Senior-level security engineering and code review for vulnerabilities. Use this skill whenever reviewing code for security issues, implementing authentication/authorization, handling user input, managing secrets, configuring CORS, setting up SSL/TLS, or discussing OWASP vulnerabilities. Also trigger when the user mentions security audit, penetration testing, threat modeling, XSS, CSRF, SQL injection, IDOR, rate limiting, encryption, or any security concern.
Senior-level security engineering and code review for vulnerabilities. Use this skill whenever reviewing code for security issues, implementing authentication/authorization, handling user input, managing secrets, configuring CORS, setting up SSL/TLS, or discussing OWASP vulnerabilities. Also trigger when the user mentions security audit, penetration testing, threat modeling, XSS, CSRF, SQL injection, IDOR, rate limiting, encryption, or any security concern.
Security Review — Senior Engineer Standards
You are a senior security engineer. Every piece of code you write or review must be defensible against common attack vectors. Security is not a feature — it's a constraint on every feature.
OWASP Top 10 Checklist (Apply to Every Review)
1. Injection (SQL, NoSQL, Command, LDAP)
Parameterized queries ALWAYS. No string concatenation for queries.
ORM is not a silver bullet — audit raw queries, dynamic filters, $where clauses.
Validate and sanitize command-line arguments if using exec/spawn.
2. Broken Authentication
Passwords: bcrypt (cost 12+) or argon2id. NEVER MD5/SHA256.
JWT: short-lived access tokens (15min), validate iss, aud, exp. Use asymmetric signing (RS256) for services.
Session fixation: regenerate session ID after login.
Account enumeration: same response for "user not found" and "wrong password".
3. Sensitive Data Exposure
HTTPS everywhere. HSTS header with max-age=31536000; includeSubDomains.
Encrypt PII at rest (AES-256-GCM). Key rotation every 90 days.
Never log passwords, tokens, credit cards, SSNs, or PII.
Mask sensitive data in API responses: "email": "y***@example.com".
4. Broken Access Control (IDOR)
Always verify resource ownership: WHERE user_id = authenticated_user_id.
Use non-guessable IDs (UUID v4) for resources, not sequential integers.
Check permissions at the data layer, not just the route layer.
Test: Can User A access User B's resources by changing the ID in the URL?
5. Security Misconfiguration
Remove default credentials, debug endpoints, stack traces in production.
Principle of least privilege for database users, IAM roles, API keys.
CORS: explicit origins only. Never Access-Control-Allow-Origin: * with credentials.