Auditing Security
Overview
Comprehensive security analysis to identify vulnerabilities, assess risk, and provide remediation guidance aligned with industry standards (OWASP Top 10, CVSS scoring).
Inputs:
- •Codebase to audit
- •
docs/system-design.md- Architecture context - •
docs/api-contracts.yaml- API specifications - •
docs/feature-spec/F-##-*.md- Feature implementations
Outputs:
- •Security findings organized by severity (CRITICAL, HIGH, MEDIUM, LOW)
- •CVSS scores and OWASP Top 10 mapping
- •Exploit scenarios and remediation code
- •Risk-prioritized remediation plan
Quick Start
Ask for security audit with context:
- •What to audit? Feature, component, or full application
- •Concerns? Injection, auth bypass, data leaks, access control, API security
- •Sensitive data? PII, credentials, financial data, health info, business secrets
- •Existing security? JWT/sessions, RBAC/ABAC, TLS, input validation, headers, rate limiting
Scope Discovery
Q1: Audit Scope
- •Specific feature or component
- •Entire application (full security audit)
- •Known vulnerability investigation
- •Compliance check (OWASP Top 10, PCI-DSS, GDPR)
- •Code review for security issues
- •Infrastructure and configuration
Q2: Threat Model
- •Data breaches and leaks
- •Authentication bypass
- •Injection attacks (SQL, XSS, command)
- •Access control failures
- •API security
- •Infrastructure vulnerabilities
- •Dependency vulnerabilities
Q3: Sensitivity Level
- •Personal identifiable information (PII)
- •Authentication credentials
- •Financial data (payment info, transactions)
- •Health information (HIPAA)
- •Business secrets or proprietary data
- •User-generated content
Q4: Existing Security (optional)
- •Authentication method (JWT, sessions, OAuth)
- •Authorization model (RBAC, ABAC)
- •Encryption (TLS, at-rest encryption)
- •Input validation and sanitization
- •Security headers (CSP, HSTS, etc.)
- •Rate limiting and throttling
- •Logging and monitoring
Security Review Strategy
Sequential Review (Targeted audits)
When to use: Small codebase, single vulnerability investigation, specific attack vector, <5 files
Review vulnerabilities one area at a time using direct tools:
Injection Vulnerabilities:
- •SQL injection: String concatenation in queries (
db.query("SELECT * FROM users WHERE id = '" + id + "'")) - •XSS:
dangerouslySetInnerHTML, unsanitized HTML (.innerHTML = userInput) - •Command injection: Shell command construction (
exec('rm ' + filename)) - •NoSQL injection, LDAP injection
- •Search for:
db.query(,eval(,exec(,.innerHTML
Authentication/Authorization:
- •Endpoints without auth checks
- •Weak password requirements
- •Missing rate limiting on auth endpoints
- •Session management issues
- •Broken access control, privilege escalation
- •Search for: route handlers, auth middleware, permission checks
Sensitive Data Exposure:
- •Hardcoded secrets: API keys, passwords, tokens
- •Excessive data in API responses
- •Logging sensitive information
- •Unencrypted transmission
- •Insecure storage
- •Search for:
apiKey,password,secret,tokenassignments
Security Misconfiguration:
- •Missing security headers (CSP, HSTS, X-Frame-Options)
- •CORS misconfiguration
- •Verbose error messages exposing internals
- •Default credentials
- •Debug mode in production
- •Search for: server config, error handlers, CORS setup
Dependency Vulnerabilities:
- •Run
npm auditor equivalent - •Check for outdated packages with CVEs
- •Unnecessary dependencies, supply chain risks
Parallel Scanning (Comprehensive audits)
When to use: Entire application, multiple OWASP categories, >1000 lines, multiple attack surfaces
Agent 1: Injection (OWASP A03) SQL, XSS, command, NoSQL, LDAP injection vulnerabilities
Agent 2: Authentication/Authorization (OWASP A01, A07) Missing auth, weak passwords, broken sessions, access control failures, privilege escalation
Agent 3: Data Exposure (OWASP A02) Hardcoded secrets, excessive API responses, logging sensitive data, unencrypted transmission, insecure storage
Agent 4: Configuration (OWASP A05) Missing security headers, CORS misconfiguration, verbose errors, default credentials, unnecessary services
Agent 5: Dependencies (OWASP A06) Vulnerable packages, outdated versions, supply chain risks
Finding Documentation Format
For each vulnerability:
