Security Patterns
Systematic approach to identifying and remediating security vulnerabilities. Use this skill when:
-
Reviewing code for security vulnerabilities
-
Conducting security audits
-
Implementing authentication, authorization, or data handling
-
Assessing third-party dependencies
OWASP Top 10 (2021) Quick Detection
A01: Broken Access Control
Detection patterns:
-
Missing authorization checks on endpoints
-
Direct object references without ownership validation
-
Path traversal: ../ in file paths
-
CORS with Access-Control-Allow-Origin: *
-
JWT without signature verification
Remediation:
-
Implement RBAC/ABAC at controller/service layer
-
Validate ownership on every resource access
-
Use allowlists for file paths
-
Configure CORS with specific origins
A02: Cryptographic Failures
Detection patterns:
-
MD5/SHA1 for passwords
-
Hardcoded encryption keys
-
HTTP for sensitive data
-
Weak random: Math.random() , rand()
-
Missing encryption at rest
Remediation:
-
Use bcrypt/argon2 for passwords (cost ≥12)
-
External key management (KMS, Vault)
-
TLS 1.2+ everywhere
-
Cryptographic RNG only
A03: Injection
Detection patterns:
-
String concatenation in SQL/NoSQL queries
-
Template literals in HTML without escaping
-
eval() , exec() , Function() with user input
-
Shell commands with string interpolation
-
LDAP/XPath queries with user input
Remediation:
-
Parameterized queries always
-
Context-aware output encoding
-
Never eval untrusted input
-
Use ORM/query builders
A04: Insecure Design
Detection patterns:
-
Business logic without rate limiting
-
Missing account lockout
-
No CAPTCHA on authentication
-
Unbounded resource allocation
-
Missing threat model documentation
Remediation:
-
Rate limit all sensitive operations
-
Implement progressive delays
-
Bound all allocations
-
Document trust boundaries
A05: Security Misconfiguration
Detection patterns:
-
Default credentials in config
-
Verbose error messages to users
-
Debug mode in production
-
Unnecessary services enabled
-
Missing security headers
Remediation:
-
Automated hardening scripts
-
Generic error messages externally
-
Disable debug in production
-
Minimize attack surface
A06: Vulnerable Components
Detection patterns:
-
Dependencies with known CVEs
-
Outdated framework versions
-
Abandoned packages (no updates >2 years)
-
Single-maintainer critical deps
Remediation:
-
Automated dependency scanning
-
Regular update schedule
-
Evaluate package health before adoption
-
Pin specific versions with lockfiles
A07: Authentication Failures
Detection patterns:
-
Weak password requirements
-
Missing brute force protection
-
Session tokens in URL
-
No session timeout
-
Plain passwords in logs
Remediation:
-
Strong password policy
-
Account lockout/delays
-
Secure cookie flags
-
Session timeout <30 min idle
-
Never log credentials
A08: Data Integrity Failures
Detection patterns:
-
Deserialization of untrusted data
-
Missing integrity checks on downloads
-
Unsigned software updates
-
CI/CD without verification
Remediation:
-
Avoid native deserialization
-
Verify checksums/signatures
-
Sign all releases
-
Secure CI/CD pipeline
A09: Logging Failures
Detection patterns:
-
No logging on auth events
-
Sensitive data in logs
-
Logs without timestamps
-
No centralized logging
-
Missing alerting
Remediation:
-
Log all security events
-
Sanitize log data
-
Structured logging with timestamps
-
Centralize with retention policy
A10: SSRF
Detection patterns:
-
User-controlled URLs in server requests
-
Internal service access without validation
-
Cloud metadata endpoint accessible
-
URL parsing inconsistencies
Remediation:
-
Allowlist URLs/domains
-
Block internal IP ranges
-
Disable cloud metadata endpoint
-
Use URL parser consistently
Language-Specific Patterns
See detailed references:
-
references/javascript-vulnerabilities.md
-
references/python-vulnerabilities.md
-
references/java-vulnerabilities.md
-
references/go-vulnerabilities.md
Security Headers Checklist
Header Value Purpose
Content-Security-Policy
default-src 'self'
Prevent XSS
X-Content-Type-Options
nosniff
Prevent MIME sniffing
X-Frame-Options
DENY
Prevent clickjacking
Strict-Transport-Security
max-age=31536000; includeSubDomains
Force HTTPS
Referrer-Policy
strict-origin-when-cross-origin
Limit referrer leakage
Permissions-Policy
geolocation=(), camera=()
Disable unused APIs
STRIDE Threat Modeling
Threat Question Controls
Spoofing Can attacker impersonate? Auth, MFA, certificates
Tampering Can data be modified? Integrity checks, MACs
Repudiation Can actions be denied? Audit logs, signing
Information Disclosure Can data leak? Encryption, access control
Denial of Service Can service be disrupted? Rate limits, redundancy
Elevation of Privilege Can user gain access? RBAC, input validation