Rodin
8a94a08511
Now covers all OWASP Top 10:2025 categories: - A03: supply-chain.md (SolarWinds, Bybit, npm worm examples) - A04: cryptography.md (algorithm recommendations, key management) - A08: deserialization.md (pickle, yaml, language-specific risks) - A10: error-handling.md (fail closed, error messages)
2.9 KiB
2.9 KiB
Security Patterns
Scannable patterns for security code review. Each file has:
- Rule — what to do
- Correct Pattern — code that works (Python)
- Incorrect Pattern — common mistakes
- Edge Cases — gotchas
Based on OWASP Top 10:2025 and recent security research.
Patterns
Fundamentals
| File | Topic | OWASP 2025 |
|---|---|---|
| secure-defaults.md | Fail closed, deny by default, defense in depth | A06 |
| input-validation.md | Allowlist > blocklist, validate at boundaries | A03 |
| credential-handling.md | No hardcoded secrets, environment/secret manager | — |
| audit-logging.md | What to log, what not to log | A09 |
| error-handling.md | Fail closed, no sensitive info in errors | A10 |
Identity
| File | Topic | OWASP 2025 |
|---|---|---|
| authentication.md | Passwords, tokens, MFA, brute force protection | A07 |
| authorization.md | Permission checks, IDOR prevention, privilege escalation | A01 |
Attack Prevention
| File | Topic | OWASP 2025 |
|---|---|---|
| injection-prevention.md | SQL, command, template, path traversal | A05 |
| dos-prevention.md | Rate limiting, resource bounds, algorithmic complexity | — |
| prompt-injection.md | LLM security, data/instruction separation | — |
| deserialization.md | Untrusted data deserialization, pickle, yaml | A08 |
Infrastructure
| File | Topic | OWASP 2025 |
|---|---|---|
| supply-chain.md | SBOM, dependency scanning, signed packages | A03 |
| cryptography.md | Strong algorithms, key management, TLS | A04 |
OWASP Top 10:2025 Coverage
| # | Category | Pattern |
|---|---|---|
| A01 | Broken Access Control | authorization.md |
| A02 | Security Misconfiguration | secure-defaults.md |
| A03 | Software Supply Chain Failures | supply-chain.md |
| A04 | Cryptographic Failures | cryptography.md |
| A05 | Injection | injection-prevention.md |
| A06 | Insecure Design | secure-defaults.md |
| A07 | Authentication Failures | authentication.md |
| A08 | Software or Data Integrity Failures | deserialization.md |
| A09 | Security Logging and Alerting Failures | audit-logging.md |
| A10 | Mishandling of Exceptional Conditions | error-handling.md |
Sources
Usage
Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; concepts apply to any language.