OWASP Security Best Practices Skill

Apply these security standards when writing or reviewing code.

Quick Reference: OWASP Top 10:2025

Security Code Review Checklist

When reviewing code, check for these issues:

Input Handling

• All user input validated server-side
• Using parameterized queries (not string concatenation)
• Input length limits enforced
• Allowlist validation preferred over denylist

Authentication & Sessions

• Passwords hashed with Argon2/bcrypt (not MD5/SHA1)
• Session tokens have sufficient entropy (128+ bits)
• Sessions invalidated on logout
• MFA available for sensitive operations

Access Control

• Authorization checked on every request
• Using object references user cannot manipulate
• Deny by default policy
• Privilege escalation paths reviewed

Data Protection

• Sensitive data encrypted at rest
• TLS for all data in transit
• No sensitive data in URLs/logs
• Secrets in environment/vault (not code)

Error Handling

• No stack traces exposed to users
• Fail-closed on errors (deny, not allow)
• All exceptions logged with context
• Consistent error responses (no enumeration)

Secure Code Patterns

SQL Injection Prevention

python
1# UNSAFE
2cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
3
4# SAFE
5cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

Command Injection Prevention

python
1# UNSAFE
2os.system(f"convert {filename} output.png")
3
4# SAFE
5subprocess.run(["convert", filename, "output.png"], shell=False)

Password Storage

python
1# UNSAFE
2hashlib.md5(password.encode()).hexdigest()
3
4# SAFE
5from argon2 import PasswordHasher
6PasswordHasher().hash(password)

Access Control

python
1# UNSAFE - No authorization check
2@app.route('/api/user/<user_id>')
3def get_user(user_id):
4    return db.get_user(user_id)
5
6# SAFE - Authorization enforced
7@app.route('/api/user/<user_id>')
8@login_required
9def get_user(user_id):
10    if current_user.id != user_id and not current_user.is_admin:
11        abort(403)
12    return db.get_user(user_id)

Error Handling

python
1# UNSAFE - Exposes internals
2@app.errorhandler(Exception)
3def handle_error(e):
4    return str(e), 500
5
6# SAFE - Fail-closed, log context
7@app.errorhandler(Exception)
8def handle_error(e):
9    error_id = uuid.uuid4()
10    logger.exception(f"Error {error_id}: {e}")
11    return {"error": "An error occurred", "id": str(error_id)}, 500

Fail-Closed Pattern

python
1# UNSAFE - Fail-open
2def check_permission(user, resource):
3    try:
4        return auth_service.check(user, resource)
5    except Exception:
6        return True  # DANGEROUS!
7
8# SAFE - Fail-closed
9def check_permission(user, resource):
10    try:
11        return auth_service.check(user, resource)
12    except Exception as e:
13        logger.error(f"Auth check failed: {e}")
14        return False  # Deny on error

Agentic AI Security (OWASP 2026)

When building or reviewing AI agent systems, check for:

Agent Security Checklist

• All agent inputs sanitized and validated
• Tools operate with minimum required permissions
• Credentials are short-lived and scoped
• Third-party plugins verified and sandboxed
• Code execution happens in isolated environments
• Agent communications authenticated and encrypted
• Circuit breakers between agent components
• Human approval for sensitive operations
• Behavior monitoring for anomaly detection
• Kill switch available for agent systems

ASVS 5.0 Key Requirements

Level 1 (All Applications)

• Passwords minimum 12 characters
• Check against breached password lists
• Rate limiting on authentication
• Session tokens 128+ bits entropy
• HTTPS everywhere

Level 2 (Sensitive Data)

• All L1 requirements plus:
• MFA for sensitive operations
• Cryptographic key management
• Comprehensive security logging
• Input validation on all parameters

Level 3 (Critical Systems)

• All L1/L2 requirements plus:
• Hardware security modules for keys
• Threat modeling documentation
• Advanced monitoring and alerting
• Penetration testing validation

Language-Specific Security Quirks

Important: The examples below are illustrative starting points, not exhaustive. When reviewing code, think like a senior security researcher: consider the language's memory model, type system, standard library pitfalls, ecosystem-specific attack vectors, and historical CVE patterns. Each language has deeper quirks beyond what's listed here.

