A/B/C/D/F) based on six security dimensions: Authentication, Access Control, Data Protection, Infrastructure, Compliance, and Audit. Each dimension shows a 0-100 score.
  4. Check OWASP ASVS mappings - Every finding in your certificate maps to a specific OWASP ASVS 5.0 requirement ID. Security consultants can independently verify these mappings against the OWASP standard.
  5. Download the markdown report - Export a professional security report with executive summary, traffic-light indicators, and detailed findings. Share this with clients or investors.
  6. Verify calibration status - Check the calibrationStatus field. If marked FAILED, the certificate requires human review because a known-insecure configuration incorrectly passed validation.

Monitor Async Certification Progress

  1. Submit the certification job - Call the async endpoint. You receive a 202 status with a job ID immediately.
  2. Poll for progress - Check the job status endpoint. The API returns progress percentage (0-100) and phase information (Static Analysis, Red Team, Blue Team, Auditor).
  3. Retrieve the completed certificate - When status shows COMPLETED, fetch both the JSON certificate and markdown report. The certificate includes an audit trail with ISO 8601 timestamps for each phase.
  4. Handle failures - If the job fails, the status endpoint shows the failure reason and attempt count. Common failures include timeout, dependency errors, or calibration canary violations.
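The four steps above as one offline-runnable client, added here as an illustration and not the product's own client code. It polls a status endpoint until the job is terminal, branches on COMPLETED versus FAILED (surfacing the failure reason and attempt count), and sanity-checks the completed certificate's audit trail (phase order, ISO 8601 timestamps, and the 5-minute phase timeout mentioned under Troubleshooting). The status values, field names other than those the page states, the job ID, and the replayed responses are constructed assumptions.

```python
"""Added example, not the product's own client code. It walks the async flow
(submit -> poll -> fetch certificate -> handle failure) against constructed
status responses, so it runs offline. Terms the page states (status, progress,
phase, COMPLETED, failure reason, attempt count, ISO 8601 audit trail) are used
as-is; endpoint paths, jobId and the exact JSON keys are assumptions."""
import time
from datetime import datetime
from typing import Callable

PHASE_ORDER = ["Static Analysis", "Red Team", "Blue Team", "Auditor"]
PHASE_TIMEOUT_S = 300  # page: a phase running past 5 minutes has likely timed out


def poll_job(fetch_status: Callable[[str], dict], job_id: str, *,
             max_polls: int = 300, interval_s: float = 2.0,
             sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll the (assumed) job status endpoint until a terminal status.
    Returns {"outcome": COMPLETED|FAILED|TIMEOUT, "payload": last response}
    so callers can branch without catching exceptions."""
    payload: dict = {"status": "UNKNOWN"}
    for n in range(1, max_polls + 1):
        payload = fetch_status(job_id)
        print(f"poll {n}: {payload['status']} {payload.get('progress', 0)}% "
              f"phase={payload.get('phase')}")
        if payload["status"] in ("COMPLETED", "FAILED"):
            return {"outcome": payload["status"], "payload": payload}
        sleep(interval_s)
    return {"outcome": "TIMEOUT", "payload": payload}


def audit_trail_problems(trail: list[dict]) -> list[str]:
    """Sanity-check a completed certificate's audit trail: the four phases in
    order, ISO 8601 start times that never go backwards, no phase past timeout."""
    problems = []
    if [e["phase"] for e in trail] != PHASE_ORDER:
        problems.append("phases missing or out of order")
    prev = None
    for entry in trail:
        try:
            started = datetime.fromisoformat(entry["startedAt"])
        except ValueError:
            problems.append(f"{entry['phase']}: startedAt is not ISO 8601")
            continue
        if prev is not None and started < prev:
            problems.append(f"{entry['phase']}: starts before the previous phase")
        prev = started
        if entry["durationSeconds"] > PHASE_TIMEOUT_S:
            problems.append(f"{entry['phase']}: ran {entry['durationSeconds']}s, likely timed out")
    return problems


def replay(responses: list[dict]) -> Callable[[str], dict]:
    """Build a fetch function that replays constructed status responses in
    order and then keeps returning the last one, as a real endpoint would."""
    queue = list(responses)

    def fetch(_job_id: str) -> dict:
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return fetch


# Constructed responses: a 202 acknowledgement, then status polls through every phase.
SUBMIT_RESPONSE = {"httpStatus": 202, "jobId": "job-0001"}
COMPLETED_TRAIL = [
    {"phase": "Static Analysis", "startedAt": "2024-01-01T10:00:00+00:00", "durationSeconds": 8},
    {"phase": "Red Team",        "startedAt": "2024-01-01T10:00:08+00:00", "durationSeconds": 95},
    {"phase": "Blue Team",       "startedAt": "2024-01-01T10:01:43+00:00", "durationSeconds": 80},
    {"phase": "Auditor",         "startedAt": "2024-01-01T10:03:03+00:00", "durationSeconds": 40},
]
STATUS_RESPONSES = [
    {"status": "RUNNING", "progress": 10, "phase": "Static Analysis"},
    {"status": "RUNNING", "progress": 45, "phase": "Red Team"},
    {"status": "RUNNING", "progress": 75, "phase": "Blue Team"},
    {"status": "COMPLETED", "progress": 100, "phase": "Auditor",
     "certificate": {"grade": "B", "calibrationStatus": "PASSED", "auditTrail": COMPLETED_TRAIL}},
]
FAILED_RESPONSES = [
    {"status": "RUNNING", "progress": 20, "phase": "Red Team"},
    {"status": "FAILED", "failureReason": "timeout", "attemptCount": 3},
]

if __name__ == "__main__":
    result = poll_job(replay(STATUS_RESPONSES), SUBMIT_RESPONSE["jobId"], sleep=lambda s: None)
    if result["outcome"] == "COMPLETED":
        cert = result["payload"]["certificate"]
        print("grade", cert["grade"], "audit problems:", audit_trail_problems(cert["auditTrail"]))
    else:
        p = result["payload"]
        print("not completed:", result["outcome"], p.get("failureReason"), p.get("attemptCount"))
```

In real use, `fetch_status` would wrap an authenticated GET of the job status endpoint; the replay helper exists only so the loop and the audit-trail checks can be exercised without credentials. Checking each phase's duration against the timeout is what tells you whether a stuck job is worth retrying or whether your AI API credentials and rate limits need attention first.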

Common Questions

Q: Why does my certificate show a CALIBRATION_FAILED status?
A: The system runs 10 calibration canaries with known security flaws. If any canary incorrectly passes (scores 60 or above), the certificate is flagged. This prevents the system from rubber-stamping insecure configurations. Contact support for human review.
Q: What’s the difference between synchronous and async certification?
A: Synchronous certification runs static analysis only and completes in under 60 seconds. Async certification includes adversarial AI evaluation with three independent personas (Red Team, Blue Team, Auditor), which takes longer but provides comprehensive validation.
Q: How does adversarial AI evaluation prevent bias?
A: Three AI personas evaluate your security independently. The Red Team attacks from an adversary’s perspective. The Blue Team defends. The Auditor resolves disagreements. The Red Team prevails in more than 50% of cases, structurally counteracting AI bias toward positive assessments.
Q: Can I customize which checks run during certification?
A: No. All 59 checks across 6 dimensions run every time. This ensures consistency and prevents cherry-picking. Missing controls are penalized more heavily than present controls are rewarded (asymmetric scoring).
Q: What happens if evidence can’t be collected for a check?
A: The evidence-or-zero rule applies. If the system can’t find specific evidence (file path, config value, header), that check scores 0 points rather than guessing. This prevents false positives.

Troubleshooting

Issue: Certificate shows lower grade than expected
Solution: Review the dimension scores in the JSON certificate. Each finding includes an asvsRef field showing which OWASP requirement failed. Common culprits: missing CSRF protection, weak cookie settings (sameSite: 'none'), or wildcard CORS (origin: '*'). The markdown report’s traffic-light indicators show which dimensions need attention.
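A miniature scorer that applies the rules described in Common Questions (the evidence-or-zero rule, asymmetric scoring, and calibration canaries) to the culprits listed in this troubleshooting entry: CSRF protection, cookie sameSite, and CORS origin. This is an added illustration written for this page, not the product's own scoring engine. The check names, config paths, weights, grade thresholds, the calibrationStatus values and every asvsRef value are assumptions (the asvsRef strings are placeholders, not real OWASP ASVS 5.0 IDs); the 60-point canary threshold and the six-dimension model come from the page.

```python
"""Added illustration, not the product's own scoring code: evidence-or-zero,
asymmetric scoring and calibration canaries applied to constructed configs.
Check names, config paths, weights, grade bands and asvsRef values are assumed."""
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Check:
    check_id: str
    dimension: str
    asvs_ref: str                  # placeholder, not a real ASVS 5.0 requirement ID
    evidence_path: str             # dotted path into the platform config
    passes: Callable[[Any], bool]  # judged only on collected evidence


CHECKS = [
    Check("csrf-protection", "Access Control", "ASVS-REF-PLACEHOLDER-1",
          "security.csrf.enabled", lambda v: v is True),
    Check("cookie-samesite", "Authentication", "ASVS-REF-PLACEHOLDER-2",
          "session.cookie.sameSite", lambda v: str(v).lower() in ("lax", "strict")),
    Check("cookie-secure", "Authentication", "ASVS-REF-PLACEHOLDER-3",
          "session.cookie.secure", lambda v: v is True),
    Check("cors-origin", "Infrastructure", "ASVS-REF-PLACEHOLDER-4",
          "cors.origin", lambda v: isinstance(v, str) and v != "*"),
    Check("tls-min-version", "Data Protection", "ASVS-REF-PLACEHOLDER-5",
          "tls.minVersion", lambda v: v in ("1.2", "1.3")),
]

EXTRA_PENALTY = 15     # assumed: a missing control loses its share AND this much more
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))  # assumed thresholds
CANARY_THRESHOLD = 60  # from the page: a canary scoring 60 or above flags the run


def collect_evidence(config: dict, path: str) -> Optional[Any]:
    """Walk a dotted path; return None when any segment is absent."""
    node: Any = config
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def run_checks(config: dict, guess_missing: bool = False) -> list[dict]:
    """Evaluate every check. guess_missing=False is the evidence-or-zero rule:
    no collectable evidence means 0 credit. guess_missing=True models a broken
    scorer that assumes absent settings are fine (what the canaries catch)."""
    findings = []
    for chk in CHECKS:
        evidence = collect_evidence(config, chk.evidence_path)
        if evidence is None:
            passed, note = guess_missing, "no evidence at " + chk.evidence_path
        else:
            passed, note = bool(chk.passes(evidence)), f"{chk.evidence_path}={evidence!r}"
        findings.append({"checkId": chk.check_id, "dimension": chk.dimension,
                         "asvsRef": chk.asvs_ref, "passed": passed, "evidence": note})
    return findings


def dimension_scores(findings: list[dict]) -> dict[str, int]:
    """Asymmetric scoring: a passing control earns only its share of 100; a
    failing or unevidenced control loses its share plus EXTRA_PENALTY."""
    scores = {}
    for dim in sorted({f["dimension"] for f in findings}):
        in_dim = [f for f in findings if f["dimension"] == dim]
        fails = sum(not f["passed"] for f in in_dim)
        share = round(100 * (len(in_dim) - fails) / len(in_dim))
        scores[dim] = max(0, min(100, share - EXTRA_PENALTY * fails))
    return scores


def grade(overall: float) -> str:
    return next((g for floor, g in GRADE_BANDS if overall >= floor), "F")


def certify(config: dict, canaries: list[dict], guess_missing: bool = False) -> dict:
    """Score the config, then re-score each known-insecure canary with the same
    rules; any canary reaching CANARY_THRESHOLD marks calibration as FAILED."""
    findings = run_checks(config, guess_missing)
    scores = dimension_scores(findings)
    overall = sum(scores.values()) / len(scores)
    canary_scores = []
    for canary in canaries:
        cs = dimension_scores(run_checks(canary, guess_missing))
        canary_scores.append(sum(cs.values()) / len(cs))
    calibration = "FAILED" if any(s >= CANARY_THRESHOLD for s in canary_scores) else "PASSED"
    return {"grade": grade(overall), "overall": overall, "dimensions": scores,
            "findings": [f for f in findings if not f["passed"]],
            "calibrationStatus": calibration, "canaryScores": canary_scores}


# Constructed sample configs: one hardened platform and two canaries with known flaws.
GOOD_CONFIG = {"security": {"csrf": {"enabled": True}},
               "session": {"cookie": {"sameSite": "Lax", "secure": True}},
               "cors": {"origin": "https://app.example.com"}, "tls": {"minVersion": "1.3"}}
CANARIES = [
    {"security": {"csrf": {"enabled": False}},
     "session": {"cookie": {"sameSite": "none", "secure": True}},
     "cors": {"origin": "*"}, "tls": {"minVersion": "1.0"}},
    {},  # nothing configured at all: every check must score 0, never be guessed
]

if __name__ == "__main__":
    import json
    print(json.dumps(certify(GOOD_CONFIG, CANARIES), indent=2))
    print(json.dumps(certify(GOOD_CONFIG, CANARIES, guess_missing=True), indent=2))
```

Two things to notice when reading the output. First, the failing findings each carry an asvsRef, which is what a consultant verifies; the evidence note tells you exactly which config value or missing path produced the score. Second, the lenient run (`guess_missing=True`) scores the hardened config identically, but the empty canary now sails to 100 and flips calibrationStatus to FAILED: the canaries exist precisely to catch a scorer that rubber-stamps absent controls.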
Issue: Async job stuck in progress
Solution: Check the audit trail in the certificate JSON. Each phase includes start time and duration. If a phase exceeds 5 minutes, it likely timed out. Retry the job. If timeout persists, verify your AI API credentials and rate limits.
Issue: Certificate rejected by security consultant
Solution: Share the OWASP ASVS mappings section. Every finding maps to a specific OWASP ASVS 5.0 requirement ID that consultants can verify independently. The methodology section lists all 7 anti-bias controls used during evaluation. If the consultant disputes a finding, request human review via support.
Issue: Can’t access certification endpoints
Solution: All certification endpoints require admin-only access. Non-admin requests return 403 Forbidden. Verify your role in the user profile or contact your account owner to grant admin privileges.

Data Room - Store your security certificates in the Data Room alongside investor documents and compliance materials. The Data Room can automatically organize security certificates by date and version, making it easy to show security posture over time during due diligence.
Delivery & Client Review - Attach security certificates to system deliveries. When clients receive their implementation, they get the certificate and markdown report automatically. This proves security controls were validated before handover, reducing client security review time.
Audit Log - Every certification run generates audit trail entries showing who requested the certificate, when it ran, and which phases completed. Use this for compliance reporting and forensic analysis if security questions arise post-delivery.