AI Skill Report Card
Reviewing Security
```yaml
---
name: reviewing-security
description: Conducts comprehensive security reviews of fullstack applications, identifying vulnerabilities and providing remediation guidance. Use when reviewing code for security issues, preparing for security audits, or implementing security best practices.
---
# Security Review
```
Quick Start 10 / 15
```bash
# Security review checklist - start here
echo "SECURITY REVIEW STARTING"
echo "Target: [application/component name]"
echo "Scope: [frontend/backend/infrastructure/all]"
```
Recommendation
Quick Start section needs immediate actionable value - provide a concrete security review command or tool execution instead of just echo statements
Workflow 15 / 15
Progress:
- Input Validation & Sanitization
- Authentication & Authorization
- Data Protection
- Infrastructure Security
- Dependencies & Supply Chain
- Error Handling & Logging
- Business Logic Vulnerabilities
1. Input Validation & Sanitization
- SQL injection prevention (parameterized queries)
- XSS protection (output encoding, CSP headers)
- File upload restrictions (type, size, location)
- API input validation schemas
- CSRF tokens on state-changing operations
2. Authentication & Authorization
- Password policies and hashing (bcrypt/Argon2)
- JWT implementation (secure storage, expiration)
- Session management (secure flags, timeout)
- Multi-factor authentication
- Role-based access control (RBAC)
- Principle of least privilege
3. Data Protection
- Encryption at rest and in transit (TLS 1.3+)
- Sensitive data handling (PII, secrets)
- Database security (encrypted connections)
- Backup encryption
- Data retention policies
4. Infrastructure Security
- HTTPS enforcement (HSTS headers)
- Security headers (CSP, X-Frame-Options, etc.)
- Environment variable protection
- Container security (non-root users)
- Network segmentation
5. Dependencies & Supply Chain
- Dependency vulnerability scanning
- Package lock files committed
- Automated security updates
- Third-party service security review
Recommendation
Examples could include more attack vectors like LDAP injection, XXE, or deserialization vulnerabilities to show broader security knowledge
Examples 18 / 20
Example 1:
Input: Node.js API with user registration
Output:
```javascript
const express = require('express');
const bcrypt = require('bcrypt');
const { body, validationResult } = require('express-validator');
const db = require('./db'); // assumption: hypothetical module exporting a mysql2/promise pool

const app = express();
app.use(express.json());

// VULNERABLE
app.post('/register', (req, res) => {
  const query = `INSERT INTO users (email, password) VALUES ('${req.body.email}', '${req.body.password}')`;
  // Issues: SQL injection, plain text password, no validation
});

// SECURE
app.post('/register', [
  body('email').isEmail().normalizeEmail(),
  body('password').isLength({ min: 8 }).matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/),
], async (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }
  const hashedPassword = await bcrypt.hash(req.body.password, 12);
  const query = 'INSERT INTO users (email, password_hash) VALUES (?, ?)';
  // Parameterized query, hashed password, validation
  await db.execute(query, [req.body.email, hashedPassword]);
  res.status(201).json({ status: 'registered' });
});
```
Example 2:
Input: React component displaying user data
Output:
```javascript
// VULNERABLE
function UserProfile({ userData }) {
  return <div dangerouslySetInnerHTML={{__html: userData.bio}} />; // XSS vulnerability
}

// SECURE
import DOMPurify from 'dompurify';

function UserProfile({ userData }) {
  const sanitizedBio = DOMPurify.sanitize(userData.bio);
  return <div dangerouslySetInnerHTML={{__html: sanitizedBio}} />; // XSS protection with sanitization
}
```
Recommendation
Add specific security testing tools and commands (e.g., npm audit, OWASP ZAP, Burp Suite) with usage examples
Best Practices
- Threat modeling: Consider STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
- Defense in depth: Multiple security layers
- Fail securely: Default to denying access
- Security by design: Build security in, don't bolt it on
- Regular security testing: SAST, DAST, dependency scans
- Security headers: Use tools like securityheaders.com to verify
- Rate limiting: Implement on APIs and auth endpoints
- Audit logging: Log security events for monitoring
Common Pitfalls
- Client-side validation only - Always validate server-side
- Storing secrets in code - Use environment variables/secret managers
- Using default credentials - Change all defaults immediately
- Insufficient logging - Log security events but not sensitive data
- Ignoring dependency updates - Automated scanning and updates essential
- Weak session management - Secure cookies, proper expiration
- Trusting user input - Validate and sanitize everything
- Missing security headers - Easy wins often overlooked
- Inadequate error handling - Don't leak system information in errors