Different languages have unique security pitfalls. Here are the top 20 languages with key security considerations. Go deeper for the specific language you're working in:

JavaScript / TypeScript

Main Risks: Prototype pollution, XSS, eval injection

javascript
1// UNSAFE: Prototype pollution
2Object.assign(target, userInput)
3// SAFE: Use null prototype or validate keys
4Object.assign(Object.create(null), validated)
5
6// UNSAFE: eval injection
7eval(userCode)
8// SAFE: Never use eval with user input

Watch for: eval(), innerHTML, document.write(), prototype chain manipulation, __proto__

Python

Main Risks: Pickle deserialization, format string injection, shell injection

python
1# UNSAFE: Pickle RCE
2pickle.loads(user_data)
3# SAFE: Use JSON or validate source
4json.loads(user_data)
5
6# UNSAFE: Format string injection
7query = "SELECT * FROM users WHERE name = '%s'" % user_input
8# SAFE: Parameterized
9cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))

Watch for: pickle, eval(), exec(), os.system(), subprocess with shell=True

Java

Main Risks: Deserialization RCE, XXE, JNDI injection

java
1// UNSAFE: Arbitrary deserialization
2ObjectInputStream ois = new ObjectInputStream(userStream);
3Object obj = ois.readObject();
4
5// SAFE: Use allowlist or JSON
6ObjectMapper mapper = new ObjectMapper();
7mapper.readValue(json, SafeClass.class);

Watch for: ObjectInputStream, Runtime.exec(), XML parsers without XXE protection, JNDI lookups

C#

Main Risks: Deserialization, SQL injection, path traversal

csharp
1// UNSAFE: BinaryFormatter RCE
2BinaryFormatter bf = new BinaryFormatter();
3object obj = bf.Deserialize(stream);
4
5// SAFE: Use System.Text.Json
6var obj = JsonSerializer.Deserialize<SafeType>(json);

Watch for: BinaryFormatter, JavaScriptSerializer, TypeNameHandling.All, raw SQL strings

PHP

Main Risks: Type juggling, file inclusion, object injection

php
1// UNSAFE: Type juggling in auth
2if ($password == $stored_hash) { ... }
3// SAFE: Use strict comparison
4if (hash_equals($stored_hash, $password)) { ... }
5
6// UNSAFE: File inclusion
7include($_GET['page'] . '.php');
8// SAFE: Allowlist pages
9$allowed = ['home', 'about']; include(in_array($page, $allowed) ? "$page.php" : 'home.php');

Watch for: == vs ===, include/require, unserialize(), preg_replace with /e, extract()

Go

Main Risks: Race conditions, template injection, slice bounds

go
1// UNSAFE: Race condition
2go func() { counter++ }()
3// SAFE: Use sync primitives
4atomic.AddInt64(&counter, 1)
5
6// UNSAFE: Template injection
7template.HTML(userInput)
8// SAFE: Let template escape
9{{.UserInput}}

Watch for: Goroutine data races, template.HTML(), unsafe package, unchecked slice access

Ruby

Main Risks: Mass assignment, YAML deserialization, regex DoS

ruby
1# UNSAFE: Mass assignment
2User.new(params[:user])
3# SAFE: Strong parameters
4User.new(params.require(:user).permit(:name, :email))
5
6# UNSAFE: YAML RCE
7YAML.load(user_input)
8# SAFE: Use safe_load
9YAML.safe_load(user_input)

Watch for: YAML.load, Marshal.load, eval, send with user input, .permit!

Rust

Main Risks: Unsafe blocks, FFI boundary issues, integer overflow in release

rust
1// CAUTION: Unsafe bypasses safety
2unsafe { ptr::read(user_ptr) }
3
4// CAUTION: Release integer overflow
5let x: u8 = 255;
6let y = x + 1; // Wraps to 0 in release!
7// SAFE: Use checked arithmetic
8let y = x.checked_add(1).unwrap_or(255);

Watch for: unsafe blocks, FFI calls, integer overflow in release builds, .unwrap() on untrusted input

Swift

Main Risks: Force unwrapping crashes, Objective-C interop

swift
1// UNSAFE: Force unwrap on untrusted data
2let value = jsonDict["key"]!
3// SAFE: Safe unwrapping
4guard let value = jsonDict["key"] else { return }
5
6// UNSAFE: Format string
7String(format: userInput, args)
8// SAFE: Don't use user input as format

Watch for: force unwrap (!), try!, ObjC bridging, NSSecureCoding misuse

Kotlin

Main Risks: Null safety bypass, Java interop, serialization

kotlin
1// UNSAFE: Platform type from Java
2val len = javaString.length // NPE if null
3// SAFE: Explicit null check
4val len = javaString?.length ?: 0
5
6// UNSAFE: Reflection
7clazz.getDeclaredMethod(userInput)
8// SAFE: Allowlist methods

Watch for: Java interop nulls (! operator), reflection, serialization, platform types

C / C++

Main Risks: Buffer overflow, use-after-free, format string

c
1// UNSAFE: Buffer overflow
2char buf[10]; strcpy(buf, userInput);
3// SAFE: Bounds checking
4strncpy(buf, userInput, sizeof(buf) - 1);
5
6// UNSAFE: Format string
7printf(userInput);
8// SAFE: Always use format specifier
9printf("%s", userInput);

Watch for: strcpy, sprintf, gets, pointer arithmetic, manual memory management, integer overflow

Scala

Main Risks: XML external entities, serialization, pattern matching exhaustiveness

scala
1// UNSAFE: XXE
2val xml = XML.loadString(userInput)
3// SAFE: Disable external entities
4val factory = SAXParserFactory.newInstance()
5factory.setFeature("http://xml.org/sax/features/external-general-entities", false)

Watch for: Java interop issues, XML parsing, Serializable, exhaustive pattern matching

R

Main Risks: Code injection, file path manipulation

r
1# UNSAFE: eval injection
2eval(parse(text = user_input))
3# SAFE: Never parse user input as code
4
5# UNSAFE: Path traversal
6read.csv(paste0("data/", user_file))
7# SAFE: Validate filename
8if (grepl("^[a-zA-Z0-9]+\\.csv$", user_file)) read.csv(...)

