| name | secure-coding |
| description | Language-agnostic secure coding and vulnerability review grounded in OWASP Top 10:2025, OWASP ASVS 5.0, and CWE Top 25 (2025): input validation, injection, authentication/authorization, secrets handling, supply-chain hygiene, error/exception handling, SSRF, cryptographic misuse. Use when writing or reviewing code that crosses a trust boundary (user input, network, files, third-party data), handling credentials/secrets, adding dependencies, or when asked for a security review in any language. For Apple-platform specifics (Keychain, ATS, entitlements) use apple-secure-coding.
|
| allowed-tools | ["Read","Glob","Grep"] |
Secure Coding (Language-Agnostic)
IRON LAW: ALL EXTERNAL INPUT IS HOSTILE UNTIL VALIDATED.
NO SECRET EVER APPEARS IN SOURCE, LOGS, OR ERROR MESSAGES.
Threat Frame (before reviewing or writing)
- Assets — what is worth stealing/corrupting here? (credentials, PII,
tokens, money-moving operations)
- Trust boundaries — where does external data enter? (HTTP, files, IPC,
env vars, DB content, third-party APIs, AI/LLM output)
- Abuse cases — for each entry point: "what would an attacker send?"
OWASP Top 10:2025 Checklist
| # | Risk | Check for |
|---|
| A01 | Broken Access Control (incl. SSRF) | Authorization enforced server-side on every object/function access; no IDOR; outbound fetches of user-supplied URLs validated against allowlist |
| A02 | Security Misconfiguration | Safe defaults; debug off in prod; minimal surface; headers (CSP, HSTS) |
| A03 | Software Supply Chain Failures | Pinned dependencies, lockfiles, provenance/signature checks, minimal deps, no abandoned packages |
| A04 | Cryptographic Failures | Modern AEAD (AES-GCM/ChaCha20-Poly1305); no MD5/SHA-1 for security, no ECB, no homegrown crypto; unique nonces; TLS everywhere |
| A05 | Injection | Parameterized queries; no string-built SQL/shell/eval; output encoding for XSS (CWE Top 25 2025: XSS #1, SQLi #2) |
| A06 | Insecure Design | Threat-model security-relevant features before coding; fail secure |
| A07 | Authentication Failures | Rate limiting, MFA support, no credential leakage in errors/timing, secure session lifecycle, CSRF protection (CWE #3) |
| A08 | Software & Data Integrity Failures | No unsigned/unverified updates or deserialization of untrusted data |
| A09 | Logging & Alerting Failures | Security events logged WITHOUT secrets/PII; tamper-evident; actionable alerts |
| A10 | Mishandling of Exceptional Conditions | No swallowed errors on security paths; no fail-open; resource cleanup on error paths |
Non-Negotiables (any language)
- Validate with allowlists at the boundary; canonicalize before validating
(paths, URLs, Unicode).
- Secrets come from a secret manager/keystore or environment at deploy time —
never source control. Grep for high-entropy literals before approving.
- Least privilege: narrowest scopes, capabilities, file permissions, DB grants.
- Defense in depth: never a single control between attacker and asset.
- Errors: precise internally, generic externally (no stack traces or internal
paths to users).
- New dependency = supply-chain decision: maintenance status, transitive
surface, lockfile updated, license checked.
Rationalization Table (STOP signs)
| If you think… | Reality |
|---|
| "It's internal, no one malicious can reach it" | Internal services get compromised; SSRF reaches "internal" |
| "We'll sanitize later" | Later never comes; the boundary is now |
| "This input is from our own frontend" | Attackers don't use your frontend |
| "Logging it helps debugging" | Logs leak; mask secrets/PII now |
Severity & Reporting
Report findings as: vulnerability class + CWE ID, location, exploitation
scenario, concrete fix, severity (Critical/High/Medium/Low). Sort by severity.
Map to ASVS 5.0 level (L1 baseline / L2 standard / L3 high-assurance) when the
project declares one.
Related Skills
| Need | Skill |
|---|
| Apple-platform security (Keychain, ATS, entitlements) | apple-secure-coding |
| Memory-corruption classes, sanitizers, ownership review | memory-safety |
| Xcode hardening build settings | audit-xcode-security-settings |
| C memory safety annotations | c-bounds-safety |
| Security-audit execution contract | planner (security-audit template) |
| General review workflow | code-review |