security-patterns by groupzer0

---
name: security-patterns
description: Security vulnerability detection patterns including OWASP Top 10, language-specific vulnerabilities, and remediation guidance. Load when reviewing code for security issues, conducting audits, or implementing authentication/authorization.
license: MIT
metadata:
  author: groupzer0
  version: "1.0"
---

# Security Patterns

Systematic approach to identifying and remediating security vulnerabilities. Use this skill when:
- Reviewing code for security vulnerabilities
- Conducting security audits
- Implementing authentication, authorization, or data handling
- Assessing third-party dependencies

## OWASP Top 10 (2021) Quick Detection

### A01: Broken Access Control
**Detection patterns:**
- Missing authorization checks on endpoints
- Direct object references without ownership validation
- Path traversal: `../` in file paths
- CORS with `Access-Control-Allow-Origin: *`
- JWT without signature verification

**Remediation:**
- Implement RBAC/ABAC at controller/service layer
- Validate ownership on every resource access
- Use allowlists for file paths
- Configure CORS with specific origins

### A02: Cryptographic Failures
**Detection patterns:**
- MD5/SHA1 for passwords
- Hardcoded encryption keys
- HTTP for sensitive data
- Weak random: `Math.random()`, `rand()`
- Missing encryption at rest

**Remediation:**
- Use bcrypt/argon2 for passwords (cost ≥12)
- External key management (KMS, Vault)
- TLS 1.2+ everywhere
- Cryptographic RNG only

### A03: Injection
**Detection patterns:**
- String concatenation in SQL/NoSQL queries
- Template literals in HTML without escaping
- `eval()`, `exec()`, `Function()` with user input
- Shell commands with string interpolation
- LDAP/XPath queries with user input

**Remediation:**
- Parameterized queries always
- Context-aware output encoding
- Never eval untrusted input
- Use ORM/query builders

### A04: Insecure Design
**Detection patterns:**
- Business logic without rate limiting
- Missing account lockout
- No CAPTCHA on authentication
- Unbounded resource allocation
- Missing threat model documentation

**Remediation:**
- Rate limit all sensitive operations
- Implement progressive delays
- Bound all allocations
- Document trust boundaries

### A05: Security Misconfiguration
**Detection patterns:**
- Default credentials in config
- Verbose error messages to users
- Debug mode in production
- Unnecessary services enabled
- Missing security headers

**Remediation:**
- Automated hardening scripts
- Generic error messages externally
- Disable debug in production
- Minimize attack surface

### A06: Vulnerable Components
**Detection patterns:**
- Dependencies with known CVEs
- Outdated framework versions
- Abandoned packages (no updates >2 years)
- Single-maintainer critical deps

**Remediation:**
- Automated dependency scanning
- Regular update schedule
- Evaluate package health before adoption
- Pin specific versions with lockfiles

### A07: Authentication Failures
**Detection patterns:**
- Weak password requirements
- Missing brute force protection
- Session tokens in URL
- No session timeout
- Plain passwords in logs

**Remediation:**
- Strong password policy
- Account lockout/delays
- Secure cookie flags
- Session timeout <30 min idle
- Never log credentials

### A08: Data Integrity Failures
**Detection patterns:**
- Deserialization of untrusted data
- Missing integrity checks on downloads
- Unsigned software updates
- CI/CD without verification

**Remediation:**
- Avoid native deserialization
- Verify checksums/signatures
- Sign all releases
- Secure CI/CD pipeline

### A09: Logging Failures
**Detection patterns:**
- No logging on auth events
- Sensitive data in logs
- Logs without timestamps
- No centralized logging
- Missing alerting

**Remediation:**
- Log all security events
- Sanitize log data
- Structured logging with timestamps
- Centralize with retention policy

### A10: SSRF
**Detection patterns:**
- User-controlled URLs in server requests
- Internal service access without validation
- Cloud metadata endpoint accessible
- URL parsing inconsistencies

**Remediation:**
- Allowlist URLs/domains
- Block internal IP ranges
- Disable cloud metadata endpoint
- Use URL parser consistently

---

## Language-Specific Patterns

See detailed references:
- [references/javascript-vulnerabilities.md](references/javascript-vulnerabilities.md)
- [references/python-vulnerabilities.md](references/python-vulnerabilities.md)
- [references/java-vulnerabilities.md](references/java-vulnerabilities.md)
- [references/go-vulnerabilities.md](references/go-vulnerabilities.md)

---

## Security Headers Checklist

| Header | Value | Purpose |
|--------|-------|---------|
| `Content-Security-Policy` | `default-src 'self'` | Prevent XSS |
| `X-Content-Type-Options` | `nosniff` | Prevent MIME sniffing |
| `X-Frame-Options` | `DENY` | Prevent clickjacking |
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` | Force HTTPS |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer leakage |
| `Permissions-Policy` | `geolocation=(), camera=()` | Disable unused APIs |

---

## STRIDE Threat Modeling

| Threat | Question | Controls |
|--------|----------|----------|
| **Spoofing** | Can attacker impersonate? | Auth, MFA, certificates |
| **Tampering** | Can data be modified? | Integrity checks, MACs |
| **Repudiation** | Can actions be denied? | Audit logs, signing |
| **Information Disclosure** | Can data leak? | Encryption, access control |
| **Denial of Service** | Can service be disrupted? | Rate limits, redundancy |
| **Elevation of Privilege** | Can user gain access? | RBAC, input validation |