Embedded Security Certification System
Overview
When you ship a system to a client, you need proof it’s secure - not just promises. The Embedded Security Certification System runs 59 static analysis checks and adversarial AI evaluation to generate professional security certificates mapped to OWASP ASVS 5.0 and NIST CSF 2.0. Your clients get evidence-based documentation that passes independent review, and you build systems with verifiable security controls from day one.
Step-by-Step Guide
Generate a Security Certificate
- Navigate to the security certification API - Only admins can generate certificates. Authenticate with your admin credentials before proceeding.
- Choose sync or async certification - For quick checks (static analysis only), use the sync endpoint and get results in under 10 seconds. For full certification with adversarial AI evaluation, queue an async job to avoid blocking your session.
- Submit the certification request - Call POST /api/v1/security-certification/certify for async or POST /api/v1/security-certification/certify/sync for synchronous. Include skipAdversarial: true if you only need static analysis.
- Track progress (async only) - Use GET /api/v1/security-certification/status/:jobId to poll job progress. You’ll see a percentage from 0-100 as the system collects evidence, runs AI evaluation, and verifies calibration canaries.
- Download your certificate - Once complete, retrieve both JSON certificate data and a professional markdown report. The report includes an executive summary, grade (A/B/C/D/F), dimension scores across six categories, and OWASP ASVS mappings for every finding.
- Review the security report - The markdown report shows all 59 checks, adversarial AI findings from Red Team, Blue Team, and Auditor personas, and a complete audit trail with timestamps. Share this with clients or security consultants for independent verification.
- Check calibration status - Every certificate runs 10 calibration canaries (known-insecure configs) through the scoring system. If any canary incorrectly passes, the certificate is flagged CALIBRATION_FAILED and requires human review.
Common Questions
Q: What’s the difference between sync and async certification?
Sync returns results in under 60 seconds but only if you skip adversarial AI evaluation. Async queues a background job and takes longer (full pipeline with AI evaluation) but doesn’t block your session. Use sync for quick spot-checks during development, async for final client-facing certificates.
Q: What happens if my system fails certification?
You’ll receive a grade below 60 (F) and a detailed report showing which security controls are missing. Each finding maps to specific OWASP ASVS requirements and includes file paths or config values. Fix the issues and regenerate the certificate - there’s no limit on attempts.
Q: Why does the Red Team prevail in disagreements?
The adversarial AI evaluation uses three personas: Red Team (attacker perspective), Blue Team (defender perspective), and Auditor (resolves conflicts). Red Team prevails in over 50% of disagreements to structurally counteract AI bias toward positive assessments. This prevents sycophancy and rubber-stamping.
Q: Can clients verify the certificate independently?
Yes. Every finding maps to a specific OWASP ASVS 5.0 requirement ID or GDPR article reference. Clients can look up these requirements in the public OWASP ASVS standard and verify that your system meets them. The methodology section lists all seven anti-bias controls used during evaluation.
Q: What are calibration canaries and why do they matter?
Calibration canaries are 10 known-insecure configurations (like sameSite: 'none' cookies or wildcard CORS) that must always fail. If any canary incorrectly passes, it means the scoring system has drifted and the certificate can’t be trusted. This guards against scoring decay over time.
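The canary check described above, sketched as an added example (not the product's own code). The check functions, config shape, canary ids and the CALIBRATED status name are assumptions; only CALIBRATION_FAILED and the two insecure settings come from this page.

```javascript
// Added example. Check names, config shape and canary ids are assumptions.
// Each check inspects one config value and returns { pass, evidence }.
const checks = {
  cookieSameSite(cfg) {
    const v = cfg.cookie?.sameSite;
    return { pass: v === 'strict' || v === 'lax', evidence: `cookie.sameSite=${v}` };
  },
  corsOrigin(cfg) {
    const origins = [].concat(cfg.cors?.origin ?? []);
    const ok = origins.length > 0 && !origins.includes('*');
    return { pass: ok, evidence: `cors.origin=${origins.join(',')}` };
  },
};

// Constructed canaries: known-insecure configs that must always fail.
const CANARIES = [
  { id: 'canary-samesite-none', check: 'cookieSameSite', config: { cookie: { sameSite: 'none' } } },
  { id: 'canary-cors-wildcard', check: 'corsOrigin', config: { cors: { origin: '*' } } },
];

// Run every canary through the check set. Anything other than a clean
// rejection (a pass, a missing check, a thrown error) counts as a leak.
function verifyCalibration(checkSet, canaries = CANARIES) {
  const leaked = [];
  for (const canary of canaries) {
    let rejected = false;
    try {
      const result = checkSet[canary.check](canary.config);
      rejected = result.pass === false;
    } catch {
      rejected = false; // fail closed: an erroring check did not reject the canary
    }
    if (!rejected) leaked.push(canary.id);
  }
  return { status: leaked.length === 0 ? 'CALIBRATED' : 'CALIBRATION_FAILED', leaked };
}

// Simulated drift: a loosened check that accepts any sameSite value that is set.
const driftedChecks = {
  ...checks,
  cookieSameSite: (cfg) => ({ pass: Boolean(cfg.cookie && cfg.cookie.sameSite), evidence: null }),
};

console.log(verifyCalibration(checks));        // all canaries rejected
console.log(verifyCalibration(driftedChecks)); // sameSite canary leaks through
```

Treating a missing or throwing check as a leak keeps the gate fail-closed: a canary only counts as handled when a check explicitly rejects it.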
Troubleshooting
Issue: Non-admin user receives 403 Forbidden
All certification endpoints require admin access. Verify you’re authenticated as an admin using GET /api/v1/auth/me. If you need certification access, request admin privileges from your platform administrator.
Issue: Async job stuck at same percentage
Check the job status with GET /api/v1/security-certification/status/:jobId. If it shows a failure reason, the job hit an error during evidence collection or AI evaluation. Review the failure message and retry. Jobs automatically track attempt counts.
Issue: Certificate marked CALIBRATION_FAILED
One or more calibration canaries incorrectly passed, indicating scoring drift. Do not share this certificate with clients. Escalate to platform engineering to investigate why known-insecure configurations passed scoring. The certificate will require human review and recalibration before release.
Issue: Adversarial AI evaluation produces conflicting findings
This is expected. The Red Team, Blue Team, and Auditor personas are designed to disagree. The certificate includes a summary of disagreements with the Auditor’s final resolution. If findings seem incorrect, review the evidence-or-zero rule - checks without specific evidence (file paths, config values, headers) automatically score 0 points.