Security Patterns

Systematic approach to identifying and remediating security vulnerabilities. Use this skill when:

• Reviewing code for security vulnerabilities
• Conducting security audits
• Implementing authentication, authorization, or data handling
• Assessing third-party dependencies

OWASP Top 10 (2021) Quick Detection

A01: Broken Access Control

Detection patterns:

• Missing authorization checks on endpoints
• Direct object references without ownership validation
• Path traversal: ../ in file paths
• CORS with Access-Control-Allow-Origin: *
• JWT without signature verification

Remediation:

• Implement RBAC/ABAC at controller/service layer
• Validate ownership on every resource access
• Use allowlists for file paths
• Configure CORS with specific origins

A02: Cryptographic Failures

Detection patterns:

• MD5/SHA1 for passwords
• Hardcoded encryption keys
• HTTP for sensitive data
• Weak random: Math.random(), rand()
• Missing encryption at rest

Remediation:

• Use bcrypt/argon2 for passwords (cost ≥12)
• External key management (KMS, Vault)
• TLS 1.2+ everywhere
• Cryptographic RNG only

A03: Injection

Detection patterns:

• String concatenation in SQL/NoSQL queries
• Template literals in HTML without escaping
• eval(), exec(), Function() with user input
• Shell commands with string interpolation
• LDAP/XPath queries with user input

Remediation:

• Parameterized queries always
• Context-aware output encoding
• Never eval untrusted input
• Use ORM/query builders

A04: Insecure Design

Detection patterns:

• Business logic without rate limiting
• Missing account lockout
• No CAPTCHA on authentication
• Unbounded resource allocation
• Missing threat model documentation

Remediation:

• Rate limit all sensitive operations
• Implement progressive delays
• Bound all allocations
• Document trust boundaries

A05: Security Misconfiguration

Detection patterns:

• Default credentials in config
• Verbose error messages to users
• Debug mode in production
• Unnecessary services enabled
• Missing security headers

Remediation:

• Automated hardening scripts
• Generic error messages externally
• Disable debug in production
• Minimize attack surface

A06: Vulnerable Components

Detection patterns:

• Dependencies with known CVEs
• Outdated framework versions
• Abandoned packages (no updates >2 years)
• Single-maintainer critical deps

Remediation:

• Automated dependency scanning
• Regular update schedule
• Evaluate package health before adoption
• Pin specific versions with lockfiles

A07: Authentication Failures

Detection patterns:

• Weak password requirements
• Missing brute force protection
• Session tokens in URL
• No session timeout
• Plain passwords in logs

Remediation:

• Strong password policy
• Account lockout/delays
• Secure cookie flags
• Session timeout <30 min idle
• Never log credentials

A08: Data Integrity Failures

Detection patterns:

• Deserialization of untrusted data
• Missing integrity checks on downloads
• Unsigned software updates
• CI/CD without verification

Remediation:

• Avoid native deserialization
• Verify checksums/signatures
• Sign all releases
• Secure CI/CD pipeline

A09: Logging Failures

Detection patterns:

• No logging on auth events
• Sensitive data in logs
• Logs without timestamps
• No centralized logging
• Missing alerting

Remediation:

• Log all security events
• Sanitize log data
• Structured logging with timestamps
• Centralize with retention policy

A10: SSRF

Detection patterns:

• User-controlled URLs in server requests
• Internal service access without validation
• Cloud metadata endpoint accessible
• URL parsing inconsistencies

Remediation:

• Allowlist URLs/domains
• Block internal IP ranges
• Disable cloud metadata endpoint
• Use URL parser consistently

Language-Specific Patterns

See detailed references:

• references/javascript-vulnerabilities.md
• references/python-vulnerabilities.md
• references/java-vulnerabilities.md
• references/go-vulnerabilities.md

Security Headers Checklist

STRIDE Threat Modeling