askill
security-audit

security-auditSafety 100Repository

Performs security audits checking for exposed secrets, weak authentication, SQL injection, XSS vulnerabilities, and validates security best practices

security-auditammonsd
0 stars
1.2k downloads
Updated 2/7/2026

Package Files

Loading files...
SKILL.md

Security Audit Skill

This skill performs security audits of the ActivityTracking application.

When to Use

  • Before production deployment
  • After major security-related changes
  • Regular security reviews (quarterly recommended)
  • Investigating potential security issues

Security Audit Checklist

1. Authentication & Authorization

JWT Token Security

  • JWT_SECRET is 256-bit minimum
  • JWT_SECRET stored in environment variable, not code
  • Access token expiration set (24 hours recommended)
  • Refresh token expiration set (7 days recommended)
  • Token revocation implemented for logout/password changes
  • Rate limiting on auth endpoints (5 req/min configured)
# Check for hardcoded secrets
git grep -i "jwt.secret\s*=" src/
git grep -i "Bearer\s+[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+" src/

Password Security

  • Passwords hashed with BCrypt (strength 10+)
  • Password expiration policy enforced (90 days)
  • Password history prevents reuse
  • Account lockout after failed attempts (5 attempts)
  • Password complexity requirements enforced (12+ chars, mixed case)
// Verify BCrypt strength
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(12);  // Strength 12 recommended
}

Role-Based Access Control

  • @PreAuthorize annotations on sensitive methods
  • Principal validation in controllers
  • User can only access their own data
  • Admin-only endpoints properly protected
# Find methods without @PreAuthorize that should have it
grep -r "public.*delete\|public.*update" src/main/java/com/ammons/taskactivity/service/ | grep -v "@PreAuthorize"

2. Input Validation

SQL Injection Prevention

  • All queries use parameterized queries
  • No string concatenation in SQL
  • @Query annotations use :param syntax
# Find potential SQL injection vulnerabilities
grep -r "\"SELECT.*+\|\"INSERT.*+\|\"UPDATE.*+" src/

XSS Prevention

  • Thymeleaf templates use th:text (not th:utext)
  • User input sanitized before display
  • Content-Security-Policy header configured
# Check for unsafe Thymeleaf usage
grep -r "th:utext" src/main/resources/templates/

File Upload Security

  • Magic number validation for file types
  • File size limits enforced (max 10MB)
  • Filename sanitization implemented
  • Files stored outside web root
// Verify magic number validation exists
private boolean isValidFileType(byte[] fileBytes) {
    // JPEG: FF D8 FF
    // PNG: 89 50 4E 47
    // PDF: 25 50 44 46
}

3. Sensitive Data Exposure

Environment Variables

  • All secrets in environment variables
  • No secrets in application.properties
  • .env file in .gitignore
# Check for exposed secrets in git history
git log -p | grep -i "password\|secret\|key" | grep -v "\.md"

# Check for secrets in committed files
git grep -i "password.*=\|secret.*=\|key.*=" | grep -v "\.example\|\.md"

Logging

  • Passwords never logged
  • JWT tokens never logged
  • Credit card numbers never logged
  • PII properly redacted in logs
# Check for potential secret logging
grep -r "log.*password\|log.*token\|log.*secret" src/ --include="*.java"

4. Security Headers

Check SecurityConfig for proper headers:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .headers(headers -> headers
            .frameOptions().deny()  // ✅ X-Frame-Options
            .contentSecurityPolicy("default-src 'self'")  // ✅ CSP
            .xssProtection().block(true)  // ✅ XSS Protection
            .contentTypeOptions().disable()  // ❌ Should be enabled
        );
}

Required Headers:

  • X-Frame-Options: DENY
  • Content-Security-Policy: default-src 'self'
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: no-referrer
  • Permissions-Policy: geolocation=(), microphone=(), camera=()
  • Strict-Transport-Security (HSTS in production)

5. CORS Configuration

# Production - Strict
cors.allowed-origins=https://yourdomain.com

# Development - Permissive (OK)
cors.allowed-origins=http://localhost:4200,http://localhost:8080
  • CORS origins restricted in production
  • Credentials allowed only for same-origin
  • Methods limited to required set

6. Dependency Vulnerabilities

# Check for known vulnerabilities
./mvnw dependency:tree
./mvnw dependency-check:check

cd frontend
npm audit
npm audit fix
  • All dependencies up-to-date
  • No critical vulnerabilities
  • No high vulnerabilities in production

