
owasp-security

Use when reviewing code for security vulnerabilities, implementing authentication/authorization, handling user input, or discussing web application security. Covers OWASP Top 10:2025, ASVS 5.0, and Agentic AI security (2026).
Bbk-man/claude-code-owasp · ★ 0 · Code & Development · score 72
Install: claude install-skill Bbk-man/claude-code-owasp
# OWASP Security Best Practices Skill

Apply these security standards when writing or reviewing code.

## Quick Reference: OWASP Top 10:2025

| # | Vulnerability | Key Prevention |
|---|---------------|----------------|
| A01 | Broken Access Control | Deny by default, enforce server-side, verify ownership |
| A02 | Security Misconfiguration | Harden configs, disable defaults, minimize features |
| A03 | Supply Chain Failures | Lock versions, verify integrity, audit dependencies |
| A04 | Cryptographic Failures | TLS 1.2+, AES-256-GCM, Argon2/bcrypt for passwords |
| A05 | Injection | Parameterized queries, input validation, safe APIs |
| A06 | Insecure Design | Threat model, rate limit, design security controls |
| A07 | Auth Failures | MFA, check breached passwords, secure sessions |
| A08 | Integrity Failures | Sign packages, SRI for CDN, safe serialization |
| A09 | Logging Failures | Log security events, structured format, alerting |
| A10 | Exception Handling | Fail-closed, hide internals, log with context |

## Security Code Review Checklist

When reviewing code, check for these issues:

### Input Handling

- [ ] All user input validated server-side
- [ ] Using parameterized queries (not string concatenation)
- [ ] Input length limits enforced
- [ ] Allowlist validation preferred over denylist

### Authentication & Sessions

- [ ] Passwords hashed with Argon2/bcrypt (not MD5/SHA1)
- [ ] Session tokens have sufficient entropy (128+ bits)
- [ ] Sessions invalidated on logou