Watch for: eval(), parse(), source(), system(), file path manipulation

Perl

Main Risks: Regex injection, open() injection, taint mode bypass

perl
1# UNSAFE: Regex DoS
2$input =~ /$user_pattern/;
3# SAFE: Use quotemeta
4$input =~ /\Q$user_pattern\E/;
5
6# UNSAFE: open() command injection
7open(FILE, $user_file);
8# SAFE: Three-argument open
9open(my $fh, '<', $user_file);

Watch for: Two-arg open(), regex from user input, backticks, eval, disabled taint mode

Shell (Bash)

Main Risks: Command injection, word splitting, globbing

bash
1# UNSAFE: Unquoted variables
2rm $user_file
3# SAFE: Always quote
4rm "$user_file"
5
6# UNSAFE: eval
7eval "$user_command"
8# SAFE: Never eval user input

Watch for: Unquoted variables, eval, backticks, $(...) with user input, missing set -euo pipefail

Lua

Main Risks: Sandbox escape, loadstring injection

lua
1-- UNSAFE: Code injection
2loadstring(user_code)()
3-- SAFE: Use sandboxed environment with restricted functions

Watch for: loadstring, loadfile, dofile, os.execute, io library, debug library

Elixir

Main Risks: Atom exhaustion, code injection, ETS access

elixir
1# UNSAFE: Atom exhaustion DoS
2String.to_atom(user_input)
3# SAFE: Use existing atoms only
4String.to_existing_atom(user_input)
5
6# UNSAFE: Code injection
7Code.eval_string(user_input)
8# SAFE: Never eval user input

Watch for: String.to_atom, Code.eval_string, :erlang.binary_to_term, ETS public tables

Dart / Flutter

Main Risks: Platform channel injection, insecure storage

dart
1// UNSAFE: Storing secrets in SharedPreferences
2prefs.setString('auth_token', token);
3// SAFE: Use flutter_secure_storage
4secureStorage.write(key: 'auth_token', value: token);

Watch for: Platform channel data, dart:mirrors, Function.apply, insecure local storage

PowerShell

Main Risks: Command injection, execution policy bypass

powershell
1# UNSAFE: Injection
2Invoke-Expression $userInput
3# SAFE: Avoid Invoke-Expression with user data
4
5# UNSAFE: Unvalidated path
6Get-Content $userPath
7# SAFE: Validate path is within allowed directory

Watch for: Invoke-Expression, & $userVar, Start-Process with user args, -ExecutionPolicy Bypass

SQL (All Dialects)

Main Risks: Injection, privilege escalation, data exfiltration

sql
1-- UNSAFE: String concatenation
2"SELECT * FROM users WHERE id = " + userId
3
4-- SAFE: Parameterized query (language-specific)
5-- Use prepared statements in ALL cases

Watch for: Dynamic SQL, EXECUTE IMMEDIATE, stored procedures with dynamic queries, privilege grants

Deep Security Analysis Mindset

When reviewing any language, think like a senior security researcher:

1. Memory Model: How does the language handle memory? Managed vs manual? GC pauses exploitable?
2. Type System: Weak typing = type confusion attacks. Look for coercion exploits.
3. Serialization: Every language has its pickle/Marshal equivalent. All are dangerous.
4. Concurrency: Race conditions, TOCTOU, atomicity failures specific to the threading model.
5. FFI Boundaries: Native interop is where type safety breaks down.
6. Standard Library: Historic CVEs in std libs (Python urllib, Java XML, Ruby OpenSSL).
7. Package Ecosystem: Typosquatting, dependency confusion, malicious packages.
8. Build System: Makefile/gradle/npm script injection during builds.
9. Runtime Behavior: Debug vs release differences (Rust overflow, C++ assertions).
10. Error Handling: How does the language fail? Silently? With stack traces? Fail-open?

For any language not listed: Research its specific CWE patterns, CVE history, and known footguns. The examples above are entry points, not complete coverage.

When to Apply This Skill

Use this skill when:

• Writing authentication or authorization code
• Handling user input or external data
• Implementing cryptography or password storage
• Reviewing code for security vulnerabilities
• Designing API endpoints
• Building AI agent systems
• Configuring application security settings
• Handling errors and exceptions
• Working with third-party dependencies
• Working in any language - apply the deep analysis mindset above