moai-ref-owasp-checklist

Featured

OWASP Top 10 security checklist, authentication patterns, input validation, and HTTP security headers reference. Agent-extending skill that amplifies backend-implementation and security-audit workflows with production-grade security patterns. NOT for: frontend UI, DevOps deployment, performance optimization, testing strategy.

AI & Automation 1,120 stars 207 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# OWASP Security Checklist Reference ## Target Agents - `manager-develop` - Applies checklist during backend API implementation (`cycle_type=tdd` or `cycle_type=ddd` context) - `/moai review --security` - Primary security-audit invocation surface (replaces the retired `/moai security` subcommand per SPEC-SUBCOMMAND-RETIRE-001); equivalently available as a per-spawn `Agent(general-purpose)` security specialist per `archived-agent-rejection.md` §C ## OWASP API Security Top 10 | Rank | Vulnerability | Check | Defense | |------|-------------|-------|---------| | A1 | **BOLA** (Broken Object Level Authorization) | Can user A access user B's resources? | Verify object ownership at every endpoint | | A2 | **Broken Authentication** | Weak passwords, unlimited login attempts? | bcrypt (cost 12+), rate limit, MFA | | A3 | **Broken Object Property Level Authorization** | Are hidden fields exposed in responses? | Response DTOs, field-level filtering | | A4 | **Unrestricted Resource Consumption** | Can mass requests crash the server? | Rate limiting, enforce pagination limits | | A5 | **Broken Function Level Authorization** | Can regular users call admin APIs? | RBAC middleware, permission checks | | A6 | **SSRF** (Server-Side Request Forgery) | Can URL input access internal resources? | URL whitelist, block internal IPs | | A7 | **Security Misconfiguration** | Debug mode, default accounts exposed? | Separate prod config, inspect headers | | A8 | **Lack of Automated Threat Protection*...

Details

Author
modu-ai
Repository
modu-ai/moai-adk
Created
9 months ago
Last Updated
today
Language
Go
License
Apache-2.0

Integrates with

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

security-checklist

OWASP-based security checklist any agent can reference when reviewing or writing code

1 Updated today
sefaertunc
AI & Automation Featured

moai-ref-llm-security

AI/LLM defensive security reference: prompt-injection defense, OWASP LLM Top 10 defensive mapping, MCP and agentic tool-call hardening, training-data poisoning detection, model-output validation and guardrails, MITRE ATLAS defensive correlation, and NIST AI RMF governance. Agent-extending skill that amplifies backend, security, and AI-application engineering with production-grade defensive patterns for LLM-backed systems. NOT for: offensive techniques (jailbreak authoring, attack-payload crafting, red-team exploitation), model training or fine-tuning methodology, prompt optimization for capability, web-app OWASP Top 10 (see moai-ref-owasp-checklist), or general API design (see moai-ref-api-patterns).

1,120 Updated today
modu-ai
AI & Automation Featured

moai-ref-secops

DevSecOps, container, and API operational defensive security reference: CI/CD pipeline hardening, secret scanning, IaC misconfiguration detection, SAST/DAST integration, container image scanning, Kubernetes RBAC hardening, container-escape defense, runtime threat detection, OWASP API Top 10 operational defense, WAF rule tuning, and GraphQL/REST depth and rate limiting. Agent-extending skill that amplifies backend, security, and platform-engineering work with production-grade defensive patterns for pipelines, containers, and running APIs. NOT for: offensive techniques (exploit execution, container-escape attack steps, privilege-escalation procedures, attack tooling), dev-time web-app OWASP Top 10 (see moai-ref-owasp-checklist), LLM/AI security (see moai-ref-llm-security), supply-chain provenance and signing (see moai-ref-supply-chain), or general API design (see moai-ref-api-patterns).

1,120 Updated today
modu-ai