Security Analysis
Comprehensive security assessment framework.
Frameworks Included
STRIDE Threat Modeling
Categorize threats by type:
| Threat | Description | Example |
|---|---|---|
| Spoofing | Impersonating something/someone | Fake login page |
| Tampering | Modifying data/code | SQL injection |
| Repudiation | Denying actions | Missing audit logs |
| Information Disclosure | Exposing data | Error message leaks |
| Denial of Service | Disrupting availability | Resource exhaustion |
| Elevation of Privilege | Gaining unauthorized access | Broken access control |
OWASP Top 10 (2021)
Check for common vulnerabilities:
- •A01: Broken Access Control
- •A02: Cryptographic Failures
- •A03: Injection
- •A04: Insecure Design
- •A05: Security Misconfiguration
- •A06: Vulnerable Components
- •A07: Auth Failures
- •A08: Integrity Failures
- •A09: Logging Failures
- •A10: SSRF
CVSS Scoring
Rate vulnerability severity:
| Score | Severity | Action |
|---|---|---|
| 9.0-10.0 | Critical | Fix immediately |
| 7.0-8.9 | High | Fix within days |
| 4.0-6.9 | Medium | Fix within weeks |
| 0.1-3.9 | Low | Fix when convenient |
Security Review Process
Phase 1: Attack Surface Mapping
Identify all entry points:
- •API endpoints
- •User inputs
- •File uploads
- •External integrations
- •Authentication flows
Phase 2: STRIDE Analysis
For each entry point, check all STRIDE categories.
Phase 3: OWASP Checklist
Verify protection against Top 10.
Phase 4: Risk Scoring
Apply CVSS to findings.
Phase 5: Remediation Plan
Prioritize fixes by severity.
Output Template
markdown
## Security Analysis: [Component/Feature] ### Attack Surface | Entry Point | Type | Trust Level | |-------------|------|-------------| | [endpoint] | API | Untrusted | | [input] | User | Untrusted | ### STRIDE Assessment #### Spoofing - Risk: [description] - Mitigation: [control] - Status: [Mitigated/Open] #### Tampering ... ### OWASP Top 10 Check | Category | Status | Notes | |----------|--------|-------| | A01 Broken Access Control | ✓/✗ | | | A02 Crypto Failures | ✓/✗ | | | A03 Injection | ✓/✗ | | ... ### Vulnerabilities Found | ID | Description | CVSS | Severity | |----|-------------|------|----------| | V1 | [description] | X.X | High | | V2 | [description] | X.X | Medium | ### Remediation Plan 1. **[V1]**: [fix] - Priority: Immediate 2. **[V2]**: [fix] - Priority: This sprint ### Security Posture **Overall Risk: [Low/Medium/High/Critical]**
Quick Security Checklist
For rapid review:
- • Input validation on all user data
- • Output encoding to prevent XSS
- • Parameterized queries (no SQL concatenation)
- • Authentication on sensitive endpoints
- • Authorization checks (not just auth)
- • HTTPS everywhere
- • Secrets not in code
- • Error messages don't leak info
- • Logging without sensitive data
- • Dependencies updated
Secure Coding Patterns
Input Validation
python
# Always validate and sanitize
def process_input(user_input):
if not isinstance(user_input, str):
raise ValueError("Invalid input type")
if len(user_input) > MAX_LENGTH:
raise ValueError("Input too long")
sanitized = escape_html(user_input)
return sanitized
SQL Injection Prevention
python
# NEVER concatenate
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}") # BAD
# ALWAYS parameterize
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,)) # GOOD