owasp-security-standards
- Repo stars 0
- Author updated Live
- Author repo skills-registry
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @tomevault-io · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- Python
- Permissions
-
- Read-only
- Shell exec
- Write / modify
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: owasp-security-standards
description: Use when reviewing code for security vulnerabilities, implementing authentication/authorization…
category: security
runtime: Python
---
# owasp-security-standards output preview
## PART A: Task fit
- Use case: Use when reviewing code for security vulnerabilities, implementing authentication/authorization, handling user input, or discussing web application security. Covers OWASP Top 10:2025, ASVS 5.0, secure code patterns, and code review checklists. For language-specific quirks see language-security skill. For AI agent security see agentic-ai-security skill..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Quick Reference: OWASP Top 10:2025 / Security Code Review Checklist / Input Handling” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Use when reviewing code for security vulnerabilities, implementing authentication/authorization, handling user input, or discussing web application security. Covers OWASP Top 10:2025, ASVS 5.0, secure code patterns, and code review checklists. For language-specific quirks see language-security skill. For AI agent security see agentic-ai-security skill.”.
- **02** When the source has headings, the agent prioritizes “Quick Reference: OWASP Top 10:2025 / Security Code Review Checklist / Input Handling” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, run shell commands, write/modify files; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, run shell commands, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, run shell commands, write/modify files.
Start with a small task and check whether the result follows “Quick Reference: OWASP Top 10:2025 / Security Code Review Checklist / Input Handling”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: owasp-security-standards
description: Use when reviewing code for security vulnerabilities, implementing authentication/authorization…
category: security
source: tomevault-io/skills-registry
---
# owasp-security-standards
## When to use
- Use when reviewing code for security vulnerabilities, implementing authentication/authorization, handling user input…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Quick Reference: OWASP Top 10:2025 / Security Code Review Checklist / Input Handling” and keep inference separate from source facts.
- read files, run shell commands, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "owasp-security-standards" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Quick Reference: OWASP Top 10:2025 / Security Code Review Checklist / Input Handling
rules -> SKILL.md triggers / order / output contract
runtime -> Python | read files, run shell commands, write/modify files | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} OWASP Security Standards
Apply these security standards when writing or reviewing code.
Quick Reference: OWASP Top 10:2025
| # | Vulnerability | Key Prevention |
|---|---|---|
| A01 | Broken Access Control | Deny by default, enforce server-side, verify ownership |
| A02 | Security Misconfiguration | Harden configs, disable defaults, minimize features |
| A03 | Supply Chain Failures | Lock versions, verify integrity, audit dependencies |
| A04 | Cryptographic Failures | TLS 1.2+, AES-256-GCM, Argon2/bcrypt for passwords |
| A05 | Injection | Parameterized queries, input validation, safe APIs |
| A06 | Insecure Design | Threat model, rate limit, design security controls |
| A07 | Auth Failures | MFA, check breached passwords, secure sessions |
| A08 | Integrity Failures | Sign packages, SRI for CDN, safe serialization |
| A09 | Logging Failures | Log security events, structured format, alerting |
| A10 | Exception Handling | Fail-closed, hide internals, log with context |
Security Code Review Checklist
When reviewing code, check for these issues:
Input Handling
- All user input validated server-side
- Using parameterized queries (not string concatenation)
- Input length limits enforced
- Allowlist validation preferred over denylist
Authentication & Sessions
- Passwords hashed with Argon2/bcrypt (not MD5/SHA1)
- Session tokens have sufficient entropy (128+ bits)
- Sessions invalidated on logout
- MFA available for sensitive operations
Access Control
- Check for framework-level auth middleware (e.g., Next.js middleware.ts, proxy.ts, Express middleware) before flagging missing per-route auth
- Authorization checked on every request
- Using object references user cannot manipulate
- Deny by default policy
- Privilege escalation paths reviewed
Data Protection
- Sensitive data encrypted at rest
- TLS for all data in transit
- No sensitive data in URLs/logs
- Secrets in environment/vault (not code)
Error Handling
- No stack traces exposed to users
- Fail-closed on errors (deny, not allow)
- All exceptions logged with context
- Consistent error responses (no enumeration)
Secure Code Patterns
SQL Injection Prevention
# UNSAFE
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# SAFE
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
Command Injection Prevention
# UNSAFE
os.system(f"convert {filename} output.png")
# SAFE
subprocess.run(["convert", filename, "output.png"], shell=False)
Password Storage
# UNSAFE
hashlib.md5(password.encode()).hexdigest()
# SAFE
from argon2 import PasswordHasher
PasswordHasher().hash(password)
Access Control
# UNSAFE - No authorization check
@app.route('/api/user/<user_id>')
def get_user(user_id):
return db.get_user(user_id)
# SAFE - Authorization enforced
@app.route('/api/user/<user_id>')
@login_required
def get_user(user_id):
if current_user.id != user_id and not current_user.is_admin:
abort(403)
return db.get_user(user_id)
Error Handling
# UNSAFE - Exposes internals
@app.errorhandler(Exception)
def handle_error(e):
return str(e), 500
# SAFE - Fail-closed, log context
@app.errorhandler(Exception)
def handle_error(e):
error_id = uuid.uuid4()
logger.exception(f"Error {error_id}: {e}")
return {"error": "An error occurred", "id": str(error_id)}, 500
Fail-Closed Pattern
# UNSAFE - Fail-open
def check_permission(user, resource):
try:
return auth_service.check(user, resource)
except Exception:
return True # DANGEROUS!
# SAFE - Fail-closed
def check_permission(user, resource):
try:
return auth_service.check(user, resource)
except Exception as e:
logger.error(f"Auth check failed: {e}")
return False # Deny on error
ASVS 5.0 Key Requirements
Level 1 (All Applications)
- Passwords minimum 12 characters
- Check against breached password lists
- Rate limiting on authentication
- Session tokens 128+ bits entropy
- HTTPS everywhere
Level 2 (Sensitive Data)
- All L1 requirements plus:
- MFA for sensitive operations
- Cryptographic key management
- Comprehensive security logging
- Input validation on all parameters
Level 3 (Critical Systems)
- All L1/L2 requirements plus:
- Hardware security modules for keys
- Threat modeling documentation
- Advanced monitoring and alerting
- Penetration testing validation
Related Skills
- Language-specific security quirks: See
language-securityskill for 20+ language-specific vulnerability patterns - AI agent security: See
agentic-ai-securityskill for OWASP Agentic AI Top 10 2026 - Full OWASP report: See
OWASP-2025-2026-Report.mdin this directory for detailed descriptions of all categories
When to Apply This Skill
Use this skill when:
- Writing authentication or authorization code
- Handling user input or external data
- Implementing cryptography or password storage
- Reviewing code for security vulnerabilities
- Designing API endpoints
- Configuring application security settings
- Handling errors and exceptions
- Working with third-party dependencies
Source: AlexDevFlow/Claude10XD — distributed by TomeVault.
Decide Fit First
Design Intent
How To Use It
Boundaries And Review