application-security

1. Broken Access Control

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "application-security" with this command: npx skills add nguyenhuuca/assessment/nguyenhuuca-assessment-application-security

Application Security

OWASP Top 10 (2021)

  1. Broken Access Control

Risk: Users accessing unauthorized resources.

Prevention:

  • Deny by default

  • Implement RBAC/ABAC

  • Validate permissions server-side

  • Log access failures

  1. Cryptographic Failures

Risk: Sensitive data exposure.

Prevention:

  • Encrypt data at rest and in transit

  • Use strong algorithms (AES-256, RSA-2048+)

  • Never store passwords in plaintext

  • Use secure key management

  1. Injection

Risk: Malicious input executed as code.

Prevention:

// ❌ BAD - SQL injection vulnerability @GetMapping("/users/{id}") public User getUser(@PathVariable String id) { String query = "SELECT * FROM users WHERE id = " + id; return jdbcTemplate.queryForObject(query, User.class); }

// ✅ GOOD - Use JPA/Spring Data (parameterized by default) @Repository public interface UserRepository extends JpaRepository<User, Long> { Optional<User> findById(Long id); }

// ✅ GOOD - JPQL with named parameters @Query("SELECT u FROM User u WHERE u.email = :email AND u.status = :status") Optional<User> findByEmailAndStatus( @Param("email") String email, @Param("status") UserStatus status );

// ❌ BAD - Command injection Runtime.getRuntime().exec("ls " + userInput);

// ✅ GOOD - Use ProcessBuilder with separate arguments ProcessBuilder pb = new ProcessBuilder("ls", userInput); Process p = pb.start();

  1. Insecure Design

Risk: Missing security controls by design.

Prevention:

  • Threat modeling

  • Security requirements

  • Defense in depth

  1. Security Misconfiguration

Risk: Default or weak configuration.

Prevention:

  • Disable unnecessary features

  • Remove default credentials

  • Keep software updated

  • Harden server configuration

  1. Vulnerable Components

Risk: Using libraries with known vulnerabilities.

Prevention:

  • Regular dependency audits

  • Keep dependencies updated

  • Monitor CVE databases

  1. Authentication Failures

Risk: Weak or broken authentication.

Prevention:

  • Multi-factor authentication

  • Strong password policies

  • Secure session management

  • Rate limiting on login

  1. Software & Data Integrity

Risk: Untrusted sources for updates.

Prevention:

  • Verify code signatures

  • Use SRI for CDN resources

  • Secure CI/CD pipeline

  1. Logging & Monitoring Failures

Risk: Attacks go undetected.

Prevention:

  • Log security events

  • Monitor for anomalies

  • Alert on suspicious activity

  1. Server-Side Request Forgery

Risk: Server makes requests to unintended destinations.

Prevention:

  • Validate URLs

  • Use allowlists

  • Block internal IPs

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

security-review

No summary provided by upstream source.

Repository SourceNeeds Review
9-nguyenhuuca
Security

threat-modeling

No summary provided by upstream source.

Repository SourceNeeds Review
9-nguyenhuuca
General

agile-methodology

No summary provided by upstream source.

Repository SourceNeeds Review
11-nguyenhuuca
General

execution-roadmaps

No summary provided by upstream source.

Repository SourceNeeds Review
11-nguyenhuuca