Security Auditing
Purpose
Provides security best practices, patterns, and checklists for ensuring secure code implementation.
When to Use
- Implementing authentication or authorization systems
- Reviewing code for security vulnerabilities
- Validating input/output handling
- Designing secure APIs
- Conducting security audits
- Analyzing data protection requirements
Security Checklist
Input Validation
- ✅ Sanitize all external inputs
- ✅ Validate data types and formats
- ✅ Implement whitelist validation where possible
- ✅ Prevent SQL injection via parameterized queries
- ✅ Guard against XSS attacks
- ✅ Validate file uploads (type, size, content)
Authentication & Authorization
- ✅ Use strong password hashing (bcrypt, Argon2)
- ✅ Implement proper session management
- ✅ Use secure token generation (JWT with proper signing)
- ✅ Implement token expiration and refresh strategies
- ✅ Apply role-based access control (RBAC)
- ✅ Verify permissions at every access point
- ✅ Use multi-factor authentication for sensitive operations
Data Protection
- ✅ Encrypt sensitive data at rest
- ✅ Use TLS/HTTPS for data in transit
- ✅ Implement proper key management
- ✅ Avoid storing sensitive data in logs
- ✅ Implement data retention policies
- ✅ Comply with GDPR/HIPAA requirements if applicable
API Security
- ✅ Implement rate limiting
- ✅ Use API keys or OAuth for authentication
- ✅ Validate and sanitize all API inputs
- ✅ Implement proper CORS policies
- ✅ Use security headers (CSP, HSTS, X-Frame-Options)
- ✅ Version APIs to manage breaking changes safely
Audit Logging
- ✅ Log all authentication attempts
- ✅ Log authorization failures
- ✅ Track sensitive data access
- ✅ Log configuration changes
- ✅ Implement secure log storage
- ✅ Monitor logs for suspicious activity
Common Vulnerabilities
OWASP Top 10
- Injection: Use parameterized queries, input validation
- Broken Authentication: Implement secure session management
- Sensitive Data Exposure: Encrypt data, use HTTPS
- XML External Entities (XXE): Disable XML external entity processing
- Broken Access Control: Verify permissions at every endpoint
- Security Misconfiguration: Follow security hardening guides
- Cross-Site Scripting (XSS): Sanitize output, use CSP headers
- Insecure Deserialization: Validate serialized data
- Using Components with Known Vulnerabilities: Keep dependencies updated
- Insufficient Logging & Monitoring: Implement comprehensive logging
Security Patterns
Secure Configuration
security_config:
session:
secure: true
httpOnly: true
sameSite: "strict"
maxAge: 3600
passwords:
minLength: 12
requireSpecialChars: true
hashAlgorithm: "argon2"
api:
rateLimit: 100/minute
corsOrigins: ["https://trusted-domain.com"]
requireApiKey: true
Authentication Flow
1. User submits credentials
2. Validate input format
3. Check against secure hash in database
4. Generate secure session token (JWT)
5. Set secure, httpOnly cookie
6. Return success with minimal user info
7. Log authentication event
Authorization Pattern
1. Receive request with token
2. Validate token signature and expiration
3. Extract user roles/permissions
4. Check if user has required permission
5. Execute action if authorized
6. Log authorization decision
7. Return 403 if unauthorized
Security Commands
Dependency Scanning
# Python
pip-audit
# Node.js
npm audit
npm audit fix
# General
snyk test
Static Analysis
# Python
bandit -r src/
# Node.js
npm run lint:security
Secrets Detection
# Detect secrets in code
trufflehog filesystem .
git-secrets --scan
# Scan for API keys
detect-secrets scan
Best Practices
Code Review Security Checklist
Secure Development Workflow
- Design Phase: Threat modeling, security requirements
- Development: Follow secure coding guidelines
- Testing: Security unit tests, penetration testing
- Review: Security-focused code review
- Deployment: Security configuration review
- Monitoring: Active security monitoring and alerts
Additional Resources
Use this skill when implementing security features or conducting security reviews
