Security Audit
Decision Tree
code
Security concern → What type?
├─ Reviewing code changes → OWASP checklist below
├─ Handling user input → Where does it go?
│ ├─ Database query → Parameterized queries (see references/injection-patterns.md)
│ ├─ HTML output → Framework escaping (see references/injection-patterns.md)
│ ├─ Shell command → Array arguments (see references/injection-patterns.md)
│ ├─ File path → Resolve + verify within allowed dir
│ └─ URL redirect → Allowlist or relative paths only
├─ Auditing dependencies → Run scanning commands below
└─ Full security audit → All phases below
Phases
code
Phase 1: Scan → Phase 2: Analyze → Phase 3: Report
OWASP Top 10 Checklist
| # | Vulnerability | Check |
|---|---|---|
| A01 | Broken Access Control | Auth on every endpoint, RBAC server-side, no IDOR |
| A02 | Cryptographic Failures | TLS everywhere, no MD5/SHA1 for passwords, secrets in env not code |
| A03 | Injection | Parameterized queries, no string concat for SQL/shell/HTML |
| A04 | Insecure Design | Rate limiting, account lockout, input size limits |
| A05 | Security Misconfiguration | No default creds, errors don't leak internals, CORS restricted |
| A06 | Vulnerable Components | Deps updated, no known CVEs, lockfile committed |
| A07 | Auth Failures | Strong passwords, MFA available, session timeout |
| A08 | Data Integrity | Signed updates, CI/CD secured, no untrusted deserialization |
| A09 | Logging Failures | Auth events logged, no sensitive data in logs |
| A10 | SSRF | URL validation, allowlists for external calls |
Scanning Commands
bash
# Dependency vulnerabilities npm audit # Node pip-audit # Python (pip install pip-audit) # Secret detection gitleaks detect --source . # Static analysis semgrep --config auto . # Multi-language bandit -r . # Python
Input Validation Checklist
| Input | Validate |
|---|---|
| Strings | Max length, allowed characters, trim whitespace |
| Numbers | Min/max range, integer vs float, NaN check |
| Format + domain check (not just regex) | |
| URLs | Protocol allowlist (http/https only), no internal IPs |
| File uploads | Extension allowlist, MIME check, size limit |
| JSON body | Schema validation (zod, joi, pydantic) |
| IDs | Format check (UUID format, positive integer) |
Response Headers
code
Content-Security-Policy: default-src 'self' X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains
Output Format
code
[CRITICAL|HIGH|MEDIUM|LOW] Category - Finding Location: file:line Impact: What an attacker could do Fix: Specific remediation