code-security-review
# Code Security Review
## Overview
Performs comprehensive security code reviews to identify vulnerabilities, assess security risks, and provide actionable remediation guidance. Covers OWASP Top 10, CWE classifications, compliance requirements, and security best practices.
## Security Review Workflow
### 1. Initial Assessment
Gather context about the application:
- Application type: Web app, API, mobile, desktop, embedded
- Data sensitivity: PII, financial data, healthcare records, proprietary information
- Compliance requirements: PCI-DSS, GDPR, HIPAA, SOC 2, ISO 27001
- Authentication mechanisms: OAuth, JWT, session-based, API keys
- Technology stack: Languages, frameworks, libraries, databases
- External integrations: Third-party APIs, cloud services, payment processors
Perform threat modeling:
- Identify critical assets (data, functions, resources)
- Map attack surfaces (user inputs, APIs, file uploads, network interfaces)
- Determine threat actors (external attackers, malicious insiders, automated bots)
- Assess existing security controls
### 2. Code Analysis
Systematically review code for security vulnerabilities:
Priority Areas:
- Authentication & Authorization - Login flows, session management, access controls
- Input Validation - All user inputs, API parameters, file uploads
- Data Protection - Encryption at rest and in transit, sensitive data handling
- API Security - Rate limiting, authentication, input validation
- Dependency Security - Third-party libraries, outdated packages, known CVEs
- Configuration - Security headers, CORS, environment variables, secrets management
- Error Handling - Information disclosure, stack traces, error messages
- Business Logic - Race conditions, workflow bypasses, state manipulation
### 3. Vulnerability Classification
Classify each finding:
- Severity: Critical, High, Medium, Low, Informational
- CWE ID: Common Weakness Enumeration identifier
- OWASP Category: Map to OWASP Top 10 if applicable
- CVSS Score: Calculate if applicable (use CVSS 3.1)
- Exploitability: How easy to exploit
- Impact: Data loss, privilege escalation, DoS, data breach
### 4. Documentation
Produce comprehensive security report:
- Executive Summary - High-level findings and risk overview
- Detailed Findings - Each vulnerability with code examples and exploit scenarios
- Remediation Guidance - Specific fixes with secure code examples
- Compliance Assessment - Status against required standards
- Remediation Timeline - Prioritized action plan
- Security Metrics - Vulnerability counts by severity and category
## Severity Classification
**Critical (CVSS 9.0-10.0):**
- Remote code execution
- Authentication bypass
- SQL injection with data access
- Hardcoded credentials for production systems
- Complete access control bypass
**High (CVSS 7.0-8.9):**
- Privilege escalation
- Sensitive data exposure (PII, financial)
- Cross-site scripting (XSS) with session theft
- Insecure deserialization
- XML external entity (XXE) injection
**Medium (CVSS 4.0-6.9):**
- Information disclosure
- Cross-site request forgery (CSRF)
- Weak cryptography
- Security misconfiguration
- Missing security headers
**Low (CVSS 0.1-3.9):**
- Version disclosure
- Verbose error messages
- Missing best practices
- Security through obscurity
**Informational:**
- Recommendations for defense in depth
- Future-proofing suggestions
- Security hygiene improvements
## Report Structure
Generate security reports in this format:
### Executive Summary
- Total vulnerabilities by severity
- Critical risk areas
- Compliance status summary
- Overall security posture rating
- Recommended immediate actions
### Detailed Findings
For each vulnerability:
## [SEVERITY] Finding Title (CWE-XXX)
**Severity**: Critical/High/Medium/Low
**CWE ID**: CWE-XXX
**OWASP**: A0X:YYYY
**CVSS Score**: X.X (if applicable)
**Description**:
[Clear explanation of the vulnerability]
**Location**:
- File: path/to/file.ext
- Lines: XX-XX
- Function/Class: function_name()
**Vulnerable Code**:
```language
[Actual vulnerable code snippet]
```
**Exploit Scenario**: [Step-by-step demonstration of how an attacker could exploit this]
**Impact**: [What could happen if exploited - data breach, privilege escalation, etc.]
**Remediation**: [Specific steps to fix the vulnerability]
**Secure Code Example**:
```language
[Working secure implementation]
```
**References**:
- [Relevant CWE, CVE, or documentation links]
### Remediation Timeline
- **Phase 1 (Critical - Week 1)**: List of critical issues
- **Phase 2 (High - Weeks 2-3)**: List of high severity issues
- **Phase 3 (Medium - Month 2)**: List of medium severity issues
- **Phase 4 (Low - Month 3)**: List of low severity issues
### Compliance Assessment
For each applicable standard, document:
- Requirements checked
- Compliance status (Compliant/Non-Compliant/Partially Compliant)
- Specific gaps identified
- Remediation needed for compliance
## Detailed References
For comprehensive vulnerability patterns, testing procedures, and compliance details:
- **OWASP Top 10 & CWE Patterns**: See [security-review-workflow.md](references/security-review-workflow.md) for:
  - Detailed vulnerability patterns for each OWASP Top 10 category
  - Code examples of vulnerable and secure implementations
  - Testing procedures and detection methods
  - Complete CWE mappings and classifications
- **Security Testing Procedures**: See [security-testing-checklist.md](references/security-testing-checklist.md) for:
  - Comprehensive testing checklist by category
  - Manual and automated testing techniques
  - Security testing tools and configurations
  - API security testing procedures
- **Compliance Requirements**: See [compliance-requirements.md](references/compliance-requirements.md) for:
  - PCI-DSS requirements and validation
  - GDPR data protection requirements
  - HIPAA security and privacy rules
  - SOC 2 security controls
- **Report Examples**: See [report-example.md](references/report-example.md) for:
  - Complete security report template
  - Example findings with remediation guidance
  - Executive summary examples
  - Remediation timeline structures
## Best Practices
**Be Thorough:**
- Review ALL user input points
- Check ALL database queries
- Verify ALL authentication and authorization checks
- Test ALL file operations and uploads
- Examine ALL external integrations
**Be Practical:**
- Prioritize by risk (likelihood × impact)
- Consider exploitability and business context
- Account for compensating controls
- Balance security with usability
**Be Clear:**
- Provide step-by-step exploit scenarios
- Show exact vulnerable code locations
- Give specific, actionable remediation steps
- Include working secure code examples
**Be Professional:**
- Focus on code issues, not developers
- Use industry-standard classifications (CWE, OWASP, CVSS)
- Provide credible references (NIST, OWASP, vendor documentation)
- Document assumptions and testing limitations