Challenge
Enterprise security teams need a unified platform to manage compliance assessments, track vulnerabilities, handle incidents, and maintain asset inventories — all with proper multi-tenant isolation for managed service providers. Off-the-shelf GRC tools are expensive, inflexible, and don’t integrate well with cloud-native infrastructure.
Build a production-ready compliance platform with:
- Multi-tenant architecture with Row-Level Security
- Real-time alerts via WebSocket
- Comprehensive REST API for automation
- Multiple compliance framework support
Solution Architecture
Overview
┌─────────────────────────────────────────────────────────────────┐
│ Frontend (React) │
│ Dashboard · Assessments · Incidents · Assets │
└────────────────────────┬────────────────────────────────────────┘
│ HTTPS / WSS
▼
┌─────────────────────────────────────────────────────────────────┐
│ FastAPI Backend │
│ 34+ Endpoints · JWT Auth · RBAC · Multi-tenant Middleware │
└────────────────────────┬────────────────────────────────────────┘
│
┌───────────────┼───────────────┐
▼ ▼ ▼
┌────────────────┐ ┌──────────┐ ┌─────────────────┐
│ PostgreSQL │ │ WebSocket│ │ Audit Logging │
│ + RLS Policies│ │ Manager │ │ (Immutable) │
└────────────────┘ └──────────┘ └─────────────────┘
API Endpoints (34+)
| Domain | Count | Key Operations |
|---|
| Authentication | 6 | Login, register, refresh, password change, MFA |
| Compliance | 7 | Framework list, assessments, reports, gap analysis |
| Threats | 4 | Catalog, risk matrix, statistics, trends |
| Vulnerabilities | 6 | List, scan, remediate, severity trends |
| Assets | 5 | Inventory, topology, tagging, relationships |
| Incidents | 5 | Lifecycle, actions, timeline, metrics |
| WebSocket | 1 | Real-time security alerts |
Compliance Frameworks
| Framework | Controls | Use Case |
|---|
| PCI-DSS 4.0 | 270+ | Payment card processing |
| NIST CSF 2.0 | 6 functions | General cybersecurity |
| ISO 27001:2022 | 93 controls | Information security |
| SOC 2 Type II | 5 trust criteria | Service organization |
Key Features
1. Multi-Tenant Architecture
# Row-Level Security enforced at database level
class TenantMiddleware:
async def __call__(self, request, call_next):
tenant_id = extract_tenant(request)
# All queries automatically filtered by tenant
set_tenant_context(tenant_id)
return await call_next(request)
- Automatic tenant isolation on every query
- No cross-tenant data leakage possible
- Efficient index usage with RLS policies
2. Real-Time Alerts
// WebSocket connection for live security events
const ws = new WebSocket('wss://api.example.com/ws/alerts');
ws.onmessage = (event) => {
const alert = JSON.parse(event.data);
// Severity: critical, high, medium, low
if (alert.severity === 'critical') {
showNotification(alert);
}
};
3. Compliance Assessment Workflow
Assessment Lifecycle:
├── Draft → Configure scope, select controls
├── In Progress → Evidence collection, control testing
├── Review → Findings validation, risk rating
├── Complete → Report generation, remediation tracking
└── Archived → Historical reference
4. Vulnerability Management
# Comprehensive vulnerability tracking
class Vulnerability(Base):
cve_id: str # CVE-2024-XXXXX
severity: SeverityEnum # CRITICAL, HIGH, MEDIUM, LOW
cvss_score: float # 0.0 - 10.0
affected_assets: List[Asset]
remediation_status: RemediationStatus
due_date: datetime
sla_breach: bool # Computed from severity + age
Tech Stack
| Component | Technology | Purpose |
|---|
| API Framework | FastAPI 0.109 | Async REST API |
| ORM | SQLAlchemy (async) | Database abstraction |
| Validation | Pydantic | Request/response schemas |
| Auth | JWT + RBAC | Authentication & authorization |
| Database | PostgreSQL | Primary data store + RLS |
| Real-time | WebSocket | Live alert streaming |
| Testing | pytest + coverage | Quality assurance |
Security Features
OWASP Top 10 Protections
| Threat | Mitigation |
|---|
| Injection | Parameterized queries via SQLAlchemy |
| Broken Auth | JWT with short TTL, refresh tokens |
| Sensitive Data | AES-256 encryption at rest |
| XXE | JSON-only APIs, no XML parsing |
| Broken Access | RLS + RBAC enforcement |
| Security Misconfig | Security headers middleware |
| XSS | Output encoding, CSP headers |
| Insecure Deserialization | Pydantic schema validation |
| Vulnerable Components | Dependabot, SBOM tracking |
| Insufficient Logging | Comprehensive audit trail |
Audit Logging
# Every state-changing operation logged
@audit_log
async def create_finding(finding: FindingCreate):
# Automatically captures:
# - User ID, tenant ID
# - Timestamp, IP address
# - Before/after state
# - Operation type
return await finding_service.create(finding)
Project Structure
src/api/
├── main.py # FastAPI app factory
├── config.py # Environment config
├── middleware/ # Auth, tenant, security
├── routers/ # 34+ endpoint handlers
│ ├── auth.py
│ ├── compliance.py
│ ├── threats.py
│ ├── vulnerabilities.py
│ ├── assets.py
│ └── incidents.py
├── models/ # 15+ SQLAlchemy models
├── services/ # Business logic layer
├── schemas/ # Pydantic validation
└── websocket/ # Real-time alerts
Results & Benefits
Technical Achievements
- Zero SQL injection risk: ORM-only queries with parameterization
- Complete tenant isolation: RLS policies at database level
- Sub-100ms API latency: Async throughout, optimized queries
- 100% type coverage: Pydantic schemas + Python type hints
Business Value
- MSP-Ready: Multi-tenant architecture for managed services
- Automation-First: Every operation accessible via API
- Compliance-Mapped: Built-in framework alignment
- Audit-Ready: Immutable logging for regulators