Security Audit

When to Use

Use this skill when reviewing code for security or performing security audits.

OWASP Top 10 Checklist

1. Injection

• SQL queries use parameterized statements
• OS commands avoid user input
• LDAP queries are sanitized

2. Broken Authentication

• Passwords hashed with bcrypt/argon2
• Session tokens are secure random
• MFA available for sensitive operations

3. Sensitive Data Exposure

• Data encrypted at rest
• TLS for data in transit
• Secrets not in code/logs

4. XML External Entities (XXE)

• XML parsing disables external entities
• JSON preferred over XML

5. Broken Access Control

• Authorization checked on every request
• Direct object references validated
• CORS configured correctly

6. Security Misconfiguration

• Debug mode disabled in production
• Default credentials changed
• Security headers set

7. Cross-Site Scripting (XSS)

• Output encoding applied
• Content Security Policy set
• Input validation present

8. Insecure Deserialization

• User input not deserialized directly
• Integrity checks on serialized data

9. Using Components with Known Vulnerabilities

• Dependencies up to date
• Vulnerability scanning in CI
• SBOM maintained

10. Insufficient Logging & Monitoring

• Security events logged
• Logs don't contain sensitive data
• Alerting configured

Report Format

## Security Audit: [Component]

### Scope
[What was reviewed]

### Findings
| ID | Severity | Issue | Remediation |
|----|----------|-------|-------------|
| S1 | Critical | [Issue] | [Fix] |

### Recommendations
1. [Priority recommendation]
2. [Secondary recommendation]