| name | owasp-security |
| version | 1.0.0 |
| description | OWASP-aligned application security review and remediation for access control, cryptography, injection, insecure design, misconfiguration, vulnerable dependencies, auth, integrity, logging, SSRF, and secure coding controls. |
| author | skillregistry |
| license | MIT |
| agents | ["cursor","claude-code","copilot"] |
| categories | ["security"] |
| tags | ["owasp","security","appsec"] |
OWASP Security
Use OWASP Top 10 as a risk checklist, not a complete security program. Prioritize concrete exploitability in the codebase and apply small, verifiable fixes.
Workflow
- Identify assets, trust boundaries, authentication, authorization, and data flows.
- Check the OWASP Top 10 categories against the actual change or subsystem.
- Prefer framework-supported controls over custom security code.
- Patch the smallest viable control and add a regression test.
- Review logs/errors to ensure secrets and stack traces are not exposed.
- Document residual risk if a full fix needs product or architecture work.
Checklist
- Broken access control: object-level and function-level authorization.
- Cryptographic failures: TLS, secret handling, password hashing, key rotation.
- Injection: parameterized queries, command execution controls, output encoding.
- Insecure design: missing abuse cases, approval gates, rate limits.
- Misconfiguration: CORS, security headers, default credentials, debug flags.
- Vulnerable components: dependency scanning and patch policy.
- Auth failures: token lifetime, MFA/session controls, credential stuffing protection.
- Integrity failures: CI/CD permissions, signed artifacts, trusted update paths.
- Logging/monitoring failures: security events and alertable failures.
- SSRF: URL allowlists, DNS/IP validation, metadata IP blocks.
Verification
pnpm test
pnpm audit
docker scout cves <image>
Also run targeted tests: unauthorized access, invalid tokens, malicious input, SSRF URL attempts, and secret redaction.
Resources
Principles
- Security controls must be testable.
- Authorization is checked server-side, every time.
- Validate input and encode output.
- Secrets never belong in logs, clients, or images.
- Secure defaults beat documentation warnings.