### [SEVERITY] Issue Name **CVSS Score:** X.X | **Category:** OWASP A##:YEAR | **Location:** `src/path/file.js:123` **Vulnerable Code:** [Code snippet] **Exploit Scenario:** [Concrete example of how to abuse this] **Impact:** [What attacker can achieve: data access, auth bypass, system compromise, etc.] **Fix:** [Secure replacement code] **References:** - OWASP: [link] - CWE-##: [link]
Severity Mapping:
- •🔴 CRITICAL (CVSS 9.0-10.0): Fix immediately, authentication bypass, full database access, RCE
- •🔴 HIGH (CVSS 7.0-8.9): Fix within days, data exfiltration, significant privilege escalation
- •🟡 MEDIUM (CVSS 4.0-6.9): Fix within weeks, partial data access, limited auth bypass
- •🟢 LOW (CVSS 0.1-3.9): Fix within months, information disclosure, minor config issues
Security Audit Report
Generate comprehensive report with:
# Security Audit Report: [System Name] ## Executive Summary **Overall Security Posture:** [CRITICAL / POOR / FAIR / GOOD / EXCELLENT] **Vulnerability Summary:** - CRITICAL: [X] (CVSS 9.0-10.0) - HIGH: [Y] (CVSS 7.0-8.9) - MEDIUM: [Z] (CVSS 4.0-6.9) - LOW: [N] (CVSS 0.1-3.9) **Immediate Actions Required:** 1. [Most critical issue] 2. [Second priority] ## OWASP Top 10 Assessment | Category | Status | Findings | Priority | |----------|--------|----------|----------| | A01: Broken Access Control | ✅/⚠️/❌ | [count] | - | | A02: Cryptographic Failures | ✅/⚠️/❌ | [count] | - | | A03: Injection | ✅/⚠️/❌ | [count] | - | | [Continue for all 10] | | | | ## Findings by Severity [CRITICAL vulnerabilities] [HIGH vulnerabilities] [MEDIUM vulnerabilities] [LOW vulnerabilities] ## Remediation Plan ### Immediate (24 hours) [Critical and high-severity fixes] ### Short-term (1 week) [Medium-severity fixes] ### Medium-term (1 month) [Low-severity fixes, hardening] ## Verification Checklist - [ ] Re-run security scans on fixed code - [ ] Verify each vulnerability is closed - [ ] Run `npm audit` on dependencies - [ ] Test fixes don't break functionality - [ ] Add security regression tests
Security Check Reference
Injection:
- •SQL queries use parameterization (prepared statements, ORM)
- •HTML output is sanitized (DOMPurify, escaped)
- •No dynamic command execution (
exec,spawnwith user input) - •No
eval()or similar code execution
Authentication:
- •Password requirements adequate (12+ chars, complexity)
- •All sensitive endpoints have auth checks
- •Session management secure (httpOnly, secure cookies)
- •Rate limiting on auth endpoints (5 attempts/min max)
- •Credentials hashed with bcrypt/argon2, not plaintext
Data Exposure:
- •No hardcoded secrets (use environment variables)
- •API responses don't leak unnecessary data
- •Sensitive data not in logs
- •HTTPS/TLS enforced everywhere
- •Sensitive data encrypted at rest (AES-256)
Configuration:
- •Security headers present (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- •CORS properly configured (not
*, validate origins) - •Error messages don't expose internals
- •No default credentials
- •Debug mode disabled in production
Dependencies:
- •No known vulnerabilities (run
npm audit) - •Packages up to date
- •No unnecessary dependencies
Remediation Workflow
- •Fix each vulnerability following documented code examples
- •Verify immediately - re-run security scans, test functionality
- •Document resolution - mark findings as fixed with verification method
- •Run dependency audit -
npm audit, update packages - •Test regression - ensure fixes don't break features
- •Update docs - document security measures implemented
Examples
Example 1: SQL Injection Finding
### [CRITICAL] SQL Injection in User Login
**CVSS Score:** 9.8 | **Category:** OWASP A03:2021 | **Location:** `src/auth/login.js:45`
**Vulnerable Code:**
const query = `SELECT * FROM users WHERE email = '${email}'`;
const user = await db.query(query);
**Exploit Scenario:**
Attacker sends: email = "admin' OR '1'='1"
→ Returns all users, bypasses authentication, gains admin access
**Impact:**
- Complete authentication bypass
- Full database access
- Data exfiltration and manipulation
**Fix:**
const query = 'SELECT * FROM users WHERE email = ?';
const user = await db.query(query, [email]);
Example 2: Hardcoded Secrets Finding
### [CRITICAL] Hardcoded API Key **CVSS Score:** 9.6 | **Category:** OWASP A02:2021 | **Location:** `src/config.js:12` **Vulnerable Code:** const apiKey = "sk-1234567890abcdef"; **Impact:** - Unauthorized API access - Billing liability - Data access under victim's account **Fix:** const apiKey = process.env.API_KEY; // Store in .env: API_KEY=sk-1234567890abcdef