bytelyst/learning_ai_common_plat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13e53d46bf
learning_ai_common_plat/AI.dev/SKILLS/security-auditing.md
saravanakumardb1 c3b869ceb9 feat: create AI.dev/SKILLS repository with reusable development skills 
- Add 15 comprehensive skills extracted from Windsurf workflows
- Cover debugging, testing, releases, deployment, security, and documentation
- Each skill includes step-by-step instructions and copy-pasteable commands
- Skills organized by category with cross-references and difficulty levels
2026-02-12 17:13:16 -08:00

9.4 KiB
Raw Blame History

Security Auditing Skill

Description: Security best practices and audit procedures for full-stack applications.

When to Use

  • Before production deployments
  • After adding new features
  • Regular security reviews
  • Compliance requirements

Security Checklist

🔐 Authentication & Authorization

  • JWT secrets are strong (32+ chars) and rotated regularly
  • Tokens have appropriate expiration (≤24h for access tokens)
  • Password hashing uses bcrypt/argon2 with proper salt rounds
  • Role-based access control (RBAC) is implemented
  • Admin endpoints require admin role verification
  • API endpoints validate permissions on every request

🔒 Data Protection

  • All sensitive data is encrypted at rest (Cosmos DB)
  • HTTPS enforced in production
  • Environment variables contain secrets, never committed
  • PII data is identified and protected
  • Database queries use parameterized inputs
  • Input validation on all endpoints

🛡️ API Security

  • CORS properly configured
  • Rate limiting implemented on public endpoints
  • Request size limits set
  • SQL/NoSQL injection protection
  • XSS protection headers enabled
  • CSRF protection for state-changing operations

📦 Dependencies

  • No known vulnerabilities in dependencies
  • Dependencies regularly updated
  • License compliance checked
  • Supply chain security (SLSA) considered

Security Auditing Commands

Python Security Audit

# Check for known vulnerabilities
pip-audit

# Bandit static analysis for security issues
bandit -r src/ -f json -o bandit-report.json

# Safety check for dependencies
safety check --json --output safety-report.json

# Semgrep for custom security rules
semgrep --config=auto src/

TypeScript/Node.js Security Audit

# Audit npm dependencies
npm audit --audit-level moderate

# Fix vulnerabilities
npm audit fix

# Snyk for advanced scanning
npx snyk test --json > snyk-report.json

# eslint-plugin-security for code issues
npm run lint -- --config .eslintrc.security.js

Infrastructure Security

# Check exposed ports
nmap -sS -O localhost

# SSL/TLS configuration test
nmap --script ssl-enum-ciphers -p 443 yourdomain.com

# Docker security scan
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy image your-app:latest

# Terraform security check (if using IaC)
tfsec .

Common Security Issues and Fixes

1. Hardcoded Secrets

Bad:

const apiKey = 'sk-1234567890abcdef';

Good:

const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error('API_KEY required');

2. SQL/NoSQL Injection

Bad:

const query = `SELECT * FROM users WHERE email = '${email}'`;

Good:

const query = 'SELECT * FROM users WHERE email = ?';
const result = await db.query(query, [email]);

3. XSS Prevention

Bad:

div.innerHTML = userContent;

Good:

div.textContent = userContent;
// or use a sanitization library
div.innerHTML = DOMPurify.sanitize(userContent);

4. Insecure Direct Object Reference

Bad:

app.get('/api/users/:id', async (req, res) => {
  const user = await getUserById(req.params.id);
  res.json(user);
});

Good:

app.get('/api/users/:id', async (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await getUserById(req.params.id);
  res.json(user);
});

Security Headers

Implement in Fastify

import fastifyHelmet from '@fastify/helmet';

await server.register(fastifyHelmet, {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      scriptSrc: ["'self'"],
      imgSrc: ["'self'", 'data:', 'https:'],
    },
  },
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true,
  },
});

Implement in Next.js

// next.config.js
const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on',
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload',
  },
  {
    key: 'X-XSS-Protection',
    value: '1; mode=block',
  },
  {
    key: 'X-Frame-Options',
    value: 'DENY',
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff',
  },
];

module.exports = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: securityHeaders,
      },
    ];
  },
};

Rate Limiting

Fastify Implementation

import rateLimit from '@fastify/rate-limit';

await server.register(rateLimit, {
  max: 100, // 100 requests
  timeWindow: '1 minute', // per minute
  errorResponseBuilder: (request, context) => ({
    code: 'RATE_LIMIT_EXCEEDED',
    error: 'Too many requests',
    retryAfter: context.ttl,
  }),
});

