Security Audit Skill
Proactive security assessment covering OWASP Top 10, dependency vulnerabilities, secrets detection, and security best practices.
When to Use
| Trigger | Priority | Description |
|---|---|---|
| Pre-Production | Critical | Before any production deployment |
| Monthly Review | High | Regular security hygiene |
| Auth Changes | Critical | After adding/modifying authentication |
| External Integration | High | When adding third-party services |
| Dependency Updates | Medium | After major dependency changes |
| Security Incident | Critical | Post-incident review |
Audit Scope
Full Audit
Complete security review across all categories. Time: 2-4 hours.
Focused Audit
Target specific area (e.g., authentication only). Time: 30-60 minutes.
Quick Scan
Automated checks only (dependencies, secrets). Time: 5-10 minutes.
Prerequisites
Before starting audit:
- • Access to codebase and dependencies
- • Access to environment configuration (sanitized)
- • List of external services/APIs used
- • Authentication flow documentation (if exists)
- • Previous audit reports (if available)
Audit Process
Phase 1: OWASP Top 10 Review
↓
Phase 2: Dependency Vulnerability Scan
↓
Phase 3: Secrets Detection
↓
Phase 4: Input Validation Audit
↓
Phase 5: Authentication & Authorization
↓
Phase 6: API Security
↓
Phase 7: Report & Remediation
Phase 1: OWASP Top 10 Review
Quick Reference
| ID | Category | Key Check |
|---|---|---|
| A01 | Broken Access Control | Authorization on all endpoints |
| A02 | Cryptographic Failures | TLS, password hashing, encryption |
| A03 | Injection | Parameterized queries, input escaping |
| A04 | Insecure Design | Defense in depth, trust boundaries |
| A05 | Security Misconfiguration | Headers, defaults, error messages |
| A06 | Vulnerable Components | Dependency scanning |
| A07 | Authentication Failures | Password policy, session security |
| A08 | Data Integrity | Checksums, secure CI/CD |
| A09 | Logging Failures | Security event logging |
| A10 | SSRF | URL validation, network restrictions |
For detailed patterns and examples: See references/process.md
Critical Checks
A01 - Broken Access Control:
- [ ] All endpoints have authorization checks - [ ] RBAC implemented - [ ] No direct object reference vulnerabilities - [ ] Privilege escalation prevented
A02 - Cryptographic Failures:
- [ ] Passwords hashed with bcrypt/argon2 (cost 10+) - [ ] TLS 1.2+ enforced - [ ] Sensitive data encrypted at rest - [ ] Cryptographically random tokens
A03 - Injection:
- [ ] SQL queries use parameterized statements - [ ] Template engines auto-escape output - [ ] No shell command execution with user input - [ ] NoSQL queries sanitized
A05 - Security Misconfiguration:
Required Headers: - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - Content-Security-Policy: default-src 'self' - Strict-Transport-Security: max-age=31536000
Phase 2: Dependency Vulnerability Scan
Run Audit Commands
# Node.js npm audit npm audit --audit-level=moderate # Python pip-audit # Or: safety check --json > audit-report.json # Go govulncheck ./... # Rust cargo audit # Ruby bundle audit check
Severity Response
| Severity | Action | Timeline |
|---|---|---|
| Critical | Immediate fix or remove | Hours |
| High | Fix in current sprint | Days |
| Moderate | Schedule fix | Weeks |
| Low | Track for update | Next release |
Phase 3: Secrets Detection
Automated Scanning
# Using gitleaks (recommended) gitleaks detect --source . --verbose # Using git-secrets git secrets --scan git secrets --scan-history # Using truffleHog trufflehog filesystem .
Common Secret Patterns
| Pattern | Example | Risk |
|---|---|---|
| API Keys | sk_live_, AKIA | High |
| Passwords | password=, passwd | Critical |
| Tokens | token=, bearer | High |
| Private Keys | -----BEGIN RSA | Critical |
| AWS Credentials | aws_access_key_id | Critical |
Environment Variables
Checklist: - [ ] All secrets in environment variables (not code) - [ ] .env files in .gitignore - [ ] No .env files in git history - [ ] Secure defaults for all variables
Phase 4: Input Validation Audit
Input Sources by Risk
| Source | Examples | Risk |
|---|---|---|
| File uploads | Images, documents | Critical |
| Request body | JSON, form data | High |
| URL parameters | /users/:id | High |
| Query strings | ?search=term | High |
| Headers | Custom headers | Medium |
| Cookies | Session cookies | Medium |
Validation Checklist
For each input:
- • Schema validation (Zod, Pydantic, etc.)
