Why Use This This skill provides specialized capabilities for groupzer0's codebase.
Use Cases Developing new features in the groupzer0 repository Refactoring existing code to follow groupzer0 standards Understanding and working with groupzer0's codebase structure
Install Guide 2 steps 1 2 Install inside Ananke
Click Install Skill, paste the link below, then press Install.
https://github.com/groupzer0/vs-code-agents/tree/main/vs-code-agents/skills/security-patterns Skill Snapshot Auto scan of skill assets. Informational only.
Valid SKILL.md Checks against SKILL.md specification
Source & Community
Updated At Jan 18, 2026, 01:41 PM
Skill Stats
SKILL.md 193 Lines
Total Files 1
Total Size 0 B
License MIT
---
name: security-patterns
description: Security vulnerability detection patterns including OWASP Top 10, language-specific vulnerabilities, and remediation guidance. Load when reviewing code for security issues, conducting audits, or implementing authentication/authorization.
license: MIT
metadata:
author: groupzer0
version: "1.0"
---
# Security Patterns
Systematic approach to identifying and remediating security vulnerabilities. Use this skill when:
- Reviewing code for security vulnerabilities
- Conducting security audits
- Implementing authentication, authorization, or data handling
- Assessing third-party dependencies
## OWASP Top 10 (2021) Quick Detection
### A01: Broken Access Control
**Detection patterns:**
- Missing authorization checks on endpoints
- Direct object references without ownership validation
- Path traversal: `../` in file paths
- CORS with `Access-Control-Allow-Origin: *`
- JWT without signature verification
**Remediation:**
- Implement RBAC/ABAC at controller/service layer
- Validate ownership on every resource access
- Use allowlists for file paths
- Configure CORS with specific origins
### A02: Cryptographic Failures
**Detection patterns:**
- MD5/SHA1 for passwords
- Hardcoded encryption keys
- HTTP for sensitive data
- Weak random: `Math.random()`, `rand()`
- Missing encryption at rest
**Remediation:**
- Use bcrypt/argon2 for passwords (cost ≥12)
- External key management (KMS, Vault)
- TLS 1.2+ everywhere
- Cryptographic RNG only
### A03: Injection
**Detection patterns:**
- String concatenation in SQL/NoSQL queries
- Template literals in HTML without escaping
- `eval()`, `exec()`, `Function()` with user input
- Shell commands with string interpolation
- LDAP/XPath queries with user input
**Remediation:**
- Parameterized queries always
- Context-aware output encoding
- Never eval untrusted input
- Use ORM/query builders
### A04: Insecure Design
**Detection patterns:**
- Business logic without rate limiting
- Missing account lockout
- No CAPTCHA on authentication
- Unbounded resource allocation
- Missing threat model documentation
**Remediation:**
- Rate limit all sensitive operations
- Implement progressive delays
- Bound all allocations
- Document trust boundaries
### A05: Security Misconfiguration
**Detection patterns:**
- Default credentials in config
- Verbose error messages to users
- Debug mode in production
- Unnecessary services enabled
- Missing security headers
**Remediation:**
- Automated hardening scripts
- Generic error messages externally
- Disable debug in production
- Minimize attack surface
### A06: Vulnerable Components
**Detection patterns:**
- Dependencies with known CVEs
- Outdated framework versions
- Abandoned packages (no updates >2 years)
- Single-maintainer critical deps
**Remediation:**
- Automated dependency scanning
- Regular update schedule
- Evaluate package health before adoption
- Pin specific versions with lockfiles
### A07: Authentication Failures
**Detection patterns:**
- Weak password requirements
- Missing brute force protection
- Session tokens in URL
- No session timeout
- Plain passwords in logs
**Remediation:**
- Strong password policy
- Account lockout/delays
- Secure cookie flags
- Session timeout <30 min idle
- Never log credentials
### A08: Data Integrity Failures
**Detection patterns:**
- Deserialization of untrusted data
- Missing integrity checks on downloads
- Unsigned software updates
- CI/CD without verification
**Remediation:**
- Avoid native deserialization
- Verify checksums/signatures
- Sign all releases
- Secure CI/CD pipeline
### A09: Logging Failures
**Detection patterns:**
- No logging on auth events
- Sensitive data in logs
- Logs without timestamps
- No centralized logging
- Missing alerting
**Remediation:**
- Log all security events
- Sanitize log data
- Structured logging with timestamps
- Centralize with retention policy
### A10: SSRF
**Detection patterns:**
- User-controlled URLs in server requests
- Internal service access without validation
- Cloud metadata endpoint accessible
- URL parsing inconsistencies
**Remediation:**
- Allowlist URLs/domains
- Block internal IP ranges
- Disable cloud metadata endpoint
- Use URL parser consistently
---
## Language-Specific Patterns
See detailed references:
- [references/javascript-vulnerabilities.md](references/javascript-vulnerabilities.md)
- [references/python-vulnerabilities.md](references/python-vulnerabilities.md)
- [references/java-vulnerabilities.md](references/java-vulnerabilities.md)
- [references/go-vulnerabilities.md](references/go-vulnerabilities.md)
---
## Security Headers Checklist
| Header | Value | Purpose |
|--------|-------|---------|
| `Content-Security-Policy` | `default-src 'self'` | Prevent XSS |
| `X-Content-Type-Options` | `nosniff` | Prevent MIME sniffing |
| `X-Frame-Options` | `DENY` | Prevent clickjacking |
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` | Force HTTPS |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer leakage |
| `Permissions-Policy` | `geolocation=(), camera=()` | Disable unused APIs |
---
## STRIDE Threat Modeling
| Threat | Question | Controls |
|--------|----------|----------|
| **Spoofing** | Can attacker impersonate? | Auth, MFA, certificates |
| **Tampering** | Can data be modified? | Integrity checks, MACs |
| **Repudiation** | Can actions be denied? | Audit logs, signing |
| **Information Disclosure** | Can data leak? | Encryption, access control |
| **Denial of Service** | Can service be disrupted? | Rate limits, redundancy |
| **Elevation of Privilege** | Can user gain access? | RBAC, input validation |