// Stricter limits for auth endpoints
await server.register(rateLimit, {
  max: 5,
  timeWindow: '15 minutes',
  hook: 'preHandler',
  routes: ['/api/auth/login', '/api/auth/register'],
});

Environment Security

.env File Template

# .env.example (committed)
COSMOS_ENDPOINT=
COSMOS_KEY=
JWT_SECRET=
AZURE_SPEECH_KEY=
AZURE_OPENAI_KEY=

# .env.local (gitignored)
COSMOS_ENDPOINT=https://your-cosmos.documents.azure.com:443/
COSMOS_KEY=your-actual-key-here
JWT_SECRET=your-super-secret-jwt-key-32-chars
AZURE_SPEECH_KEY=your-speech-key
AZURE_OPENAI_KEY=your-openai-key

Git Hooks for Security

#!/bin/sh
# .husky/pre-commit
# Prevent committing secrets

# Check for potential secrets
if git diff --cached --name-only | xargs grep -l "password\|secret\|key" 2>/dev/null; then
  echo "⚠️  Warning: Possible secrets detected in staged files"
  echo "Please review and ensure no actual secrets are committed"
  exit 1
fi

# Check for .env files
if git diff --cached --name-only | grep -E "\.env$"; then
  echo "❌ Error: .env files should not be committed"
  exit 1
fi

OWASP Top 10 Mitigations

1. Broken Access Control

  • Implement proper authorization checks
  • Use RBAC with least privilege
  • Validate permissions on every request

2. Cryptographic Failures

  • Use strong encryption algorithms
  • Proper key management
  • Hash passwords with bcrypt/argon2

3. Injection

  • Use parameterized queries
  • Validate and sanitize inputs
  • Use ORMs with built-in protection

4. Insecure Design

  • Implement security by design
  • Use threat modeling
  • Secure default configurations

5. Security Misconfiguration

  • Remove default credentials
  • Disable unused features
  • Keep software updated

6. Vulnerable Components

  • Regular dependency updates
  • Vulnerability scanning
  • Use trusted sources

7. Authentication Failures

  • Multi-factor authentication
  • Strong password policies
  • Account lockout mechanisms

8. Data Integrity Failures

  • Digital signatures
  • Checksums
  • Immutable audit logs

9. Security Logging Failures

  • Comprehensive logging
  • Monitor for suspicious activity
  • Protect log integrity

10. Server-Side Request Forgery (SSRF)

  • Validate URLs
  • Allowlist destinations
  • Network segmentation

Security Testing

Automated Security Tests

// tests/security/auth.test.ts
describe('Security', () => {
  it('should reject requests without token', async () => {
    const response = await app.inject({
      method: 'GET',
      url: '/api/protected',
    });

    expect(response.statusCode).toBe(401);
  });

  it('should reject invalid tokens', async () => {
    const response = await app.inject({
      method: 'GET',
      url: '/api/protected',
      headers: {
        authorization: 'Bearer invalid.token.here',
      },
    });

    expect(response.statusCode).toBe(401);
  });

  it('should prevent SQL injection', async () => {
    const maliciousInput = "'; DROP TABLE users; --";
    const response = await app.inject({
      method: 'POST',
      url: '/api/search',
      payload: { query: maliciousInput },
    });

    expect(response.statusCode).toBe(400);
  });
});

Penetration Testing Checklist

  • Authentication bypass attempts
  • Authorization testing
  • Input validation fuzzing
  • Session management testing
  • Error disclosure analysis
  • Business logic flaws

Incident Response

Security Incident Plan

  1. Detection

    • Monitor security tools
    • Review logs regularly
    • Set up alerts

  2. Assessment

    • Determine scope
    • Classify severity
    • Document findings

  3. Containment

    • Isolate affected systems
    • Change credentials
    • Block malicious IPs

  4. Eradication

    • Remove malware
    • Patch vulnerabilities
    • Clean data

  5. Recovery

    • Restore from backup
    • Monitor for recurrence
    • Update defenses

  6. Post-mortem

    • Document lessons learned
    • Update processes
    • Train team

Notes

  • Security is ongoing - Not a one-time task
  • Defense in depth - Multiple layers of security
  • Principle of least privilege - Minimum access necessary
  • Regular audits - Schedule and perform regularly
  • Stay informed - Keep up with security news

Related Skills