ReddRadar
Agent skill
arch-security-review
Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/arch-security-review
SKILL.md
Security Review Workflow
When to Use This Skill
- Security audit of code changes
- Implementing authentication/authorization
- Data protection review
- Vulnerability assessment
Pre-Flight Checklist
- Identify security-sensitive areas
- Review OWASP Top 10 relevance
- Check for existing security patterns
- Plan remediation approach
OWASP Top 10 Checklist
1. Broken Access Control
csharp
// :x: VULNERABLE - No authorization check
[HttpGet("{id}")]
public async Task<Employee> Get(string id)
=> await repo.GetByIdAsync(id);
// :white_check_mark: SECURE - Authorization enforced
[HttpGet("{id}")]
[PlatformAuthorize(Roles.Manager, Roles.Admin)]
public async Task<Employee> Get(string id)
{
var employee = await repo.GetByIdAsync(id);
// Verify access to this specific resource
if (employee.CompanyId != RequestContext.CurrentCompanyId())
throw new UnauthorizedAccessException();
return employee;
}
2. Cryptographic Failures
csharp
// :x: VULNERABLE - Storing plain text secrets
var apiKey = config["ApiKey"];
await SaveToDatabase(apiKey);
// :white_check_mark: SECURE - Encrypt sensitive data
var encryptedKey = encryptionService.Encrypt(apiKey);
await SaveToDatabase(encryptedKey);
// Use secure configuration
var apiKey = config.GetValue<string>("ApiKey"); // From Azure Key Vault
3. Injection
csharp
// :x: VULNERABLE - SQL Injection
var sql = $"SELECT * FROM Users WHERE Name = '{name}'";
await context.Database.ExecuteSqlRawAsync(sql);
// :white_check_mark: SECURE - Parameterized query
await context.Users.Where(u => u.Name == name).ToListAsync();
// Or if raw SQL needed:
await context.Database.ExecuteSqlRawAsync(
"SELECT * FROM Users WHERE Name = @p0", name);
4. Insecure Design
csharp
// :x: VULNERABLE - No rate limiting
[HttpPost("login")]
public async Task<IActionResult> Login(LoginRequest request)
=> await authService.Login(request);
// :white_check_mark: SECURE - Rate limiting applied
[HttpPost("login")]
[RateLimit(MaxRequests = 5, WindowSeconds = 60)]
public async Task<IActionResult> Login(LoginRequest request)
=> await authService.Login(request);
5. Security Misconfiguration
csharp
// :x: VULNERABLE - Detailed errors in production
app.UseDeveloperExceptionPage(); // Exposes stack traces
// :white_check_mark: SECURE - Generic errors in production
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
else
app.UseExceptionHandler("/Error");
6. Vulnerable Components
bash
# Check for vulnerable packages
dotnet list package --vulnerable
# Update vulnerable packages
dotnet outdated
7. Authentication Failures
csharp
// :x: VULNERABLE - Weak password policy
if (password.Length >= 4) { }
// :white_check_mark: SECURE - Strong password policy
public class PasswordPolicy
{
public bool Validate(string password)
{
return password.Length >= 12
&& password.Any(char.IsUpper)
&& password.Any(char.IsLower)
&& password.Any(char.IsDigit)
&& password.Any(c => !char.IsLetterOrDigit(c));
}
}
8. Data Integrity Failures
csharp
// :x: VULNERABLE - No validation of external data
var userData = await externalApi.GetUserAsync(id);
await SaveToDatabase(userData);
// :white_check_mark: SECURE - Validate external data
var userData = await externalApi.GetUserAsync(id);
var validation = userData.Validate();
if (!validation.IsValid)
throw new ValidationException(validation.Errors);
await SaveToDatabase(userData);
9. Logging Failures
csharp
// :x: VULNERABLE - Logging sensitive data
Logger.LogInformation("User login: {Email} {Password}", email, password);
// :white_check_mark: SECURE - Redact sensitive data
Logger.LogInformation("User login: {Email}", email);
// Never log passwords, tokens, or PII
10. SSRF (Server-Side Request Forgery)
csharp
// :x: VULNERABLE - User-controlled URL
var url = request.WebhookUrl;
await httpClient.GetAsync(url); // Could access internal services
// :white_check_mark: SECURE - Validate and restrict URLs
if (!IsAllowedUrl(request.WebhookUrl))
throw new SecurityException("Invalid webhook URL");
private bool IsAllowedUrl(string url)
{
var uri = new Uri(url);
return AllowedDomains.Contains(uri.Host)
&& uri.Scheme == "https";
}
Authorization Patterns
Controller Level
csharp
[ApiController]
[Route("api/[controller]")]
[PlatformAuthorize] // Require authentication
public class EmployeeController : PlatformBaseController
{
[HttpPost]
[PlatformAuthorize(Roles.Admin, Roles.Manager)] // Role-based
public async Task<IActionResult> Create(...)
