Initial commit

2025-11-29 18:50:24 +08:00
commit f172746dc6
52 changed files with 17406 additions and 0 deletions
--- a/skills/security-auditing/SKILL.md
+++ b/skills/security-auditing/SKILL.md
@@ -0,0 +1,182 @@
+---
+name: Security Auditing
+description: Audit security with vulnerability scanning, input validation checks, and auth/authz review against OWASP Top 10. Use when implementing authentication, reviewing security-sensitive code, or conducting security audits.
+---
+
+# Security Auditing
+
+## Purpose
+Provides security best practices, patterns, and checklists for ensuring secure code implementation.
+
+## When to Use
+- Implementing authentication or authorization systems
+- Reviewing code for security vulnerabilities
+- Validating input/output handling
+- Designing secure APIs
+- Conducting security audits
+- Analyzing data protection requirements
+
+## Security Checklist
+
+### Input Validation
+- ✅ Sanitize all external inputs
+- ✅ Validate data types and formats
+- ✅ Implement whitelist validation where possible
+- ✅ Prevent SQL injection via parameterized queries
+- ✅ Guard against XSS attacks
+- ✅ Validate file uploads (type, size, content)
+
+### Authentication & Authorization
+- ✅ Use strong password hashing (bcrypt, Argon2)
+- ✅ Implement proper session management
+- ✅ Use secure token generation (JWT with proper signing)
+- ✅ Implement token expiration and refresh strategies
+- ✅ Apply role-based access control (RBAC)
+- ✅ Verify permissions at every access point
+- ✅ Use multi-factor authentication for sensitive operations
+
+### Data Protection
+- ✅ Encrypt sensitive data at rest
+- ✅ Use TLS/HTTPS for data in transit
+- ✅ Implement proper key management
+- ✅ Avoid storing sensitive data in logs
+- ✅ Implement data retention policies
+- ✅ Comply with GDPR/HIPAA requirements if applicable
+
+### API Security
+- ✅ Implement rate limiting
+- ✅ Use API keys or OAuth for authentication
+- ✅ Validate and sanitize all API inputs
+- ✅ Implement proper CORS policies
+- ✅ Use security headers (CSP, HSTS, X-Frame-Options)
+- ✅ Version APIs to manage breaking changes safely
+
+### Audit Logging
+- ✅ Log all authentication attempts
+- ✅ Log authorization failures
+- ✅ Track sensitive data access
+- ✅ Log configuration changes
+- ✅ Implement secure log storage
+- ✅ Monitor logs for suspicious activity
+
+## Common Vulnerabilities
+
+### OWASP Top 10
+1. **Injection**: Use parameterized queries, input validation
+2. **Broken Authentication**: Implement secure session management
+3. **Sensitive Data Exposure**: Encrypt data, use HTTPS
+4. **XML External Entities (XXE)**: Disable XML external entity processing
+5. **Broken Access Control**: Verify permissions at every endpoint
+6. **Security Misconfiguration**: Follow security hardening guides
+7. **Cross-Site Scripting (XSS)**: Sanitize output, use CSP headers
+8. **Insecure Deserialization**: Validate serialized data
+9. **Using Components with Known Vulnerabilities**: Keep dependencies updated
+10. **Insufficient Logging & Monitoring**: Implement comprehensive logging
+
+## Security Patterns
+
+### Secure Configuration
+```yaml
+security_config:
+  session:
+    secure: true
+    httpOnly: true
+    sameSite: "strict"
+    maxAge: 3600
+
+  passwords:
+    minLength: 12
+    requireSpecialChars: true
+    hashAlgorithm: "argon2"
+
+  api:
+    rateLimit: 100/minute
+    corsOrigins: ["https://trusted-domain.com"]
+    requireApiKey: true
+```
+
+### Authentication Flow
+```
+1. User submits credentials
+2. Validate input format
+3. Check against secure hash in database
+4. Generate secure session token (JWT)
+5. Set secure, httpOnly cookie
+6. Return success with minimal user info
+7. Log authentication event
+```
+
+### Authorization Pattern
+```
+1. Receive request with token
+2. Validate token signature and expiration
+3. Extract user roles/permissions
+4. Check if user has required permission
+5. Execute action if authorized
+6. Log authorization decision
+7. Return 403 if unauthorized
+```
+
+## Security Commands
+
+### Dependency Scanning
+```bash
+# Python
+pip-audit
+
+# Node.js
+npm audit
+npm audit fix
+
+# General
+snyk test
+```
+
+### Static Analysis
+```bash
+# Python
+bandit -r src/
+
+# Node.js
+npm run lint:security
+```
+
+### Secrets Detection
+```bash
+# Detect secrets in code
+trufflehog filesystem .
+git-secrets --scan
+
+# Scan for API keys
+detect-secrets scan
+```
+
+## Best Practices
+
+### Code Review Security Checklist
+- [ ] All inputs validated and sanitized
+- [ ] Outputs properly encoded
+- [ ] Authentication required for sensitive operations
+- [ ] Authorization checked at every access point
+- [ ] Sensitive data encrypted
+- [ ] Error messages don't leak information
+- [ ] Dependencies up to date
+- [ ] Security headers implemented
+- [ ] Rate limiting in place
+- [ ] Audit logging configured
+
+### Secure Development Workflow
+1. **Design Phase**: Threat modeling, security requirements
+2. **Development**: Follow secure coding guidelines
+3. **Testing**: Security unit tests, penetration testing
+4. **Review**: Security-focused code review
+5. **Deployment**: Security configuration review
+6. **Monitoring**: Active security monitoring and alerts
+
+## Additional Resources
+- OWASP Top 10: https://owasp.org/www-project-top-ten/
+- CWE Top 25: https://cwe.mitre.org/top25/
+- Security Headers: https://securityheaders.com/
+
+---
+*Use this skill when implementing security features or conducting security reviews*