AgentSkillsCN

application-security

保护应用程序免受常见漏洞侵害。在审查代码安全性、实施安全控制或加固应用程序时使用。涵盖OWASP Top 10。

SKILL.md
--- frontmatter
name: application-security
description: Secure applications against common vulnerabilities. Use when reviewing code for security, implementing security controls, or hardening applications. Covers OWASP Top 10.
allowed-tools: Read, Glob, Grep

Application Security

OWASP Top 10 (2021)

1. Broken Access Control

Risk: Users accessing unauthorized resources.

Prevention:

  • Deny by default
  • Implement RBAC/ABAC
  • Validate permissions server-side
  • Log access failures

2. Cryptographic Failures

Risk: Sensitive data exposure.

Prevention:

  • Encrypt data at rest and in transit
  • Use strong algorithms (AES-256, RSA-2048+)
  • Never store passwords in plaintext
  • Use secure key management

3. Injection

Risk: Malicious input executed as code.

Prevention:

typescript
// BAD - SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
db.query(query, [userId]);

4. Insecure Design

Risk: Missing security controls by design.

Prevention:

  • Threat modeling
  • Security requirements
  • Defense in depth

5. Security Misconfiguration

Risk: Default or weak configuration.

Prevention:

  • Disable unnecessary features
  • Remove default credentials
  • Keep software updated
  • Harden server configuration

6. Vulnerable Components

Risk: Using libraries with known vulnerabilities.

Prevention:

  • Regular dependency audits
  • Keep dependencies updated
  • Monitor CVE databases

7. Authentication Failures

Risk: Weak or broken authentication.

Prevention:

  • Multi-factor authentication
  • Strong password policies
  • Secure session management
  • Rate limiting on login

8. Software & Data Integrity

Risk: Untrusted sources for updates.

Prevention:

  • Verify code signatures
  • Use SRI for CDN resources
  • Secure CI/CD pipeline

9. Logging & Monitoring Failures

Risk: Attacks go undetected.

Prevention:

  • Log security events
  • Monitor for anomalies
  • Alert on suspicious activity

10. Server-Side Request Forgery

Risk: Server makes requests to unintended destinations.

Prevention:

  • Validate URLs
  • Use allowlists
  • Block internal IPs