Security Audit

Quick Start

When performing a security audit:

1. Identify attack surfaces (API, parsing, storage, auth).
2. Review input validation and trust boundaries.
3. Check authn/authz, secret handling, and sensitive logging.
4. Review data protection, PII handling, and retention controls.
5. Return prioritized findings with concrete remediations.

Audit Focus Areas

• Authentication and authorization
• Input validation and unsafe parsing
• Injection vectors (SQL, command, path, template)
• Secret exposure and credential handling
• PII processing, redaction, and retention
• Abuse controls (rate limit, replay, idempotency)
• Dependency/supply-chain risk indicators

Output Format

Use this exact structure:

## Findings
- [Severity] Title
  - Attack scenario:
  - Impact:
  - Where:
  - Remediation:

## Threat Model Notes
- ...

## Hardening Checklist
- ...

## Residual Risk Summary
- ...