Security

Phase 2: Vulnerability Scanning

Check for common vulnerability patterns:

1. Injection Points (CRITICAL - check first)

   • SQL queries with string concatenation
   • Shell command execution with user input
   • HTML rendering with unescaped content
   • See references/owasp-top-10.md for patterns

2. Authentication/Authorization

   • Missing auth checks on endpoints
   • Broken access control (can user A access user B's data?)
   • Weak session management
   • See references/auth-patterns.md for secure patterns

3. Secrets Management

   • Hardcoded credentials, API keys, tokens
   • Secrets in logs or error messages
   • Secrets committed to git history
   • See references/secrets-guide.md for detection patterns

4. Data Exposure

   • Sensitive data in responses (passwords, tokens, PII)
   • Verbose error messages revealing internals
   • Debug endpoints left enabled

Phase 3: Verification

Before approving:

1. Test Security Controls

   • Do auth checks actually prevent unauthorized access?
   • Does input validation reject malicious input?
   • Are rate limits effective?

2. Review Dependencies

   • Any new dependencies with known vulnerabilities?
   • Run npm audit / pip-audit / govulncheck

3. Check Configuration

   • Security headers configured?
   • HTTPS enforced?
   • Secure cookie flags set?

Red Flags - STOP and Investigate

If you see ANY of these, STOP and investigate before proceeding:

Critical - Block Immediately

- String concatenation in SQL: f"SELECT * FROM users WHERE id = '{id}'"
- eval() or exec() with any external input
- innerHTML with user-controlled content
- Hardcoded secrets: API_KEY = "sk-live-..."
- Missing authentication on sensitive endpoints
- Shell commands with user input: os.system(f"ls {path}")

High Risk - Require Justification

- Disabling security features: verify=False, --no-verify
- Broad CORS: Access-Control-Allow-Origin: *
- Elevated privileges: running as root, admin endpoints
- Cryptographic operations (easy to get wrong)
- Custom auth implementations (use standard libraries)

Suspicious Patterns - Question Intent

- Base64 "encoding" treated as encryption
- MD5/SHA1 for passwords (use bcrypt/argon2)
- JWT with 'none' algorithm or long expiry
- Catching and silencing all exceptions
- Comments like "TODO: add auth later"

Common Rationalizations - Don't Accept These

Security Checklist

Before approving ANY code change:

• Injection: No string concatenation in queries/commands
• Auth: All sensitive endpoints require authentication
• AuthZ: Users can only access their own data
• Secrets: No hardcoded credentials, keys in env vars
• Input: All user input validated and sanitized
• Output: Sensitive data not leaked in responses/logs
• Dependencies: No known vulnerabilities (npm audit clean)
• Headers: Security headers configured (CSP, HSTS, etc.)

Quick Reference Commands

# Secret scanning
gitleaks detect --source .
trufflehog filesystem .

# Dependency audit
npm audit                    # Node.js
pip-audit                    # Python
govulncheck ./...           # Go
cargo audit                  # Rust

# SAST scanning
semgrep --config auto .
bandit -r src/              # Python
gosec ./...                 # Go

References

Detailed patterns and examples in references/:

• owasp-top-10.md - Top 10 vulnerabilities with code examples
• auth-patterns.md - Secure authentication implementation
• secrets-guide.md - Secret detection and management
• security-headers.md - HTTP security header configuration