secure-codinglisted

Apply OWASP-grounded secure coding when writing or reviewing backend, frontend, API, data, or infrastructure code, handling auth/secrets/user input, or doing a security pass. Use whenever code touches authentication, authorization, secrets, databases, file/network I/O, deserialization, or external input — and during the security-engineer QA lens and /ship-check.
StielChancellor/VibeGod-Tech-Team · ★ 0 · Code & Development · score 65

Install: claude install-skill StielChancellor/VibeGod-Tech-Team

# Secure Coding (OWASP) Security is a default, not a phase. This skill backs the `security-engineer` agent, the Stage-7 security QA lens, and `/ship-check`. The runtime guardrail hooks (`guard-bash`, `guard-write`) enforce the hardest rules automatically; this skill is the judgment layer. ## Fits in the pipeline Continuous. Explicit gates at Stage 3 (threat model in the blueprint), Stage 6 (secure implementation), Stage 7 (security QA lens), Stage 8 (`/ship-check`). Honors vibegod-principles #7 (security by default). User > skills > default. ## OWASP Top 10 (2021) — what to enforce - **A01 Broken Access Control** — deny by default; enforce authz on EVERY request server-side (never trust the client/UI); check object ownership (no IDOR); no privilege escalation paths. - **A02 Cryptographic Failures** — TLS everywhere; encrypt sensitive data at rest; strong, current algorithms (Argon2/bcrypt/scrypt for passwords, AES-GCM, SHA-256+); never roll your own crypto; no secrets in code (hooks block this). - **A03 Injection** — parameterized queries / prepared statements ONLY; never concatenate or interpolate untrusted input into SQL, shell, HTML, LDAP, or templates; encode output per context; avoid `eval`/dynamic code (hooks warn). - **A04 Insecure Design** — threat-model in the blueprint (STRIDE); secure defaults; rate limits; abuse cases; fail safely (closed). - **A05 Security Misconfiguration** — harden defaults; remove debug/sample/admin; least privilege; security