revive vulnerability tests

[strantalis]

We need to revive the old vulnerability testing that was originally implemented. This time we should be running scans against our http and grpc endpoints looking for any potential holes.

Also with this testing we should run a suite of tests that send

• invalid access tokens
• clients with improper roles to validate out casbin policy is enforcing the proper policy

[cassandrabailey293]

removing from sprint - getting feedback from security team about general approach for ZAP / vuln testing

[jentfoo]

@jade-virtru and myself met to discuss next steps with Zap. Over the next two weeks we will be exploring paths to make Zap fully automated and ensure we have good API coverage. Following that work we will focus on centralizing and reporting these automated results.

In addition we are exploring SAST options. CodeQL has been turned on for our open source projects in opentdf, and we are continuing to explore options for our private code.

TL:DR; stay tuned, we are focusing on expanding our automated security validation