7. API Security

Rate Limiting

  • Rate limiting on auth endpoints
  • Bucket4j configuration verified
  • DDoS protection considered
// Verify rate limiting exists
@Configuration
public class RateLimitConfig {
    @Bean
    public Bucket createNewBucket() {
        return Bucket.builder()
            .addLimit(Bandwidth.classic(5, Refill.intervally(5, Duration.ofMinutes(1))))
            .build();
    }
}

API Endpoint Security

  • All /api/* endpoints require JWT
  • Proper HTTP methods used (POST for create, PUT for update)
  • 401 Unauthorized returned for invalid tokens
  • 403 Forbidden returned for insufficient permissions
# Find API endpoints without security
grep -r "@GetMapping\|@PostMapping\|@PutMapping\|@DeleteMapping" src/main/java/com/ammons/taskactivity/controller/ -A 3 | grep -v "@PreAuthorize"

8. Database Security

  • Database user has minimal permissions
  • Database connection encrypted (SSL in production)
  • Database credentials in Secrets Manager (AWS)
  • Connection pooling configured properly
# Check database configuration
spring.datasource.url=jdbc:postgresql://localhost:5432/taskactivity?ssl=true&sslmode=require

9. AWS Security (Production)

  • IAM roles follow least privilege
  • S3 bucket not publicly accessible
  • S3 encryption at rest enabled
  • RDS encryption enabled
  • Security groups properly configured
  • VPC with private subnets for ECS/RDS
# Check S3 bucket public access
aws s3api get-bucket-policy-status --bucket taskactivity-receipts-prod

# Check RDS encryption
aws rds describe-db-instances --db-instance-identifier taskactivity-db | jq '.DBInstances[0].StorageEncrypted'

10. Session Management

  • JWT tokens have expiration
  • Refresh tokens have expiration
  • Token revocation on logout
  • Token revocation on password change
  • No session fixation vulnerabilities

Security Audit Report Template

# Security Audit Report

**Date:** January 19, 2026
**Auditor:** Dean Ammons
**Application:** ActivityTracking
**Version:** 0.0.1-SNAPSHOT

## Executive Summary

Overall Security Rating: [High/Medium/Low]

## Findings

### Critical Issues (Fix Immediately)

1. [Issue description]
    - **Risk:** [Description of risk]
    - **Remediation:** [How to fix]
    - **Priority:** Critical

### High Priority Issues

1. [Issue description]
    - **Risk:** [Description of risk]
    - **Remediation:** [How to fix]
    - **Priority:** High

### Medium Priority Issues

1. [Issue description]

### Low Priority Issues

1. [Issue description]

### Best Practices Recommendations

1. [Recommendation]

## Compliance Checklist

- [ ] OWASP Top 10 addressed
- [ ] PCI DSS compliance (if handling payments)
- [ ] GDPR compliance (if EU users)
- [ ] SOC 2 requirements (if applicable)

## Action Items

| Issue              | Priority | Owner | Due Date   | Status |
| ------------------ | -------- | ----- | ---------- | ------ |
| Fix exposed secret | Critical | Dean  | 2026-01-20 | Open   |

## Next Audit

Recommended: [3 months from now]

Quick Security Scan Commands

# Full security scan
.\scripts\security-scan.ps1

# Check for exposed secrets
git grep -i "password.*=\|secret.*=\|api.key.*=" | grep -v "\.md\|\.example"

# Check dependencies
./mvnw dependency-check:check
cd frontend && npm audit

# Check for SQL injection
grep -r "\"SELECT.*+\|\"INSERT.*+" src/

# Check for hardcoded IPs or URLs
grep -r "\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}" src/ --include="*.java"

Remediation Priority

  1. Critical - Fix within 24 hours

    • Exposed credentials
    • SQL injection vulnerabilities
    • Authentication bypass

  2. High - Fix within 1 week

    • Missing authorization checks
    • XSS vulnerabilities
    • Weak encryption

  3. Medium - Fix within 1 month

    • Missing security headers
    • Outdated dependencies
    • Weak password policy

  4. Low - Fix in next sprint

    • Code style security issues
    • Documentation gaps
    • Logging improvements

Memory Bank References

  • Check ai/project-overview.md for security features
  • Check ai/architecture-patterns.md for security architecture
  • Check docs/Security_Measures_and_Best_Practices.md for detailed security docs

Install

Download ZIP
Requires askill CLI v1.0+

AI Quality Score

96/100Analyzed 2/9/2026

An exceptionally thorough security auditing skill providing a comprehensive checklist and actionable commands for Java/Spring Boot applications. It covers code, configuration, and infrastructure security.

100
100
80
95
98

Metadata

Licenseunknown
Version-
Updated2/7/2026
Publisherammonsd

Tags

apici-cddatabaseobservabilitysecurity