name: software-security-appsec description: Modern application security patterns including OWASP Top 10:2025, zero trust architecture, supply chain security, authentication, authorization, input validation, and cryptography for 2024-2025

Software Security & AppSec — Quick Reference

Production-grade security patterns for building secure applications in 2024-2025. Covers OWASP Top 10:2025 (including new Supply Chain Failures category), zero trust architecture, modern authentication, and defensive coding.

When to Use This Skill

Activate this skill when:

Implementing authentication or authorization systems
Handling user input that could lead to injection attacks (SQL, XSS, command injection)
Designing secure APIs or web applications
Working with cryptographic operations or sensitive data storage
Conducting security reviews, threat modeling, or vulnerability assessments
Responding to security incidents or compliance audit requirements
Building systems that must comply with OWASP, NIST, PCI DSS, GDPR, HIPAA, or SOC 2
Integrating third-party dependencies (supply chain security review)
Implementing zero trust architecture or modern cloud-native security patterns

Quick Reference Table

Security Task	Tool/Pattern	Implementation	When to Use
Password Storage	bcrypt/Argon2	`bcrypt.hash(password, 12)`	Always hash passwords (never store plaintext)
Input Validation	Allowlist regex	`/^[a-zA-Z0-9_]{3,20}$/`	All user input (SQL, XSS, command injection prevention)
SQL Queries	Parameterized queries	`db.execute(query, [userId])`	All database operations (prevent SQL injection)
API Authentication	JWT + OAuth2	`jwt.sign(payload, secret, options)`	Stateless auth with short-lived tokens (15-30 min)
Data Encryption	AES-256-GCM	`crypto.createCipheriv('aes-256-gcm')`	Sensitive data at rest (PII, financial, health)
HTTPS/TLS	TLS 1.3	Force HTTPS redirects	All production traffic (data in transit)
Access Control	RBAC/ABAC	`requireRole('admin', 'moderator')`	Resource authorization (APIs, admin panels)
Rate Limiting	express-rate-limit	`limiter({ windowMs: 15min, max: 100 })`	Public APIs, auth endpoints (DoS prevention)

Decision Tree: Security Implementation

Security requirement: [Feature Type]
    ├─ User Authentication?
    │   ├─ Session-based? → Cookie sessions + CSRF tokens
    │   ├─ Token-based? → JWT with refresh tokens (resources/authentication-authorization.md)
    │   └─ Third-party? → OAuth2/OIDC integration
    │
    ├─ User Input?
    │   ├─ Database query? → Parameterized queries (NEVER string concatenation)
    │   ├─ HTML output? → DOMPurify sanitization + CSP headers
    │   ├─ File upload? → Content validation, size limits, virus scanning
    │   └─ API parameters? → Allowlist validation (resources/input-validation.md)
    │
    ├─ Sensitive Data?
    │   ├─ Passwords? → bcrypt/Argon2 (cost factor 12+)
    │   ├─ PII/financial? → AES-256-GCM encryption + key rotation
    │   ├─ API keys/tokens? → Environment variables + secrets manager
    │   └─ In transit? → TLS 1.3 only
    │
    ├─ Access Control?
    │   ├─ Simple roles? → RBAC (templates/web-application/template-authorization.md)
    │   ├─ Complex rules? → ABAC with policy engine
    │   └─ Relationship-based? → ReBAC (owner, collaborator, viewer)
    │
    └─ API Security?
        ├─ Public API? → Rate limiting + API keys
        ├─ CORS needed? → Strict origin allowlist (never *)
        └─ Headers? → Helmet.js (CSP, HSTS, X-Frame-Options)

.NET/EF Core Crypto Integration Security

For C#/.NET crypto/fintech services using Entity Framework Core, see:

resources/dotnet-efcore-crypto-security.md — Security rules and C# patterns

Key rules summary:

No secrets in code — use configuration/environment variables
No sensitive data in logs (tokens, keys, PII)
Use decimal for financial values, never double/float
EF Core or parameterized queries only — no dynamic SQL
Generic error messages to users, detailed logging server-side

Navigation

Core Resources (Updated 2024-2025)

2025 Updates & Modern Architecture

resources/supply-chain-security.md — NEW: OWASP A03:2025, npm Shai-Hulud attack response, SLSA, Sigstore, trusted publishing
resources/zero-trust-architecture.md — NEW: NIST SP 800-207, CISA maturity model, mTLS, SPIFFE/SPIRE, policy-based access
resources/owasp-top-10.md — OWASP Top 10:2025 threats and mitigations with new categories
resources/advanced-xss-techniques.md — 2024-2025 XSS: mutation XSS, polyglots, SVG attacks, context-aware encoding

Foundation Security Patterns

resources/secure-design-principles.md — Defense in depth, least privilege, secure defaults
resources/authentication-authorization.md — AuthN/AuthZ flows, OAuth 2.1, JWT best practices, RBAC/ABAC
resources/input-validation.md — Allowlist validation, SQL injection, XSS, CSRF prevention, file upload security
resources/cryptography-standards.md — AES-256-GCM, Argon2, TLS 1.3, key management
resources/common-vulnerabilities.md — Path traversal, command injection, deserialization, SSRF

External References

data/sources.json — 70+ curated security resources (OWASP 2025, supply chain, zero trust, API security, compliance)

Templates by Domain

Web Application Security

templates/web-application/template-authentication.md — Secure authentication flows (JWT, OAuth2, sessions, MFA)
templates/web-application/template-authorization.md — RBAC/ABAC/ReBAC policy patterns

API Security

templates/api/template-secure-api.md — Secure API gateway, rate limiting, CORS, security headers

Cloud-Native Security

templates/cloud-native/crypto-security.md — Cryptography usage, key management, HSM integration

Blockchain & Web3 Security

resources/smart-contract-security-auditing.md — NEW: Smart contract auditing, vulnerability patterns, formal verification, Solidity security

Related Skills

Security Ecosystem

../software-backend/SKILL.md — API implementation patterns and error handling
../software-architecture-design/SKILL.md — Secure system decomposition and dependency design
../ops-devops-platform/SKILL.md — DevSecOps pipelines, secrets management, infrastructure hardening
../software-crypto-web3/SKILL.md — Smart contract security, blockchain vulnerabilities, DeFi patterns
../qa-testing-strategy/SKILL.md — Security testing, SAST/DAST integration, penetration testing

AI/LLM Security

../ai-llm/SKILL.md — LLM security patterns including prompt injection prevention
../ai-mlops/SKILL.md — ML model security, adversarial attacks, privacy-preserving ML

Quality & Resilience

../qa-resilience/SKILL.md — Resilience, safeguards, failure handling, chaos engineering
../qa-refactoring/SKILL.md — Security-focused refactoring patterns

Operational Playbooks

resources/operational-playbook.md — Core security principles, OWASP summaries, authentication patterns, and detailed code examples

software-security-appsec

$ Installer

name: software-security-appsec description: Modern application security patterns including OWASP Top 10:2025, zero trust architecture, supply chain security, authentication, authorization, input validation, and cryptography for 2024-2025

Software Security & AppSec — Quick Reference

When to Use This Skill

Quick Reference Table

Decision Tree: Security Implementation

.NET/EF Core Crypto Integration Security

Navigation

Core Resources (Updated 2024-2025)

2025 Updates & Modern Architecture

Foundation Security Patterns

External References

Templates by Domain

Web Application Security

API Security

Cloud-Native Security

Blockchain & Web3 Security

Related Skills

Security Ecosystem

AI/LLM Security

Quality & Resilience

Operational Playbooks

Repository

Actions

Related Skills