Security Review Skill
Defend before attackers find the gaps.
Core Principle
Security is not a feature—it's a property. Review code with adversarial thinking.
OWASP Top 10 Checklist
| # | Vulnerability | What to Check |
|---|---|---|
| 1 | Injection | SQL, NoSQL, LDAP, OS commands—parameterize everything |
| 2 | Broken Auth | Session management, credential storage, MFA |
| 3 | Sensitive Data | Encryption at rest/transit, PII exposure, logging secrets |
| 4 | XXE | XML parsers disabled external entities? |
| 5 | Broken Access | IDOR, privilege escalation, missing authZ checks |
| 6 | Misconfig | Default credentials, error messages, headers |
| 7 | XSS | Input sanitization, output encoding, CSP |
| 8 | Insecure Deserialization | Untrusted data → object creation |
| 9 | Vulnerable Dependencies | npm audit, Dependabot, known CVEs |
| 10 | Logging & Monitoring | Audit trails, alerting, incident detection |
Threat Modeling (STRIDE)
| Threat | Question | Mitigation |
|---|---|---|
| Spoofing | Can attacker impersonate? | Strong authentication |
| Tampering | Can data be modified? | Integrity checks, signatures |
| Repudiation | Can actions be denied? | Audit logging |
| Information Disclosure | Can secrets leak? | Encryption, access control |
| Denial of Service | Can system be overwhelmed? | Rate limiting, quotas |
| Elevation of Privilege | Can attacker gain access? | Least privilege, authZ |
Code Review Security Lens
Authentication
code
□ Passwords hashed with bcrypt/argon2 (not MD5/SHA1) □ No hardcoded credentials □ Session tokens are random, rotated, and expire □ Failed login attempts are rate-limited □ MFA supported where appropriate
Authorization
code
□ Every endpoint has explicit access control □ No security through obscurity (hidden URLs) □ Resource ownership verified before access □ Admin functions require elevated auth □ Deny by default, allow explicitly
Input Validation
code
□ All input validated on server (not just client) □ Allowlist validation preferred over blocklist □ File uploads restricted by type and size □ URL redirects validated against allowlist □ JSON/XML parsing has size limits
Data Protection
code
□ Sensitive data encrypted at rest □ TLS 1.2+ for data in transit □ API keys/secrets in env vars, not code □ PII minimized and retention limited □ Logs don't contain passwords/tokens/PII
Dependencies
code
□ npm audit / pip audit / cargo audit clean □ No deprecated or unmaintained packages □ Dependabot or Renovate enabled □ Lock files committed □ Known CVE check before release
Quick Security Questions
Before shipping, ask:
- •What's the worst thing an attacker could do?
- •What data could leak if this endpoint is exposed?
- •Who should NOT have access to this?
- •What happens if input is malicious?
- •Are we trusting anything we shouldn't?
Common Vulnerabilities by Language
| Language | Watch For |
|---|---|
| JavaScript | Prototype pollution, eval(), innerHTML |
| TypeScript | Type assertions bypassing validation |
| Python | pickle deserialization, format strings |
| SQL | String concatenation in queries |
| Shell | Command injection, unquoted variables |
Security Headers Checklist
code
Content-Security-Policy: default-src 'self' X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 0 (deprecated, use CSP)
Incident Response Connection
When vulnerability found:
- •Assess: What's the blast radius?
- •Contain: Can we disable the feature?
- •Fix: Patch the vulnerability
- •Verify: Confirm fix works
- •Learn: Update review checklist
Synapses
See synapses.json for connections.