- • Type checking enforced
- • Length/size limits
- • Format validation (email, URL)
- • Allowlist when possible
- • Sanitized for output context
File Upload Requirements
- [ ] Magic bytes validation (not just extension) - [ ] Size limits enforced - [ ] Virus/malware scanning - [ ] Storage outside web root - [ ] Randomized filenames - [ ] No executable permissions
Phase 5: Authentication & Authorization
Password Security
- [ ] Min length: 12+ characters - [ ] Bcrypt (cost 10+) or argon2 - [ ] No passwords in logs/errors - [ ] Rate limiting on login - [ ] Account lockout policy
Session Security
- [ ] HttpOnly cookie flag - [ ] Secure cookie flag (HTTPS) - [ ] SameSite attribute - [ ] Session timeout - [ ] Invalidation on logout - [ ] Regenerate on privilege change
Authorization
- [ ] Check on every endpoint - [ ] RBAC implemented - [ ] Least privilege - [ ] Deny by default - [ ] Server-side validation
Token Security (JWT/OAuth)
- [ ] Strong algorithm (RS256, ES256) - [ ] Token expiration - [ ] Refresh mechanism - [ ] Revocation capability - [ ] No sensitive data in payload
Phase 6: API Security
Rate Limiting
- [ ] Enabled on all endpoints - [ ] Stricter on auth endpoints - [ ] Per-user and per-IP - [ ] Graduated response
CORS
// Secure configuration
{
origin: ['https://app.example.com'], // Not '*'
credentials: true,
methods: ['GET', 'POST', 'PUT', 'DELETE']
}
Error Handling
- [ ] Generic messages to clients - [ ] Details in logs only - [ ] No stack traces in production - [ ] Consistent format
Phase 7: Report & Remediation
Report Template
# Security Audit Report **Date**: YYYY-MM-DD **Auditor**: [Name] **Scope**: [Full/Focused/Quick] **Duration**: [Hours] ## Executive Summary | Severity | Count | Status | |----------|-------|--------| | Critical | N | [Status] | | High | N | [Status] | | Medium | N | [Status] | | Low | N | [Status] | **Overall Risk**: [Low/Medium/High/Critical] ## Findings ### [Severity]: [Issue Title] **Location**: [File:Line] **Description**: [Brief description] **Impact**: [Potential impact] **Remediation**: [How to fix] **Timeline**: [When to fix] ## Recommendations 1. [Recommendation 1] 2. [Recommendation 2] ## Tools Used - [Tool 1] - [Tool 2]
Priority Matrix
| Finding | Severity | Effort | Priority |
|---|---|---|---|
| SQL Injection | Critical | Low | Immediate |
| Missing Auth | High | Medium | Sprint 1 |
| Weak Hash | High | Low | Sprint 1 |
| Missing Headers | Medium | Low | Sprint 2 |
| Old Dependency | Low | Low | Backlog |
Follow-up
- • Create tickets for findings
- • Schedule remediation
- • Plan re-audit
- • Update documentation
- • Brief team
Quick Scan Commands
# Node.js npm audit && npx gitleaks detect # Python pip-audit && gitleaks detect # Go govulncheck ./... && gitleaks detect # Rust cargo audit && gitleaks detect
Summary Checklist
OWASP Top 10
- • A01: Broken Access Control
- • A02: Cryptographic Failures
- • A03: Injection
- • A04: Insecure Design
- • A05: Security Misconfiguration
- • A06: Vulnerable Components
- • A07: Authentication Failures
- • A08: Data Integrity Failures
- • A09: Logging Failures
- • A10: SSRF
Core Security
- • Dependencies scanned
- • Secrets detection run
- • Input validation checked
- • Auth/authz reviewed
- • API security validated
- • Security headers set
Additional Resources
Extended Content:
- •
references/process.md- Detailed vulnerability patterns, code examples, language-specific guidance
Related Workflows:
- •code-review.md - Includes security checks
- •dependency-update.md - Safe dependency updates
- •troubleshooting.md - Security incident response
Remember: Security is continuous. Integrate automated scanning into CI/CD, conduct regular reviews, and maintain security-first development practices.