🇺🇸English
Software Security & AppSec — Quick Reference
Production-grade security patterns for building secure applications in Jan 2026. Covers OWASP Top 10:2025 (stable) https://owasp.org/Top10/2025/ plus OWASP API Security Top 10 (2023) https://owasp.org/API-Security/ and secure SDLC baselines (NIST SSDF) https://csrc.nist.gov/publications/detail/sp/800-218/final.
When to Use This Skill
Activate this skill when:
- Implementing authentication or authorization systems
- Handling user input that could lead to injection attacks (SQL, XSS, command injection)
- Designing secure APIs or web applications
- Working with cryptographic operations or sensitive data storage
- Conducting security reviews, threat modeling, or vulnerability assessments
- Responding to security incidents or compliance audit requirements
- Building systems that must comply with OWASP, NIST, PCI DSS, GDPR, HIPAA, or SOC 2
- Integrating third-party dependencies (supply chain security review)
- Implementing zero trust architecture or modern cloud-native security patterns
- Establishing or improving secure SDLC gates (threat modeling, SAST/DAST, dependency scanning)
When NOT to Use This Skill
- General backend development without security focus → use software-backend
- Infrastructure/cloud security (IAM, network security, container hardening) → use ops-devops-platform
- Smart contract auditing as primary focus → use software-crypto-web3
- ML model security (adversarial attacks, data poisoning) → use ai-mlops
- Compliance-only questions without implementation → consult compliance team directly
Quick Reference Table
| Security Task | Tool/Pattern | Implementation | When to Use |
|---|
| Primary Auth | Passkeys/WebAuthn | navigator.credentials.create() | New apps (2026+), phishing-resistant, broad platform support |
| Password Storage | bcrypt/Argon2 | bcrypt.hash(password, 12) | Legacy auth fallback (never store plaintext) |
| Input Validation | Allowlist regex | /^[a-zA-Z0-9_]{3,20}$/ | All user input (SQL, XSS, command injection prevention) |
| SQL Queries | Parameterized queries | db.execute(query, [userId]) |
Authentication Decision Matrix (Jan 2026)
| Method | Use Case | Token Lifetime | Security Level | Notes |
|---|
| Passkeys/WebAuthn | Primary auth (2026+) | N/A (cryptographic) | Highest | Phishing-resistant, broad platform support |
| OAuth 2.1 + PKCE | Third-party auth | 5-15 min access | High | Replaces implicit flow, mandatory PKCE |
| Session cookies | Traditional web apps | 30 min - 4 hrs | Medium-High | HttpOnly, Secure, SameSite=Strict |
| JWT stateless | APIs, microservices | 15-30 min | Medium | Always validate signature, short expiry |
| API keys | Machine-to-machine | Long-lived | Low-Medium | Rotate regularly, scope permissions |
Jurisdiction notes (verify): Authentication assurance requirements vary by country, industry, and buyer. Prefer passkeys/FIDO2; treat SMS OTP as recovery-only/low assurance unless you can justify it.
OWASP Top 10:2025 Quick Checklist
| Risk | Key Controls | Test
---|---|---|---
A01 | Broken Access Control | RBAC/ABAC, deny by default, CORS allowlist | BOLA, BFLA, privilege escalation
A02 | Security Misconfiguration | Harden defaults, disable unused features, error handling | Default creds, stack traces, headers
A03 | Supply Chain Failures (NEW) | SBOM, dependency scanning, SLSA, code signing | Outdated deps, typosquatting, compromised packages
A04 | Cryptographic Failures | TLS 1.3, AES-256-GCM, key rotation, no MD5/SHA1 | Weak ciphers, exposed secrets, cert validation
A05 | Injection | Parameterized queries, input validation, output encoding | SQLi, XSS, command injection, LDAP injection
A06 | Insecure Design | Threat modeling, secure design patterns, abuse cases | Design flaws, missing controls, trust boundaries
A07 | Authentication Failures | MFA/passkeys, rate limiting, secure password storage | Credential stuffing, brute force, session fixation
A08 | Integrity Failures | Code signing, CI/CD pipeline security, SRI | Unsigned updates, pipeline poisoning, CDN tampering
A09 | Logging Failures | Structured JSON, SIEM integration, correlation IDs | Missing logs, PII in logs, no alerting
A10 | Exceptional Conditions (NEW) | Fail-safe defaults, complete error recovery, input validation | Error handling gaps, fail-open, resource exhaustion
Decision Tree: Security Implementation
Security requirement: [Feature Type]
├─ User Authentication?
│ ├─ Session-based? → Cookie sessions + CSRF tokens
│ ├─ Token-based? → JWT with refresh tokens (references/authentication-authorization.md)
│ └─ Third-party? → OAuth2/OIDC integration
│
├─ User Input?
│ ├─ Database query? → Parameterized queries (NEVER string concatenation)
│ ├─ HTML output? → DOMPurify sanitization + CSP headers
│ ├─ File upload? → Content validation, size limits, virus scanning
│ └─ API parameters? → Allowlist validation (references/input-validation.md)
│
├─ Sensitive Data?
