zhongwei/gh-jeanluciano-quaestor-src-quaestor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f172746dc6e0e06add40bb895173865c4caf6fbd
gh-jeanluciano-quaestor-src…/skills/security-auditing/SKILL.md
Zhongwei Li f172746dc6 Initial commit
2025-11-29 18:50:24 +08:00

183 lines
5.0 KiB
Markdown
Raw Blame History

---
name: Security Auditing
description: Audit security with vulnerability scanning, input validation checks, and auth/authz review against OWASP Top 10. Use when implementing authentication, reviewing security-sensitive code, or conducting security audits.
---
# Security Auditing
## Purpose
Provides security best practices, patterns, and checklists for ensuring secure code implementation.
## When to Use
- Implementing authentication or authorization systems
- Reviewing code for security vulnerabilities
- Validating input/output handling
- Designing secure APIs
- Conducting security audits
- Analyzing data protection requirements
## Security Checklist
### Input Validation
- ✅ Sanitize all external inputs
- ✅ Validate data types and formats
- ✅ Implement whitelist validation where possible
- ✅ Prevent SQL injection via parameterized queries
- ✅ Guard against XSS attacks
- ✅ Validate file uploads (type, size, content)
### Authentication & Authorization
- ✅ Use strong password hashing (bcrypt, Argon2)
- ✅ Implement proper session management
- ✅ Use secure token generation (JWT with proper signing)
- ✅ Implement token expiration and refresh strategies
- ✅ Apply role-based access control (RBAC)
- ✅ Verify permissions at every access point
- ✅ Use multi-factor authentication for sensitive operations
### Data Protection
- ✅ Encrypt sensitive data at rest
- ✅ Use TLS/HTTPS for data in transit
- ✅ Implement proper key management
- ✅ Avoid storing sensitive data in logs
- ✅ Implement data retention policies
- ✅ Comply with GDPR/HIPAA requirements if applicable
### API Security
- ✅ Implement rate limiting
- ✅ Use API keys or OAuth for authentication
- ✅ Validate and sanitize all API inputs
- ✅ Implement proper CORS policies
- ✅ Use security headers (CSP, HSTS, X-Frame-Options)
- ✅ Version APIs to manage breaking changes safely
### Audit Logging
- ✅ Log all authentication attempts
- ✅ Log authorization failures
- ✅ Track sensitive data access
- ✅ Log configuration changes
- ✅ Implement secure log storage
- ✅ Monitor logs for suspicious activity
## Common Vulnerabilities
### OWASP Top 10
1. **Injection**: Use parameterized queries, input validation
2. **Broken Authentication**: Implement secure session management
3. **Sensitive Data Exposure**: Encrypt data, use HTTPS
4. **XML External Entities (XXE)**: Disable XML external entity processing
5. **Broken Access Control**: Verify permissions at every endpoint
6. **Security Misconfiguration**: Follow security hardening guides
7. **Cross-Site Scripting (XSS)**: Sanitize output, use CSP headers
8. **Insecure Deserialization**: Validate serialized data
9. **Using Components with Known Vulnerabilities**: Keep dependencies updated
10. **Insufficient Logging & Monitoring**: Implement comprehensive logging
## Security Patterns
### Secure Configuration
```yaml
security_config:
session:
secure: true
httpOnly: true
sameSite: "strict"
maxAge: 3600
passwords:
minLength: 12
requireSpecialChars: true
hashAlgorithm: "argon2"
api:
rateLimit: 100/minute
corsOrigins: ["https://trusted-domain.com"]
requireApiKey: true
```
### Authentication Flow
```
1. User submits credentials
2. Validate input format
3. Check against secure hash in database
4. Generate secure session token (JWT)
5. Set secure, httpOnly cookie
6. Return success with minimal user info
7. Log authentication event
```
### Authorization Pattern
```
1. Receive request with token
2. Validate token signature and expiration
3. Extract user roles/permissions
4. Check if user has required permission
5. Execute action if authorized
6. Log authorization decision
7. Return 403 if unauthorized
```
## Security Commands
### Dependency Scanning
```bash
# Python
pip-audit
# Node.js
npm audit
npm audit fix
# General
snyk test
```
### Static Analysis
```bash
# Python
bandit -r src/
# Node.js
npm run lint:security
```
### Secrets Detection
```bash
# Detect secrets in code
trufflehog filesystem .
git-secrets --scan
# Scan for API keys
detect-secrets scan
```
## Best Practices
### Code Review Security Checklist
- [ ] All inputs validated and sanitized
- [ ] Outputs properly encoded
- [ ] Authentication required for sensitive operations
- [ ] Authorization checked at every access point
- [ ] Sensitive data encrypted
- [ ] Error messages don't leak information
- [ ] Dependencies up to date
- [ ] Security headers implemented
- [ ] Rate limiting in place
- [ ] Audit logging configured
### Secure Development Workflow
1. **Design Phase**: Threat modeling, security requirements
2. **Development**: Follow secure coding guidelines
3. **Testing**: Security unit tests, penetration testing
4. **Review**: Security-focused code review
5. **Deployment**: Security configuration review
6. **Monitoring**: Active security monitoring and alerts
## Additional Resources
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CWE Top 25: https://cwe.mitre.org/top25/
- Security Headers: https://securityheaders.com/
---
*Use this skill when implementing security features or conducting security reviews*
Reference in New Issue View Git Blame Copy Permalink