Install: claude install-skill atomicinnovation/accelerator
# Security Lens
Review as an attacker probing for ways to compromise the system.
## Core Responsibilities
1. **Perform Threat and Vulnerability Analysis**
- Apply STRIDE categories to each component and data flow
- Apply OWASP Top 10 to code or proposed changes (injection, broken access
control, cryptographic failures, SSRF, security misconfiguration)
- Map trust boundaries and identify where data crosses them
- Check input validation completeness at entry points
- Verify output encoding where user-supplied data reaches output
2. **Evaluate Authentication, Authorisation, and Security Controls**
- Confirm an authentication and authorisation check at every access point introduced or modified
- Verify default-deny policies in new endpoints or routes
- Assess horizontal and vertical privilege escalation vectors
- Review session management and re-authentication for sensitive operations
- Check for defence in depth — multiple security layers, not single barriers
- Verify secrets management approach (no hardcoded secrets, proper rotation)
- Assess data protection strategy (encryption in transit and at rest)
3. **Detect Secrets, Information Disclosure, and Operational Security Gaps**
- Scan for hardcoded secrets, credentials, API keys, or tokens
- Check error messages and logs for sensitive data exposure
- Identify debug output that could leak in production
- Trace data flow from user input to storage and output
- Check for security event logging and monitoring provisions
- Evaluate deployment security an
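Worked example for responsibility 1 (trust boundaries, input validation at entry points, output encoding at sinks). This is an added illustration, not code from the Security Lens skill or the accelerator repository; the username policy, the allow-listed hosts and the greeting template are assumptions made for the example. It shows the two checks the lens asks for as separate layers: an allowlist validator for a parameter crossing the trust boundary, a host allowlist for a URL the server will follow (the SSRF / open-redirect case), and the same HTML sink before and after output encoding.

```python
import html
import re
from urllib.parse import urlparse

# Entry-point allowlist for a username parameter (hypothetical policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")

# Hosts the application may redirect to or fetch from (constructed for the example).
ALLOWED_HOSTS = frozenset({"app.example.test", "cdn.example.test"})


def validate_username(raw: str) -> str:
    """Reject anything outside the allowlist before it crosses the trust boundary."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def validate_target_url(raw: str) -> str:
    """Trust-boundary check for a URL the server will follow (redirect / SSRF sink).

    Only http(s) to an allow-listed host is accepted. Scheme-less ("//evil"),
    userinfo-bearing ("https://good@evil") and IP-literal forms fail because the
    parsed hostname is not in the allowlist.
    """
    parsed = urlparse(raw)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = parsed.hostname  # lower-cased; userinfo and port already stripped
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    return raw


def greeting_vulnerable(display_name: str) -> str:
    # Sink: user-controlled text interpolated into HTML with no encoding.
    return f"<p>Hello, {display_name}!</p>"


def greeting_hardened(display_name: str) -> str:
    # Encode at the output sink. Entry-point validation does not replace this:
    # a display name may legitimately contain '<' or '&'.
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


def rejects(check, *args) -> bool:
    """True if the validator refuses the input with ValueError."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(greeting_vulnerable(payload))
    print(greeting_hardened(payload))
    print(rejects(validate_target_url, "https://app.example.test@evil.test/"))
```

The point to carry into a review: validation belongs at the boundary and encoding belongs at the sink, and finding one of them does not excuse the absence of the other.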
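Worked example for responsibility 2 (default-deny policies, horizontal and vertical privilege escalation). Added for illustration; it is not code from the skill or the accelerator project, and the users, documents, roles and policy table are constructed. The vulnerable accessor is authenticated but never authorised, so any caller can read any document id (horizontal escalation). The hardened version routes every decision through a policy table where an unlisted (resource, action) pair is denied, returns the same failure for missing and forbidden objects so the endpoint is not an id oracle, and guards the vertical case by refusing role changes from non-admins and self-promotion by anyone.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


@dataclass(frozen=True)
class User:
    id: int
    role: Role


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int


# Constructed sample data: two ordinary users with one document each, one admin.
DOCS = {1: Document(id=1, owner_id=10), 2: Document(id=2, owner_id=20)}
USERS = {
    10: User(id=10, role=Role.USER),
    20: User(id=20, role=Role.USER),
    1: User(id=1, role=Role.ADMIN),
}


def get_document_vulnerable(caller: User, doc_id: int) -> Document:
    # Authenticated but not authorised: any caller reads any id (IDOR / horizontal escalation).
    return DOCS[doc_id]


# Explicit policy table. A (resource, action) pair that is not listed is denied.
POLICY = {
    ("document", "read"): lambda actor, doc: actor.id == doc.owner_id or actor.role is Role.ADMIN,
    ("document", "delete"): lambda actor, doc: actor.id == doc.owner_id,
    # Vertical-escalation guard: only admins change roles, and never their own.
    ("user", "change_role"): lambda actor, target: actor.role is Role.ADMIN and actor.id != target.id,
}


def authorize(actor: User, resource: str, action: str, obj) -> bool:
    rule = POLICY.get((resource, action))
    if rule is None:
        return False  # default deny: a new action is closed until a rule exists
    return rule(actor, obj)


def get_document_hardened(caller: User, doc_id: int) -> Document:
    doc = DOCS.get(doc_id)
    # Same failure for "missing" and "forbidden" so the route does not enumerate ids.
    if doc is None or not authorize(caller, "document", "read", doc):
        raise PermissionError("forbidden")
    return doc


def change_role_hardened(actor: User, target_id: int, new_role: Role) -> User:
    target = USERS.get(target_id)
    if target is None or not authorize(actor, "user", "change_role", target):
        raise PermissionError("forbidden")
    updated = User(id=target.id, role=new_role)
    USERS[target_id] = updated
    return updated


def permitted(fn, *args) -> bool:
    """True if the call succeeds, False if it is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print(get_document_vulnerable(USERS[10], 2))          # user 10 reads user 20's document
    print(permitted(get_document_hardened, USERS[10], 2))  # False
    print(permitted(change_role_hardened, USERS[10], 10, Role.ADMIN))  # False
```

When reviewing a new route, the question this models is "which rule in the table allows this call?"; if the answer is "none, it just works", the route is open by default.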
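Worked example for responsibility 3 (scanning for hardcoded secrets, and keeping them out of logs and error output). Added for illustration; it is not tooling from the skill or the accelerator project. The key formats are assumptions stated in the comments, the placeholder list is a judgement call, and every sample line is constructed (none of the values is a real credential). The scanner combines fixed-format patterns with a generic "secret-looking name assigned a quoted literal" rule, then drops placeholders and low-entropy values to cut false positives; `redact` reuses the same patterns to mask a line before it reaches a log.

```python
import math
import re
from collections import Counter

# Detection patterns (assumed formats): AWS access key IDs are "AKIA" + 16 upper-case
# alphanumerics; classic GitHub PATs are "ghp_" + 36 alphanumerics; the generic rule
# catches an identifier ending in a secret-like word assigned a quoted literal of 8+ chars.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(\w*(?:password|passwd|secret|api[_-]?key|token))\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that are placeholders or templating, not secrets.
PLACEHOLDER_RE = re.compile(r"(?i)^(changeme|example|placeholder|x{4,}|\$\{[^}]*\}|<[^>]*>)$")


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score higher than dictionary words."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines, min_entropy: float = 3.0):
    """Return (line_no, kind, value) for each suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "generic_assignment":
                    value = match.group(2)
                    if PLACEHOLDER_RE.match(value) or shannon_entropy(value) < min_entropy:
                        continue  # placeholder or low-entropy word: likely a false positive
                else:
                    value = match.group(0)
                findings.append((line_no, kind, value))
    return findings


def redact(line: str) -> str:
    """Mask anything a pattern matches before the line reaches a log or error page."""
    for kind, pattern in PATTERNS.items():
        if kind == "generic_assignment":
            line = pattern.sub(lambda m: f'{m.group(1)}="[REDACTED]"', line)
        else:
            line = pattern.sub("[REDACTED]", line)
    return line


# Constructed sample input; none of these values are real credentials.
SAMPLE = [
    'AWS_ACCESS_KEY_ID = "AKIAQ7X2MZ4PK9TEXMPL"',
    'db_password = "changeme"',
    'api_key = "${API_KEY}"',
    'token = "s3cr3tT0k3n-9f8e7d6c5b4a"',
    'logger.info("login ok for %s", user)',
]


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE):
        print(finding)
    for line in SAMPLE:
        print(redact(line))
```

Redaction is deliberately more aggressive than detection (it masks placeholders too): a false positive in a log costs nothing, a real token in a log is an incident.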