---
name: evolv-ot-it-security
description: Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations.
---

# EVOLV OT/IT Security

## Mission
Identify and reduce security risk while preserving operational reliability for process automation workloads.

## Scope
- Node-RED admin endpoints in node entry files
- Input validation across `msg.topic` and payload paths
- Exposure of sensitive config/secrets in code, logs, or UI
- Dependency and supply-chain concerns in node packages

## Security Workflow
1. Enumerate attack surface:
   - HTTP admin routes
   - message ingress topics/payloads
   - external service interfaces
2. Validate input sanitization and type checks.
3. Check least-privilege assumptions and secret handling.
4. Evaluate failure modes for denial-of-service or unsafe operation.
5. Recommend pragmatic controls with minimal operational friction.

## Control Priorities
- Reject malformed or unauthorized control messages.
- Avoid leaking credentials, asset identifiers, or internal topology.
- Keep defaults safe; require explicit opt-in for risky behavior.
- Preserve auditability of critical control actions.

## Validation Expectations
- Add negative tests for malformed inputs and unauthorized paths.
- Confirm error paths are explicit and non-sensitive.
- Document residual risk when controls are deferred.

## Deliverables
Return:
- findings sorted by severity
- concrete remediation plan by file
- tests added for security regressions
- residual risks and compensating controls
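
The sketch below is an added example, not EVOLV's own code. It shows one way to apply "Reject malformed or unauthorized control messages" to `msg.topic` and `msg.payload`, together with the negative cases that "Validation Expectations" asks for. The topic names, value limits and error codes are hypothetical.

```javascript
// Hypothetical allow-list: topic -> payload validator. These names and limits
// are constructed for illustration and are not EVOLV's real topics.
const CONTROL_SCHEMA = Object.freeze({
  setMode: (p) => typeof p === 'string' && ['auto', 'manual', 'off'].includes(p),
  setpoint: (p) => typeof p === 'number' && Number.isFinite(p) && p >= 0 && p <= 100,
});

// Returns { ok: true, topic, payload } or { ok: false, code }.
// The code is fixed text and never echoes the offending input, so the
// error path stays explicit and non-sensitive when it is logged.
function validateControlMsg(msg, schema = CONTROL_SCHEMA) {
  if (msg === null || typeof msg !== 'object') return { ok: false, code: 'E_MSG_TYPE' };
  const { topic, payload } = msg;
  if (typeof topic !== 'string') return { ok: false, code: 'E_TOPIC_TYPE' };
  // Own-property check: inherited keys such as "constructor" are not topics.
  if (!Object.prototype.hasOwnProperty.call(schema, topic)) {
    return { ok: false, code: 'E_TOPIC_UNKNOWN' };
  }
  if (!schema[topic](payload)) return { ok: false, code: 'E_PAYLOAD_INVALID' };
  return { ok: true, topic, payload };
}

// Constructed negative cases to keep in the regression suite.
const NEGATIVE_CASES = [
  [null, 'E_MSG_TYPE'],
  [{ topic: 42, payload: 1 }, 'E_TOPIC_TYPE'],
  [{ topic: 'constructor', payload: 1 }, 'E_TOPIC_UNKNOWN'],
  [{ topic: '__proto__', payload: {} }, 'E_TOPIC_UNKNOWN'],
  [{ topic: 'setpoint', payload: '50' }, 'E_PAYLOAD_INVALID'],
  [{ topic: 'setpoint', payload: NaN }, 'E_PAYLOAD_INVALID'],
  [{ topic: 'setpoint', payload: 1e9 }, 'E_PAYLOAD_INVALID'],
  [{ topic: 'setMode', payload: ['auto'] }, 'E_PAYLOAD_INVALID'],
];

// Counts cases that were accepted or rejected with the wrong code.
function countNegativeFailures() {
  return NEGATIVE_CASES.filter(([msg, code]) => {
    const r = validateControlMsg(msg);
    return r.ok || r.code !== code;
  }).length;
}
```

In a node's input handler, a rejected message would be dropped and reported by its code only; authorization of the sender is a separate check that this sketch does not cover.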