Security
Purpose: Language-agnostic security practices to protect against common vulnerabilities.
Focus: Input validation, injection prevention, authentication, secrets management.
Note: For language-specific implementations, see C# Development or Python Development.
When to Use This Skill
- •Hardening applications against OWASP Top 10
- •Implementing authentication and authorization
- •Managing secrets and credentials securely
- •Configuring HTTPS/TLS
- •Conducting security audits
Prerequisites
- •OWASP Top 10 awareness
- •Understanding of HTTP security headers
Decision Tree
code
Security concern?
├─ User input? → VALIDATE + SANITIZE (see Input Validation)
│ ├─ Goes into SQL? → Parameterized queries ONLY
│ ├─ Goes into HTML? → Encode output (XSS prevention)
│ └─ Goes into shell? → Avoid; use SDK/API instead
├─ Authentication?
│ ├─ New system? → Use established provider (OAuth2/OIDC)
│ └─ Existing? → Verify token validation, session management
├─ Secrets/credentials?
│ ├─ In code? → REMOVE → use env vars or vault
│ └─ In config? → Move to secrets manager
│ └─ Run: scripts/scan-secrets.ps1 to verify
├─ Dependencies?
│ └─ Run: scripts/scan-security.ps1 → update vulnerable packages
└─ Deployment?
└─ HTTPS only, security headers, CORS configured
OWASP Top 10 (2025)
- •Broken Access Control - Authorization failures, privilege escalation
- •Cryptographic Failures - Weak encryption, exposed secrets
- •Injection - SQL, NoSQL, command, LDAP injection
- •Insecure Design - Missing security controls in architecture
- •Security Misconfiguration - Default configs, unnecessary features enabled
- •Vulnerable Components - Outdated dependencies with known CVEs
- •Authentication Failures - Weak passwords, broken session management
- •Software/Data Integrity - Unsigned updates, insecure CI/CD
- •Logging/Monitoring Failures - Missing audit logs, delayed detection
- •Server-Side Request Forgery (SSRF) - Unvalidated URLs, internal network access
Security Checklist
Before Production:
- • All user input validated and sanitized
- • SQL queries use parameterized statements
- • Passwords hashed with bcrypt/Argon2
- • Secrets in environment variables or vault
- • HTTPS enforced with HSTS
- • Security headers configured
- • Authentication and authorization implemented
- • Rate limiting on authentication endpoints
- • CORS configured restrictively
- • Dependencies scanned for vulnerabilities
- • Sensitive data encrypted at rest
- • Security audit logs enabled
- • Error messages don't leak sensitive info
- • File uploads validated and scanned
- • API endpoints have input size limits
Resources
Security Standards:
Tools:
- •Dependency Scanning: Snyk, Dependabot, OWASP Dependency-Check
- •SAST: SonarQube, CodeQL, Semgrep
- •DAST: OWASP ZAP, Burp Suite
- •Secrets Scanning: GitGuardian, TruffleHog, git-secrets
See Also: Skills.md • AGENTS.md
Last Updated: January 27, 2026
Scripts
| Script | Purpose | Usage |
|---|---|---|
scan-secrets.ps1 | Scan repo for hardcoded secrets, API keys, credentials | ./scripts/scan-secrets.ps1 [-Path ./src] |
scan-secrets.sh | Cross-platform secrets scanner (bash) | ./scripts/scan-secrets.sh --path ./src |
scan-security.ps1 | Scan dependencies for known vulnerabilities | ./scripts/scan-security.ps1 [-FailOn critical] |
Troubleshooting
| Issue | Solution |
|---|---|
| SQL injection detected | Use parameterized queries, never concatenate user input into SQL |
| JWT token expired errors | Implement token refresh flow, check clock skew between services |
| Secrets exposed in logs | Use structured logging with secret redaction, never log request bodies with credentials |