# Security Patterns

Scannable patterns for security code review. Each file has:

- **Rule** — what to do
- **Correct Pattern** — code that works (Python)
- **Incorrect Pattern** — common mistakes
- **Edge Cases** — gotchas

Based on OWASP Top 10:2025 and recent security research.

## Patterns

### Fundamentals

| File | Topic | OWASP 2025 |
|------|-------|------------|
| [secure-defaults.md](secure-defaults.md) | Fail closed, deny by default, defense in depth | A06 |
| [input-validation.md](input-validation.md) | Allowlist > blocklist, validate at boundaries | A03 |
| [credential-handling.md](credential-handling.md) | No hardcoded secrets, environment/secret manager | — |
| [audit-logging.md](audit-logging.md) | What to log, what not to log | A09 |
| [error-handling.md](error-handling.md) | Fail closed, no sensitive info in errors | A10 |

### Identity

| File | Topic | OWASP 2025 |
|------|-------|------------|
| [authentication.md](authentication.md) | Passwords, tokens, MFA, brute force protection | A07 |
| [authorization.md](authorization.md) | Permission checks, IDOR prevention, privilege escalation | A01 |

### Attack Prevention

| File | Topic | OWASP 2025 |
|------|-------|------------|
| [injection-prevention.md](injection-prevention.md) | SQL, command, template, path traversal | A05 |
| [dos-prevention.md](dos-prevention.md) | Rate limiting, resource bounds, algorithmic complexity | — |
| [prompt-injection.md](prompt-injection.md) | LLM security, data/instruction separation | — |
| [deserialization.md](deserialization.md) | Untrusted data deserialization, pickle, yaml | A08 |

### Infrastructure

| File | Topic | OWASP 2025 |
|------|-------|------------|
| [supply-chain.md](supply-chain.md) | SBOM, dependency scanning, signed packages | A03 |
| [cryptography.md](cryptography.md) | Strong algorithms, key management, TLS | A04 |

## OWASP Top 10:2025 Coverage

| # | Category | Pattern |
|---|----------|---------|
| A01 | Broken Access Control | authorization.md |
| A02 | Security Misconfiguration | secure-defaults.md |
| A03 | Software Supply Chain Failures | supply-chain.md |
| A04 | Cryptographic Failures | cryptography.md |
| A05 | Injection | injection-prevention.md |
| A06 | Insecure Design | secure-defaults.md |
| A07 | Authentication Failures | authentication.md |
| A08 | Software or Data Integrity Failures | deserialization.md |
| A09 | Security Logging and Alerting Failures | audit-logging.md |
| A10 | Mishandling of Exceptional Conditions | error-handling.md |

## Sources

- [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
- [OWASP LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
- [CWE (Common Weakness Enumeration)](https://cwe.mitre.org/)

## Usage

Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; the concepts apply to any language.