software-security-appsec
Modern application security patterns including OWASP Top 10:2025, zero trust architecture, supply chain security, authentication, authorization, input validation, and cryptography for 2024-2025
$ Install
git clone https://github.com/vasilyu1983/AI-Agents-public /tmp/AI-Agents-public && cp -r /tmp/AI-Agents-public/frameworks/claude-code-kit/framework/skills/software-security-appsec ~/.claude/skills/AI-Agents-public/
Tip: Run this command in your terminal to install the skill
SKILL.md
name: software-security-appsec
description: Modern application security patterns including OWASP Top 10:2025, zero trust architecture, supply chain security, authentication, authorization, input validation, and cryptography for 2024-2025
Software Security & AppSec - Quick Reference
Production-grade security patterns for building secure applications in 2024-2025. Covers OWASP Top 10:2025 (including the new Supply Chain Failures category), zero trust architecture, modern authentication, and defensive coding.
When to Use This Skill
Activate this skill when:
- Implementing authentication or authorization systems
- Handling user input that could lead to injection attacks (SQL, XSS, command injection)
- Designing secure APIs or web applications
- Working with cryptographic operations or sensitive data storage
- Conducting security reviews, threat modeling, or vulnerability assessments
- Responding to security incidents or compliance audit requirements
- Building systems that must comply with OWASP, NIST, PCI DSS, GDPR, HIPAA, or SOC 2
- Integrating third-party dependencies (supply chain security review)
- Implementing zero trust architecture or modern cloud-native security patterns
Quick Reference Table
| Security Task | Tool/Pattern | Implementation | When to Use |
|---|---|---|---|
| Password Storage | bcrypt/Argon2 | bcrypt.hash(password, 12) | Always hash passwords (never store plaintext) |
| Input Validation | Allowlist regex | /^[a-zA-Z0-9_]{3,20}$/ | All user input (SQL, XSS, command injection prevention) |
| SQL Queries | Parameterized queries | db.execute(query, [userId]) | All database operations (prevent SQL injection) |
| API Authentication | JWT + OAuth2 | jwt.sign(payload, secret, options) | Stateless auth with short-lived tokens (15-30 min) |
| Data Encryption | AES-256-GCM | crypto.createCipheriv('aes-256-gcm', key, iv) | Sensitive data at rest (PII, financial, health) |
| HTTPS/TLS | TLS 1.3 | Force HTTPS redirects | All production traffic (data in transit) |
| Access Control | RBAC/ABAC | requireRole('admin', 'moderator') | Resource authorization (APIs, admin panels) |
| Rate Limiting | express-rate-limit | limiter({ windowMs: 15 * 60 * 1000, max: 100 }) | Public APIs, auth endpoints (DoS prevention) |
Decision Tree: Security Implementation
Security requirement: [Feature Type]
├─ User Authentication?
│   ├─ Session-based? → Cookie sessions + CSRF tokens
│   ├─ Token-based? → JWT with refresh tokens (resources/authentication-authorization.md)
│   └─ Third-party? → OAuth2/OIDC integration
│
├─ User Input?
│   ├─ Database query? → Parameterized queries (NEVER string concatenation)
│   ├─ HTML output? → DOMPurify sanitization + CSP headers
│   ├─ File upload? → Content validation, size limits, virus scanning
│   └─ API parameters? → Allowlist validation (resources/input-validation.md)
│
├─ Sensitive Data?
│   ├─ Passwords? → bcrypt/Argon2 (cost factor 12+)
│   ├─ PII/financial? → AES-256-GCM encryption + key rotation
│   ├─ API keys/tokens? → Environment variables + secrets manager
│   └─ In transit? → TLS 1.3 only
│
├─ Access Control?
│   ├─ Simple roles? → RBAC (templates/web-application/template-authorization.md)
│   ├─ Complex rules? → ABAC with policy engine
│   └─ Relationship-based? → ReBAC (owner, collaborator, viewer)
│
└─ API Security?
    ├─ Public API? → Rate limiting + API keys
    ├─ CORS needed? → Strict origin allowlist (never *)
    └─ Headers? → Helmet.js (CSP, HSTS, X-Frame-Options)
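An added example (not code from the skill or its repository) that expands the table's crypto.createCipheriv('aes-256-gcm') entry and the tree's "AES-256-GCM encryption + key rotation" branch into a Node.js field-encryption envelope. The keyring, the key ids k1/k2, the keyId.iv.tag.ciphertext layout and the function names are assumptions made for illustration.

```javascript
// Added example: AES-256-GCM envelope that names its key so keys can be rotated.
const crypto = require('node:crypto');

// Constructed demo keyring; in production the keys come from a secrets manager.
const keyring = new Map([
  ['k1', crypto.randomBytes(32)], // retired key, kept only to decrypt old data
  ['k2', crypto.randomBytes(32)], // current key
]);
const CURRENT_KEY_ID = 'k2';

// Returns "keyId.iv.tag.ciphertext" (base64url fields). `context` is bound as
// additional authenticated data (AAD), e.g. the record the value belongs to.
function encryptField(plaintext, context, keyId = CURRENT_KEY_ID) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', keyring.get(keyId), iv);
  cipher.setAAD(Buffer.from(`${keyId}|${context}`, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return [keyId, ...[iv, tag, ct].map((b) => b.toString('base64url'))].join('.');
}

function decryptField(envelope, context) {
  const [keyId, ivB64, tagB64, ctB64] = envelope.split('.');
  const key = keyring.get(keyId);
  if (!key || !ivB64 || !tagB64 || ctB64 === undefined) {
    throw new Error('malformed envelope or unknown key id');
  }
  const iv = Buffer.from(ivB64, 'base64url');
  const tag = Buffer.from(tagB64, 'base64url');
  // Reject truncated tags explicitly instead of relying on library defaults.
  if (iv.length !== 12 || tag.length !== 16) throw new Error('bad iv or tag length');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(`${keyId}|${context}`, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag, key id or context was altered.
  const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64url')), decipher.final()]);
  return pt.toString('utf8');
}

// Rotation: decrypt with the key the envelope names, re-encrypt with the current key.
function rotateField(envelope, context) {
  return encryptField(decryptField(envelope, context), context);
}
```

Binding the context as AAD means a ciphertext copied from one record to another fails authentication even though the key is the same.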
.NET/EF Core Crypto Integration Security
For C#/.NET crypto/fintech services using Entity Framework Core, see:
- resources/dotnet-efcore-crypto-security.md - Security rules and C# patterns
Key rules summary:
- No secrets in code - use configuration/environment variables
- No sensitive data in logs (tokens, keys, PII)
- Use decimal for financial values, never double/float
- EF Core or parameterized queries only - no dynamic SQL
- Generic error messages to users, detailed logging server-side
Navigation
Core Resources (Updated 2024-2025)
2025 Updates & Modern Architecture
- resources/supply-chain-security.md - NEW: OWASP A03:2025, npm Shai-Hulud attack response, SLSA, Sigstore, trusted publishing
- resources/zero-trust-architecture.md - NEW: NIST SP 800-207, CISA maturity model, mTLS, SPIFFE/SPIRE, policy-based access
- resources/owasp-top-10.md - OWASP Top 10:2025 threats and mitigations with new categories
- resources/advanced-xss-techniques.md - 2024-2025 XSS: mutation XSS, polyglots, SVG attacks, context-aware encoding
Foundation Security Patterns
- resources/secure-design-principles.md - Defense in depth, least privilege, secure defaults
- resources/authentication-authorization.md - AuthN/AuthZ flows, OAuth 2.1, JWT best practices, RBAC/ABAC
- resources/input-validation.md - Allowlist validation, SQL injection, XSS, CSRF prevention, file upload security
- resources/cryptography-standards.md - AES-256-GCM, Argon2, TLS 1.3, key management
- resources/common-vulnerabilities.md - Path traversal, command injection, deserialization, SSRF
External References
- data/sources.json - 70+ curated security resources (OWASP 2025, supply chain, zero trust, API security, compliance)
Templates by Domain
Web Application Security
- templates/web-application/template-authentication.md - Secure authentication flows (JWT, OAuth2, sessions, MFA)
- templates/web-application/template-authorization.md - RBAC/ABAC/ReBAC policy patterns
API Security
- templates/api/template-secure-api.md - Secure API gateway, rate limiting, CORS, security headers
Cloud-Native Security
- templates/cloud-native/crypto-security.md - Cryptography usage, key management, HSM integration
Blockchain & Web3 Security
- resources/smart-contract-security-auditing.md - NEW: Smart contract auditing, vulnerability patterns, formal verification, Solidity security
Related Skills
Security Ecosystem
- ../software-backend/SKILL.md - API implementation patterns and error handling
- ../software-architecture-design/SKILL.md - Secure system decomposition and dependency design
- ../ops-devops-platform/SKILL.md - DevSecOps pipelines, secrets management, infrastructure hardening
- ../software-crypto-web3/SKILL.md - Smart contract security, blockchain vulnerabilities, DeFi patterns
- ../qa-testing-strategy/SKILL.md - Security testing, SAST/DAST integration, penetration testing
AI/LLM Security
- ../ai-llm/SKILL.md - LLM security patterns including prompt injection prevention
- ../ai-mlops/SKILL.md - ML model security, adversarial attacks, privacy-preserving ML
Quality & Resilience
- ../qa-resilience/SKILL.md - Resilience, safeguards, failure handling, chaos engineering
- ../qa-refactoring/SKILL.md - Security-focused refactoring patterns
Operational Playbooks
- resources/operational-playbook.md - Core security principles, OWASP summaries, authentication patterns, and detailed code examples
Repository
vasilyu1983/AI-Agents-public/frameworks/claude-code-kit/framework/skills/software-security-appsec
Author: vasilyu1983