Install: claude install-skill decebals/claude-code-java
# Security Audit Skill
Security checklist for Java applications based on OWASP Top 10 and secure coding practices.
## When to Use
- Security code review
- Before production releases
- User asks about "security", "vulnerability", "OWASP"
- Reviewing authentication/authorization code
- Checking for injection vulnerabilities
---
## OWASP Top 10 Quick Reference
| # | Risk | Java Mitigation |
|---|------|-----------------|
| A01 | Broken Access Control | Role-based checks, deny by default |
| A02 | Cryptographic Failures | Use strong algorithms, no hardcoded secrets |
| A03 | Injection | Parameterized queries, input validation |
| A04 | Insecure Design | Threat modeling, secure defaults |
| A05 | Security Misconfiguration | Disable debug, secure headers |
| A06 | Vulnerable Components | Dependency scanning, updates |
| A07 | Authentication Failures | Strong passwords, MFA, session management |
| A08 | Data Integrity Failures | Verify signatures, secure deserialization |
| A09 | Logging Failures | Log security events, no sensitive data |
| A10 | SSRF | Validate URLs, allowlist domains |
---
## Input Validation (All Frameworks)
### Bean Validation (JSR 380)
Works in Spring, Quarkus, Jakarta EE, and standalone.
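The standalone case, as an added example that is not the skill's own code: the DTO below carries the checklist's constraints and validates itself through the Jakarta Bean Validation API (assumes Hibernate Validator and an Expression Language implementation on the classpath; use the `javax.validation` package names on pre-Jakarta stacks).

```java
import java.util.Set;

import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.ValidatorFactory;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Pattern;
import jakarta.validation.constraints.Size;

/** Request DTO validated at the boundary (example code, not the skill's own). */
public class CreateUserRequest {
    // @Pattern and @Size treat null as valid, so @NotNull is what rejects a missing field.
    @NotNull(message = "Username is required")
    @Size(min = 3, max = 50, message = "Username must be 3-50 characters")
    @Pattern(regexp = "^[a-zA-Z0-9_]+$", message = "Username must be letters, digits or underscore")
    private final String username;

    public CreateUserRequest(String username) { this.username = username; }

    public String getUsername() { return username; }

    /**
     * Runs the constraints without any framework. In Spring or Quarkus the same
     * constraints fire only on parameters annotated with @Valid; an unannotated
     * controller argument is never checked, which is the usual gap in reviews.
     */
    public static Set<ConstraintViolation<CreateUserRequest>> validate(CreateUserRequest req) {
        try (ValidatorFactory factory = Validation.buildDefaultValidatorFactory()) {
            Validator validator = factory.getValidator();
            return validator.validate(req);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid, one with disallowed characters, one too short, one missing.
        String[] candidates = {"alice_01", "bob;--", "ab", null};
        for (String candidate : candidates) {
            Set<ConstraintViolation<CreateUserRequest>> violations = validate(new CreateUserRequest(candidate));
            if (violations.isEmpty()) {
                System.out.println("accepted: " + candidate);
            } else {
                // Report the constraint message only; do not echo the rejected raw input into logs (A09).
                violations.forEach(v -> System.out.println("rejected: " + v.getMessage()));
            }
        }
    }
}
```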
```java
// ✅ GOOD: Validate at boundary
import jakarta.validation.constraints.*; // javax.validation.constraints on pre-Jakarta stacks

public class CreateUserRequest {
@NotNull(message = "Username is required")
@Size(min = 3, max = 50, message = "Username must be 3-50 characters")
@Pattern(regexp = "^[a-zA-Z0-9_]+$", message = "Username can only c