Security Auditing

Purpose

Provides security best practices, patterns, and checklists for ensuring secure code implementation.

When to Use

• Implementing authentication or authorization systems
• Reviewing code for security vulnerabilities
• Validating input/output handling
• Designing secure APIs
• Conducting security audits
• Analyzing data protection requirements

Security Checklist

Input Validation

• ✅ Sanitize all external inputs
• ✅ Validate data types and formats
• ✅ Implement whitelist validation where possible
• ✅ Prevent SQL injection via parameterized queries
• ✅ Guard against XSS attacks
• ✅ Validate file uploads (type, size, content)

Authentication & Authorization

• ✅ Use strong password hashing (bcrypt, Argon2)
• ✅ Implement proper session management
• ✅ Use secure token generation (JWT with proper signing)
• ✅ Implement token expiration and refresh strategies
• ✅ Apply role-based access control (RBAC)
• ✅ Verify permissions at every access point
• ✅ Use multi-factor authentication for sensitive operations

Data Protection

• ✅ Encrypt sensitive data at rest
• ✅ Use TLS/HTTPS for data in transit
• ✅ Implement proper key management
• ✅ Avoid storing sensitive data in logs
• ✅ Implement data retention policies
• ✅ Comply with GDPR/HIPAA requirements if applicable

API Security

• ✅ Implement rate limiting
• ✅ Use API keys or OAuth for authentication
• ✅ Validate and sanitize all API inputs
• ✅ Implement proper CORS policies
• ✅ Use security headers (CSP, HSTS, X-Frame-Options)
• ✅ Version APIs to manage breaking changes safely

Audit Logging

• ✅ Log all authentication attempts
• ✅ Log authorization failures
• ✅ Track sensitive data access
• ✅ Log configuration changes
• ✅ Implement secure log storage
• ✅ Monitor logs for suspicious activity

Common Vulnerabilities

OWASP Top 10

1. Injection: Use parameterized queries, input validation
2. Broken Authentication: Implement secure session management
3. Sensitive Data Exposure: Encrypt data, use HTTPS
4. XML External Entities (XXE): Disable XML external entity processing
5. Broken Access Control: Verify permissions at every endpoint
6. Security Misconfiguration: Follow security hardening guides
7. Cross-Site Scripting (XSS): Sanitize output, use CSP headers
8. Insecure Deserialization: Validate serialized data
9. Using Components with Known Vulnerabilities: Keep dependencies updated
10. Insufficient Logging & Monitoring: Implement comprehensive logging

Security Patterns

Secure Configuration

security_config:
  session:
    secure: true
    httpOnly: true
    sameSite: "strict"
    maxAge: 3600

  passwords:
    minLength: 12
    requireSpecialChars: true
    hashAlgorithm: "argon2"

  api:
    rateLimit: 100/minute
    corsOrigins: ["https://trusted-domain.com"]
    requireApiKey: true

Authentication Flow

1. User submits credentials
2. Validate input format
3. Check against secure hash in database
4. Generate secure session token (JWT)
5. Set secure, httpOnly cookie
6. Return success with minimal user info
7. Log authentication event

Authorization Pattern

1. Receive request with token
2. Validate token signature and expiration
3. Extract user roles/permissions
4. Check if user has required permission
5. Execute action if authorized
6. Log authorization decision
7. Return 403 if unauthorized

Security Commands

Dependency Scanning

# Python
pip-audit

# Node.js
npm audit
npm audit fix

# General
snyk test

Static Analysis

# Python
bandit -r src/

# Node.js
npm run lint:security

Secrets Detection

# Detect secrets in code
trufflehog filesystem .
git-secrets --scan

# Scan for API keys
detect-secrets scan

Best Practices

Code Review Security Checklist

• All inputs validated and sanitized
• Outputs properly encoded
• Authentication required for sensitive operations
• Authorization checked at every access point
• Sensitive data encrypted
• Error messages don't leak information
• Dependencies up to date
• Security headers implemented
• Rate limiting in place
• Audit logging configured

Secure Development Workflow

1. Design Phase: Threat modeling, security requirements
2. Development: Follow secure coding guidelines
3. Testing: Security unit tests, penetration testing
4. Review: Security-focused code review
5. Deployment: Security configuration review
6. Monitoring: Active security monitoring and alerts

Additional Resources

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• CWE Top 25: https://cwe.mitre.org/top25/
• Security Headers: https://securityheaders.com/

---

Use this skill when implementing security features or conducting security reviews