Security Reviewer

Security Checklist

Authentication & Authorization

## Authentication Security

- [ ] Passwords hashed with bcrypt/scrypt/argon2
- [ ] Session tokens are cryptographically random
- [ ] Session expiration implemented
- [ ] Rate limiting on login attempts
- [ ] Multi-factor authentication available
- [ ] Password reset tokens expire
- [ ] Account lockout after failed attempts

Input Validation

## Input Security

- [ ] All user input is validated
- [ ] Input is sanitized before use
- [ ] Type checking enforced
- [ ] Length limits applied
- [ ] Allowed characters defined
- [ ] File uploads validated

Data Protection

## Data Security

- [ ] Sensitive data encrypted at rest
- [ ] Data encrypted in transit (HTTPS)
- [ ] PII properly protected
- [ ] Logs don't contain sensitive data
- [ ] Error messages don't leak info

Common Vulnerabilities

1. SQL Injection

// VULNERABLE
const query = `SELECT * FROM users WHERE id = ${userId}`;

// SECURE - Parameterized query
const query = "SELECT * FROM users WHERE id = ?";
db.query(query, [userId]);

2. XSS (Cross-Site Scripting)

// VULNERABLE
element.innerHTML = userInput;

// SECURE - Sanitize or use textContent
element.textContent = userInput;
// Or use a sanitization library
element.innerHTML = DOMPurify.sanitize(userInput);

3. CSRF (Cross-Site Request Forgery)

// VULNERABLE - No CSRF protection
app.post("/api/transfer", (req, res) => {
  transferMoney(req.body);
});

// SECURE - CSRF token
const csrf = require("csurf");
app.use(csrf({ cookie: true }));

app.post("/api/transfer", (req, res) => {
  // CSRF token validated automatically
  transferMoney(req.body);
});

4. Insecure Dependencies

# Check for vulnerabilities
rtk bun pm untrusted (or rtk npm audit)

# Fix automatically
rtk bun pm untrusted (or rtk npm audit) fix

# Check before installing
rtk bun pm untrusted (or rtk npm audit) package-name

5. Hardcoded Secrets

// VULNERABLE
const apiKey = "sk-1234567890abcdef";
const dbPassword = "admin123";

// SECURE - Environment variables
const apiKey = process.env.API_KEY;
const dbPassword = process.env.DB_PASSWORD;

6. Insecure Deserialization

// VULNERABLE
const data = JSON.parse(untrustedInput);

// SECURE - Validate schema
const schema = Joi.object({
  id: Joi.string().uuid(),
  name: Joi.string().max(100),
});

const { error, value } = schema.validate(JSON.parse(untrustedInput));
if (error) throw new Error("Invalid input");

7. Path Traversal

// VULNERABLE
const filePath = path.join("./uploads", req.params.filename);

// SECURE - Validate and sanitize
const filename = path.basename(req.params.filename);
const filePath = path.join("./uploads", filename);
if (!filePath.startsWith(path.resolve("./uploads"))) {
  throw new Error("Invalid path");
}

Security Headers

// Express.js security headers
const helmet = require("helmet");
app.use(helmet());

// Manual headers
app.use((req, res, next) => {
  res.setHeader("X-Content-Type-Options", "nosniff");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-XSS-Protection", "1; mode=block");
  res.setHeader("Content-Security-Policy", "default-src 'self'");
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  next();
});

Security Audit Template

# Security Audit Report

## Date: [Date]

## Scope: [Application/Module]

## Findings

### Critical

| ID  | Issue         | Location   | Recommendation            |
| --- | ------------- | ---------- | ------------------------- |
| C1  | SQL injection | user.js:45 | Use parameterized queries |

### High

| ID  | Issue             | Location       | Recommendation  |
| --- | ----------------- | -------------- | --------------- |
| H1  | XSS vulnerability | comments.js:23 | Sanitize output |

### Medium

| ID  | Issue                 | Location   | Recommendation   |
| --- | --------------------- | ---------- | ---------------- |
| M1  | Missing rate limiting | auth.js:12 | Add rate limiter |

### Low

| ID  | Issue                  | Location  | Recommendation  |
| --- | ---------------------- | --------- | --------------- |
| L1  | Verbose error messages | api.js:34 | Sanitize errors |

## Recommendations

1. [Priority recommendation]
2. [Priority recommendation]

## Timeline

- Critical: Fix immediately
- High: Fix within 1 week
- Medium: Fix within sprint
- Low: Schedule for next release

OWASP Top 10 Check

1. Injection - Use parameterized queries
2. Broken Auth - Implement strong authentication
3. Sensitive Data - Encrypt sensitive data
4. XXE - Disable XML external entities
5. Broken Access - Verify authorization
6. Security Misconfig - Harden configurations
7. XSS - Sanitize all output
8. Insecure Deserialization - Validate all input
9. Known Vulnerabilities - Update dependencies
10. Insufficient Logging - Log security events

Tips

• Think like an attacker
• Validate all input
• Encrypt sensitive data
• Use security headers
• Keep dependencies updated
• Log security events
• Regular security audits

Anti-Patterns

• Never skip reviewing dependency versions because a transitive dependency with a known CVE can be exploited without any change to first-party code.
• Never treat HTTPS as sufficient input sanitisation because transport encryption does not prevent injection attacks on the server.
• Never hardcode role checks by user ID because individual-user exceptions bypass the permission model and cannot be audited.
• Never store secrets in environment variables without a secrets manager because environment variables are readable by all processes in the container and leak in crash dumps.
• Never approve auth code without checking token expiry handling because unexpiring tokens become permanent credentials after account compromise.
• Never skip rate limiting on unauthenticated endpoints because brute-force attacks enumerate valid usernames within minutes on any publicly reachable service.

Failure Modes

Self-Verification Checklist

• All OWASP Top 10 categories checked: grep -c "OWASP\|A0[1-9]\|A10" security_review.md returns >= 10
• npm audit --audit-level=high (or bun pm untrusted) exits 0 — 0 high/critical dependency findings
• No hardcoded secrets: grep -rn "sk-\|Bearer \|password\s*=\|secret\s*=" src/ returns = 0 matches
• All user-controlled input validated: grep -c "sanitize\|validate\|escape\|parameterized" src/ returns > 0
• Auth tokens use secure generation with expiration: grep -c "expiresIn\|exp\|ttl\|crypto\.random" src/auth/ returns > 0
• Error responses do not leak internals: grep -rn "stack\|stackTrace\|schema\|column_name" src/errors/ returns = 0 matches
• HTTP security headers present: grep -c "helmet\|CSP\|HSTS\|X-Frame-Options" src/ returns > 0

Success Criteria

This task is complete when:

1. A Security Audit Report exists with findings categorized by severity (Critical/High/Medium/Low)
2. All Critical and High findings have either been fixed or have an accepted-risk decision recorded
3. OWASP Top 10 checklist is completed with evidence for each item