Software Security & AppSec — Quick Reference

Production-grade security patterns for building secure applications in 2024-2025. Covers OWASP Top 10:2025 (including new Supply Chain Failures category), zero trust architecture, modern authentication, and defensive coding.

When to Use This Skill

Activate this skill when:

• Implementing authentication or authorization systems
• Handling user input that could lead to injection attacks (SQL, XSS, command injection)
• Designing secure APIs or web applications
• Working with cryptographic operations or sensitive data storage
• Conducting security reviews, threat modeling, or vulnerability assessments
• Responding to security incidents or compliance audit requirements
• Building systems that must comply with OWASP, NIST, PCI DSS, GDPR, HIPAA, or SOC 2
• Integrating third-party dependencies (supply chain security review)
• Implementing zero trust architecture or modern cloud-native security patterns

Quick Reference Table

Decision Tree: Security Implementation

Security requirement: [Feature Type]
    ├─ User Authentication?
    │   ├─ Session-based? → Cookie sessions + CSRF tokens
    │   ├─ Token-based? → JWT with refresh tokens (resources/authentication-authorization.md)
    │   └─ Third-party? → OAuth2/OIDC integration
    │
    ├─ User Input?
    │   ├─ Database query? → Parameterized queries (NEVER string concatenation)
    │   ├─ HTML output? → DOMPurify sanitization + CSP headers
    │   ├─ File upload? → Content validation, size limits, virus scanning
    │   └─ API parameters? → Allowlist validation (resources/input-validation.md)
    │
    ├─ Sensitive Data?
    │   ├─ Passwords? → bcrypt/Argon2 (cost factor 12+)
    │   ├─ PII/financial? → AES-256-GCM encryption + key rotation
    │   ├─ API keys/tokens? → Environment variables + secrets manager
    │   └─ In transit? → TLS 1.3 only
    │
    ├─ Access Control?
    │   ├─ Simple roles? → RBAC (templates/web-application/template-authorization.md)
    │   ├─ Complex rules? → ABAC with policy engine
    │   └─ Relationship-based? → ReBAC (owner, collaborator, viewer)
    │
    └─ API Security?
        ├─ Public API? → Rate limiting + API keys
        ├─ CORS needed? → Strict origin allowlist (never *)
        └─ Headers? → Helmet.js (CSP, HSTS, X-Frame-Options)

.NET/EF Core Crypto Integration Security

For C#/.NET crypto/fintech services using Entity Framework Core, see:

• resources/dotnet-efcore-crypto-security.md — Security rules and C# patterns

Key rules summary:

• No secrets in code — use configuration/environment variables
• No sensitive data in logs (tokens, keys, PII)
• Use decimal for financial values, never double/float
• EF Core or parameterized queries only — no dynamic SQL
• Generic error messages to users, detailed logging server-side

Navigation

Core Resources (Updated 2024-2025)

2025 Updates & Modern Architecture

• resources/supply-chain-security.md — NEW: OWASP A03:2025, npm Shai-Hulud attack response, SLSA, Sigstore, trusted publishing
• resources/zero-trust-architecture.md — NEW: NIST SP 800-207, CISA maturity model, mTLS, SPIFFE/SPIRE, policy-based access
• resources/owasp-top-10.md — OWASP Top 10:2025 threats and mitigations with new categories
• resources/advanced-xss-techniques.md — 2024-2025 XSS: mutation XSS, polyglots, SVG attacks, context-aware encoding

Foundation Security Patterns

• resources/secure-design-principles.md — Defense in depth, least privilege, secure defaults
• resources/authentication-authorization.md — AuthN/AuthZ flows, OAuth 2.1, JWT best practices, RBAC/ABAC
• resources/input-validation.md — Allowlist validation, SQL injection, XSS, CSRF prevention, file upload security
• resources/cryptography-standards.md — AES-256-GCM, Argon2, TLS 1.3, key management
• resources/common-vulnerabilities.md — Path traversal, command injection, deserialization, SSRF

External References

• data/sources.json — 70+ curated security resources (OWASP 2025, supply chain, zero trust, API security, compliance)

Templates by Domain

Web Application Security

• templates/web-application/template-authentication.md — Secure authentication flows (JWT, OAuth2, sessions, MFA)
• templates/web-application/template-authorization.md — RBAC/ABAC/ReBAC policy patterns

API Security

• templates/api/template-secure-api.md — Secure API gateway, rate limiting, CORS, security headers

Cloud-Native Security

• templates/cloud-native/crypto-security.md — Cryptography usage, key management, HSM integration

Blockchain & Web3 Security

• resources/smart-contract-security-auditing.md — NEW: Smart contract auditing, vulnerability patterns, formal verification, Solidity security

Related Skills

Security Ecosystem

• ../software-backend/SKILL.md — API implementation patterns and error handling
• ../software-architecture-design/SKILL.md — Secure system decomposition and dependency design
• ../ops-devops-platform/SKILL.md — DevSecOps pipelines, secrets management, infrastructure hardening
• ../software-crypto-web3/SKILL.md — Smart contract security, blockchain vulnerabilities, DeFi patterns
• ../qa-testing-strategy/SKILL.md — Security testing, SAST/DAST integration, penetration testing

AI/LLM Security

• ../ai-llm/SKILL.md — LLM security patterns including prompt injection prevention
• ../ai-mlops/SKILL.md — ML model security, adversarial attacks, privacy-preserving ML

Quality & Resilience

• ../qa-resilience/SKILL.md — Resilience, safeguards, failure handling, chaos engineering
• ../qa-refactoring/SKILL.md — Security-focused refactoring patterns

Operational Playbooks

• resources/operational-playbook.md — Core security principles, OWASP summaries, authentication patterns, and detailed code examples