}
Handler Level
csharp
protected override async Task<PlatformValidationResult<T>> ValidateRequestAsync(
PlatformValidationResult<T> validation, CancellationToken ct)
{
return await validation
// Check role
.And(_ => RequestContext.HasRole(Roles.Admin), "Admin role required")
// Check company access
.And(_ => entity.CompanyId == RequestContext.CurrentCompanyId(),
"Access denied: different company")
// Check ownership
.And(_ => entity.OwnerId == RequestContext.UserId() ||
RequestContext.HasRole(Roles.Admin),
"Access denied: not owner");
}
Query Level
csharp
// Always filter by company/user context
var employees = await repo.GetAllAsync(
e => e.CompanyId == RequestContext.CurrentCompanyId()
&& (e.IsPublic || e.OwnerId == RequestContext.UserId()));
Data Protection
Sensitive Data Handling
csharp
public class SensitiveDataHandler
{
// Encrypt at rest
public string EncryptForStorage(string plainText)
=> encryptionService.Encrypt(plainText);
// Mask for display
public string MaskEmail(string email)
{
var parts = email.Split('@');
return $"{parts[0][0]}***@{parts[1]}";
}
// Never log sensitive data
public void LogUserAction(User user)
{
Logger.LogInformation("User action: {UserId}", user.Id);
// NOT: Logger.Log("User: {Email} {Phone}", user.Email, user.Phone);
}
}
File Upload Security
csharp
public async Task<IActionResult> Upload(IFormFile file)
{
// Validate file type
var allowedTypes = new[] { ".pdf", ".docx", ".xlsx" };
var extension = Path.GetExtension(file.FileName).ToLowerInvariant();
if (!allowedTypes.Contains(extension))
return BadRequest("Invalid file type");
// Validate file size
if (file.Length > 10 * 1024 * 1024) // 10MB
return BadRequest("File too large");
// Scan for malware (if available)
if (!await antivirusService.ScanAsync(file))
return BadRequest("File rejected by security scan");
// Generate safe filename
var safeFileName = $"{Guid.NewGuid()}{extension}";
// Save to isolated storage
await fileService.SaveAsync(file, safeFileName);
return Ok();
}
Security Scanning Commands
bash
# .NET vulnerability scan
dotnet list package --vulnerable
# Outdated packages
dotnet outdated
# Secret scanning
grep -r "password\|secret\|apikey" --include="*.cs" --include="*.json"
# Hardcoded credentials
grep -r "Password=\"" --include="*.cs"
grep -r "connectionString.*password" --include="*.json"
Security Review Checklist
Authentication
- Strong password policy enforced
- Account lockout after failed attempts
- Secure session management
- JWT tokens properly validated
- Refresh token rotation
Authorization
- All endpoints require authentication
- Role-based access control implemented
- Resource-level permissions checked
- No privilege escalation possible
Input Validation
- All inputs validated
- SQL injection prevented (parameterized queries)
- XSS prevented (output encoding)
- File uploads validated
- URL validation for redirects
Data Protection
- Sensitive data encrypted at rest
- HTTPS enforced
- No sensitive data in logs
- Proper error handling (no stack traces)
Dependencies
- No known vulnerable packages
- Dependencies regularly updated
- Third-party code reviewed
Anti-Patterns to AVOID
:x: Trusting client input
csharp
var isAdmin = request.IsAdmin; // User-supplied!
:x: Exposing internal errors
csharp
catch (Exception ex) { return BadRequest(ex.ToString()); }
:x: Hardcoded secrets
csharp
var apiKey = "sk_live_xxxxx";
:x: Insufficient logging
csharp
// No audit trail for sensitive operations
await DeleteAllUsers();
Verification Checklist
- OWASP Top 10 reviewed
- Authentication/authorization verified
- Input validation complete
- Sensitive data protected
- No hardcoded secrets
- Logging appropriate (no PII)
- Dependencies scanned
See Also
See /security command for structured security review workflow.
IMPORTANT Task Planning Notes
- Always plan and break many small todo tasks
- Always add a final review todo task to review the works done at the end to find any fix or enhancement needed
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
163
31
Explore
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
163
31
Explore
majiayu000/claude-skill-registry
agent-ops-spec
Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.
163
31
Explore
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
163
31
Explore
majiayu000/claude-skill-registry
agent-ops-testing
Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.
163
31
Explore
majiayu000/claude-skill-registry
agent-ops-state
Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.
163
31
Explore
Didn't find tool you were looking for?