│ ├─ Passwords? → bcrypt/Argon2 (cost factor 12+)
│ ├─ PII/financial? → AES-256-GCM encryption + key rotation
│ ├─ API keys/tokens? → Environment variables + secrets manager
│ └─ In transit? → TLS 1.3 only
│
├─ Access Control?
│ ├─ Simple roles? → RBAC (assets/web-application/template-authorization.md)
│ ├─ Complex rules? → ABAC with policy engine
│ └─ Relationship-based? → ReBAC (owner, collaborator, viewer)
│
└─ API Security?
├─ Public API? → Rate limiting + API keys
├─ CORS needed? → Strict origin allowlist (never *)
└─ Headers? → Helmet.js (CSP, HSTS, X-Frame-Options)
Security ROI & Business Value (Jan 2026)
Security investment justification and compliance-driven revenue. Full framework: references/security-business-value.md
Quick Breach Cost Reference
Indicative figures (source: IBM Cost of a Data Breach 2024; refresh for current year): https://www.ibm.com/reports/data-breach
| Metric | Global Avg | US Avg | Impact |
|---|
| Avg breach cost | $4.88M | $9.36M | Budget justification baseline |
| Cost per record | $165 | $194 | Data classification priority |
| Detection time | 204 days | 191 days | SIEM/monitoring ROI |
| DevSecOps adoption | -$1.68M | -34% | Shift-left justification |
| IR team | -$2.26M | -46% | Highest ROI control |
Compliance → Enterprise Sales
| Certification | Deals Unlocked | Sales Impact |
|---|
| SOC 2 Type II | $100K+ enterprise | Typically reduces security questionnaire friction |
| ISO 27001 | $250K+ EU enterprise | Preferred vendor status |
| HIPAA | Healthcare vertical | Market access |
| FedRAMP | $1M+ government | US gov market entry |
ROI Formula (Quick Reference)
Security ROI = (Risk Reduction - Investment) / Investment × 100
Risk Reduction = Breach Probability × Avg Cost × Control Effectiveness
Example: 15% × $4.88M × 46% = $337K/year risk reduction
Incident Response Patterns (Jan 2026)
Security Incident Playbook
| Phase | Actions |
|---|
| Detect | Alert fires, user report, automated scan |
| Contain | Isolate affected systems, revoke compromised credentials |
| Investigate | Collect logs, determine scope, identify root cause |
| Remediate | Patch vulnerability, rotate secrets, update defenses |
| Recover | Restore services, verify fixes, update monitoring |
| Learn | Post-mortem, update playbooks, share lessons |
Security Logging Requirements
| What to Log | Format | Retention |
|---|
| Authentication events | JSON with correlation ID | 90 days minimum |
| Authorization failures | JSON with user context | 90 days minimum |
| Data access (sensitive) | JSON with resource ID | 1 year minimum |
| Security scan results | SARIF format | 1 year minimum |
Do:
- Include correlation IDs across services
- Log to SIEM (Splunk, Datadog, ELK)
- Mask PII in logs
Avoid:
- Logging passwords, tokens, or keys
- Unstructured log formats
- Missing timestamps or context
Common Security Mistakes
| FAIL Bad Practice | PASS Correct Approach | Risk |
|---|
query = "SELECT * FROM users WHERE id=" + userId | db.execute("SELECT * FROM users WHERE id=?", [userId]) | SQL injection |
| Storing passwords in plaintext or MD5 | bcrypt.hash(password, 12) or Argon2 | Credential theft |
res.send(userInput) without encoding | res.send(DOMPurify.sanitize(userInput)) | XSS |
| Hardcoded API keys in source code | Environment variables + secrets manager |
Optional: AI/Automation Extensions
Note : Security considerations for AI systems. Skip if not building AI features.
