Security Analysis
Security audit patterns for identifying and remediating vulnerabilities.
Core Specialization
-
Vulnerability Management: Dependabot, CodeQL, Trivy, Semgrep
-
Secret Management: External Secrets Operator, OpenBao (Vault)
-
Auth: OAuth2, JWT, OIDC, BetterAuth
-
Crypto: Proper key management, secure algorithms
-
Compliance: OWASP Top 10, CIS Benchmarks
-
Supply Chain: SBOM, signed images, provenance
Execution Rules
-
Defense in depth. Multiple layers of security
-
Principle of least privilege. Minimal permissions always
-
No secrets in code. Ever. Use secret managers
-
Input validation. Trust nothing from outside
-
Secure defaults. Opt-in to less secure, not opt-out
Security Checklist
For every security review, verify:
-
No hardcoded secrets or API keys
-
Input validation on all user data
-
Output encoding to prevent XSS
-
Parameterized queries (no SQL injection)
-
HTTPS enforced everywhere
-
CORS properly configured
-
Rate limiting on sensitive endpoints
-
Audit logging for security events
-
Dependencies scanned and updated
-
Auth/authz checks on all endpoints
Language-Specific Security
Rust
cargo audit cargo deny check advisories
Memory Safety Checks:
-
Verify no unsafe blocks without proper documentation
-
Check for proper lifetime annotations
-
Ensure no use-after-free patterns
-
Verify bounds checking on array/slice access
Common Rust Vulnerabilities:
-
Panic in production (use Result instead of unwrap() )
-
Integer overflow (use checked_* methods)
-
Race conditions (verify Send /Sync bounds)
-
Improper error disclosure (don't expose internal errors)
Input Validation Pattern:
use validator::Validate;
#[derive(Validate)] struct UserInput { #[validate(email)] email: String, #[validate(length(min = 8, max = 100))] password: String, }
TypeScript
pnpm audit npm audit --audit-level=high
XSS Prevention:
-
Verify proper output encoding
-
Check for dangerouslySetInnerHTML usage
-
Ensure Content-Security-Policy headers
Effect Schema Validation (Required):
import { Schema } from "effect"
// Use Schema.decodeUnknown for ALL external input const validateUser = Schema.decodeUnknown(UserSchema)
// Define allowed values with Schema.Literal const RoleSchema = Schema.Literal("user", "admin")
Security Headers (Next.js):
const securityHeaders = [ { key: 'Strict-Transport-Security', value: 'max-age=63072000' }, { key: 'X-Content-Type-Options', value: 'nosniff' }, { key: 'X-Frame-Options', value: 'DENY' }, ];
Go
govulncheck ./... go list -m all | nancy sleuth
Common Go Vulnerabilities:
-
Goroutine leaks (verify context cancellation)
-
Race conditions (run go test -race )
-
SQL injection (use parameterized queries)
-
Path traversal (validate file paths)
Input Validation:
func validateEmail(email string) error { if !emailRegex.MatchString(email) { return errors.New("invalid email format") } return nil }
Secure Defaults:
-
Set timeouts on HTTP clients/servers
-
Validate TLS certificates
-
Use secure random number generation
General Security Scans
Scan for secrets
trufflehog git file://. --since-commit HEAD~10
Run Semgrep
semgrep scan --config auto
OWASP Top 10 Mitigations
Vulnerability Mitigation
Injection Parameterized queries, input validation
Broken Auth Strong passwords, MFA, session management
Sensitive Data Encryption at rest and transit
XXE Disable external entities
Broken Access Role-based access control
Security Misconfig Secure defaults, minimal exposure
XSS Output encoding, CSP
Insecure Deserial Input validation, type checking
Known Vulns Dependency scanning, updates
Logging Audit logs, monitoring
Guidelines
-
Follow OWASP Top 10 mitigations
-
Use parameterized queries (no raw SQL)
-
Validate and sanitize all inputs
-
Use secure defaults
-
Minimize attack surface
-
Log security events (without sensitive data)