LLM Security Patterns
| Threat | Mitigation |
|---|
| Prompt injection | Input validation, output filtering, sandboxed execution |
| Data exfiltration | Output scanning, PII detection |
| Model theft | API rate limiting, watermarking |
| Jailbreaking | Constitutional AI, guardrails |
AI-Assisted Security Tools
| Tool | Use Case |
|---|
| Semgrep | Static analysis with AI rules |
| Snyk Code | AI-powered vulnerability detection |
| GitHub CodeQL | Semantic code analysis |
.NET/EF Core Crypto Integration Security
For C#/.NET crypto/fintech services using Entity Framework Core, see:
Key rules summary:
- No secrets in code — use configuration/environment variables
- No sensitive data in logs (tokens, keys, PII)
- Use
decimal for financial values, never double/float
- EF Core or parameterized queries only — no dynamic SQL
- Generic error messages to users, detailed logging server-side
Navigation
Core Resources (Updated 2024-2026)
Security Business Value & ROI
- references/security-business-value.md — Breach cost modeling, security ROI formulas, compliance → enterprise sales, investment justification templates
2025 Updates & Modern Architecture
- references/supply-chain-security.md — Dependency, build, and artifact integrity (SLSA, provenance, signing)
- references/zero-trust-architecture.md — NIST SP 800-207, service identity, policy-based access
- references/owasp-top-10.md — OWASP Top 10:2025 (final) guide + 2021→2025 diffs
- references/advanced-xss-techniques.md — 2024-2025 XSS: mutation XSS, polyglots, SVG attacks, context-aware encoding
API Security, Incident Response & Threat Modeling
- references/api-security-patterns.md — OWASP API Security Top 10, BOLA/BFLA, rate limiting, API keys, GraphQL/gRPC security
- references/incident-response-playbook.md — IR team roles, severity triage, containment by incident type, evidence handling, communication templates, postmortem
- references/threat-modeling-guide.md — STRIDE, PASTA, data flow diagrams, attack trees, risk scoring (CVSS/DREAD), lightweight agile threat modeling
Foundation Security Patterns
- references/secure-design-principles.md — Defense in depth, least privilege, secure defaults
- references/authentication-authorization.md — AuthN/AuthZ flows, OAuth 2.1, JWT best practices, RBAC/ABAC
- references/input-validation.md — Allowlist validation, SQL injection, XSS, CSRF prevention, file upload security
- references/cryptography-standards.md — AES-256-GCM, Argon2, TLS 1.3, key management
- references/common-vulnerabilities.md — Path traversal, command injection, deserialization, SSRF
External References
Templates by Domain
Web Application Security
API Security
- assets/api/template-secure-api.md — Secure API gateway, rate limiting, CORS, security headers
Cloud-Native Security
- assets/cloud-native/crypto-security.md — Cryptography usage, key management, HSM integration
Blockchain & Web3 Security
- references/smart-contract-security-auditing.md — NEW : Smart contract auditing, vulnerability patterns, formal verification, Solidity security
Related Skills
Security Ecosystem
- ../software-backend/SKILL.md — API implementation patterns and error handling
- ../software-architecture-design/SKILL.md — Secure system decomposition and dependency design
- ../ops-devops-platform/SKILL.md — DevSecOps pipelines, secrets management, infrastructure hardening
- ../software-crypto-web3/SKILL.md — Smart contract security, blockchain vulnerabilities, DeFi patterns
- ../qa-testing-strategy/SKILL.md — Security testing, SAST/DAST integration, penetration testing
AI/LLM Security
- ../ai-llm/SKILL.md — LLM security patterns including prompt injection prevention
- ../ai-mlops/SKILL.md — ML model security, adversarial attacks, privacy-preserving ML
Quality & Resilience
- ../qa-resilience/SKILL.md — Resilience, safeguards, failure handling, chaos engineering
- ../qa-refactoring/SKILL.md — Security-focused refactoring patterns
Trend Awareness Protocol
IMPORTANT : When users ask recommendation questions about application security, you MUST use WebSearch to check current trends before answering. If WebSearch is unavailable, use data/sources.json + web browsing and state what you verified vs assumed.
Trigger Conditions
- "What's the best approach for [authentication/authorization]?"
- "What should I use for [secrets/encryption/API security]?"
- "What's the latest in application security?"
- "Current best practices for [OWASP/zero trust/supply chain]?"
- "Is [security approach] still recommended in 2026?"
- "What are the latest security vulnerabilities?"
- "Best auth solution for [use case]?"
Required Searches
- Search:
"application security best practices 2026"
- Search:
"OWASP Top 10 2025 2026"
- Search:
"[authentication/authorization] trends 2026"
- Search:
"supply chain security 2026"
What to Report
After searching, provide:
- Current landscape : What security approaches are standard NOW
- Emerging threats : New vulnerabilities or attack vectors
- Deprecated/declining : Approaches that are no longer secure
- Recommendation : Based on fresh data and current advisories
Example Topics (verify with fresh search)
- OWASP Top 10 updates
- Passkeys and passwordless authentication
- AI security concerns (prompt injection, model poisoning)
- Supply chain security (SBOMs, dependency scanning)
- Zero trust architecture implementation
- API security (BOLA, broken auth)
Pre-Implementation Security Gate
Before building any feature that involves storage, uploads, or user-generated content:
- Threat model first : Identify what an attacker could do with this feature (file upload → malware, storage → data exfiltration, user content → XSS).
- Check OWASP mapping : Map the feature to relevant OWASP Top 10 categories above.
- Define constraints before coding : Set file type allowlist, size limits, storage isolation, and access controls before writing the first line.
- Review existing security patterns : Check if the project already has upload/storage security utilities to reuse.
Building storage/upload features without upfront security constraints leads to retroactive hardening that is more expensive and error-prone.
Operational Playbooks
- references/operational-playbook.md — Core security principles, OWASP summaries, authentication patterns, and detailed code examples
Fact-Checking
- Use web search/web fetch to verify current external facts, versions, pricing, deadlines, regulations, or platform behavior before final answers.
- Prefer primary sources; report source links and dates for volatile information.
- If web access is unavailable, state the limitation and mark guidance as unverified.
Weekly Installs
97
Repository
vasilyu1983/ai-…s-public
GitHub Stars
49
First Seen
Jan 23, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykWarn
Installed on
codex79
gemini-cli78
opencode78
cursor77
github-copilot73
amp65
