Security Checks

## Automated Security Scanning Configuration

### SAST Tools
- Primary: [Tool Name] with custom AI-code ruleset
- Configuration: [Configuration file location]
- Custom Rules: [Location of custom rules]
- Integration: CI/CD pipeline at [pipeline stage]

### SCA Tools
- Primary: [Tool Name] for dependency scanning
- Configuration: [Configuration file location]
- Policy: Block high/critical vulnerabilities in dependencies
- Exceptions: [Exception process link]

### Secret Scanning
- Primary: [Tool Name] for secret detection
- Configuration: [Configuration file location]
- Pre-commit hook: [Hook configuration details]
- Response process: [Process for detected secrets]

### AI-Specific Patterns
- Custom ruleset for AI-generated code patterns: [Ruleset location]
- Focus areas:
  - Incomplete authentication flows
  - Partial input validation
  - Insecure default configurations
  - Excessive permissions
  - Insufficient error handling

## Attack Scenario Verification

### Authentication Components
- [ ] Credential brute forcing
- [ ] Session hijacking
- [ ] Token theft or forgery
- [ ] Multi-factor authentication bypass
- [ ] Account enumeration
- [ ] Password reset vulnerabilities

### Data Access Components
- [ ] SQL injection
- [ ] NoSQL injection
- [ ] ORM injection
- [ ] Excessive data exposure
- [ ] Insecure direct object references
- [ ] Mass assignment vulnerabilities

### API Endpoints
- [ ] Parameter tampering
- [ ] API rate limiting bypass
- [ ] Insufficient authorization
- [ ] Man-in-the-middle attacks
- [ ] Server-side request forgery
- [ ] Improper API versioning exploits

### Frontend Components
- [ ] Cross-site scripting (XSS)
- [ ] Cross-site request forgery (CSRF)
- [ ] Clickjacking
- [ ] Client-side storage exploitation
- [ ] Malicious file upload
- [ ] DOM-based vulnerabilities

## Security Control Verification Matrix

| Security Control | Verification Technique | Acceptance Criteria |
|------------------|------------------------|---------------------|
| **Authentication** |
| Password handling | Code review | Secure hashing with appropriate algorithm and salt |
| Session management | Code review, testing | Secure cookie settings, proper timeout, rotation |
| Multi-factor auth | Testing | Proper implementation, bypass prevention |
| **Authorization** |
| Permission checks | Code review, testing | Checks present at all access points |
| Role management | Code review | Principle of least privilege applied |
| Access control | Penetration testing | Cannot access unauthorized resources |
| **Data Protection** |
| Transport security | Configuration review | TLS 1.2+, proper cipher suites |
| Data at rest | Code review | Sensitive data encrypted with proper keys |
| Data masking | Testing | PII/sensitive data properly masked in logs and UI |
| **Input Validation** |
| Parameter validation | Code review, testing | All parameters validated for type, range, format |
| Sanitization | Code review | All inputs sanitized before use |
| Invalid input handling | Testing | Proper error handling without data leakage |
| **Output Encoding** |
| HTML encoding | Code review, testing | All user-influenced output properly encoded |
| JSON encoding | Code review | Proper JSON serialization |
| CSV/Excel protection | Testing | Formula injection protection |
| **Audit & Logging** |
| Security events | Log review | Critical security events captured |
| Sensitive data | Log review | No sensitive data in logs |
| Log protection | Configuration review | Logs protected from tampering |

## Unexpected Scenario Testing

### Edge Case Testing
Test all input parameters with:
- Empty values
- Extremely large values
- Negative values where applicable
- Special characters
- Unicode/international characters
- Maximum/minimum allowable values

### Failure Mode Testing
Test behavior when:
- Database connections fail
- External services are unavailable
- Network connectivity is intermittent
- File system access is denied
- Memory allocation fails
- CPU is heavily constrained

### Concurrency Testing
Test for race conditions with:
- Simultaneous requests for the same resource
- Parallel updates to the same data
- Rapid creation/deletion cycles
- Session operations from multiple clients
- Parallel authentication attempts

### Exception Path Testing
Verify proper handling of:
- Invalid authentication credentials
- Expired sessions/tokens
- Revoked permissions
- Invalid input combinations
- Resource not found scenarios
- Timeout conditions

## Security Remediation Process

### Issue Documentation
For each security finding:
- Severity classification (Critical/High/Medium/Low)
- Detailed description with reproduction steps
- Affected components and code locations
- Potential impact and exploit scenarios
- Recommended remediation approach

### Verification Process
For each remediated issue:
1. Confirm fix implementation matches recommendation
2. Verify fix addresses root cause not just symptoms
3. Test exploit scenario to confirm it no longer works
4. Check for similar vulnerabilities elsewhere in codebase
5. Ensure fix doesn't introduce new vulnerabilities
6. Update verification documentation with findings

### Prompt Improvement
For each security issue:
1. Analyze original prompt for security gaps
2. Add explicit security requirements to prevent recurrence
3. Create security-focused examples where applicable
4. Document the issue in security prompt library
5. Share learnings with prompt engineering team

## Security Expert Review Protocol

### Review Scoping
Components requiring expert review:
- Authentication and authorization systems
- Cryptographic implementations
- Financial transaction processing
- Personal data handling
- Critical business logic
- High-exposure external interfaces

### Review Process
1. **Preparation**:
   - Provide complete context and documentation
   - Share threat model and security requirements
   - Include all relevant code and configurations
   - Provide access to test environment

2. **Primary Review Areas**:
   - Architectural soundness
   - Cryptographic implementation
   - Authentication/authorization mechanisms
   - Security control coverage
   - Known vulnerability patterns
   - Compliance requirements

3. **Documentation**:
   - Formal review report with findings
   - Risk classification of issues
   - Detailed remediation recommendations
   - Root cause analysis
   - Verification criteria for fixes

### Expert Qualifications
For internal expert reviews, reviewers should have:
- Security certification relevant to domain
- Experience with similar systems
- Understanding of applicable compliance requirements
- Familiarity with relevant attack vectors
- No direct involvement in the code generation

For external experts:
- [Vendor selection criteria]
- [Engagement process]
- [Confidentiality requirements]

## Authentication System Security Checklist

### Credential Handling
- [ ] Passwords are never stored in plaintext
- [ ] Password hashing uses strong algorithm (bcrypt, Argon2, PBKDF2)
- [ ] Appropriate work factor/iterations for hashing
- [ ] Passwords are never logged or exposed
- [ ] Memory handling prevents credential exposure

### Authentication Flow
- [ ] Brute force protection (rate limiting, account lockout)
- [ ] Secure credential transit (TLS, no URL parameters)
- [ ] Multi-factor authentication properly implemented
- [ ] Session management follows security best practices
- [ ] Secure storage of session information
- [ ] Account recovery requires proper verification

### Token Management
- [ ] Tokens have appropriate expiration
- [ ] Tokens contain minimum necessary data
- [ ] Token validation is comprehensive
- [ ] Refresh processes are secure
- [ ] Tokens can be revoked when needed
- [ ] Secure storage guidance for clients

### Specific Vulnerabilities
- [ ] Protection against credential stuffing
- [ ] Defense against session fixation
- [ ] Prevention of session hijacking
- [ ] Protection against cross-site request forgery
- [ ] Defense against account enumeration
- [ ] Protection against phishing

### Implementation Verification
- [ ] Credential comparison uses timing-safe methods
- [ ] Error messages don't leak account information
- [ ] All authentication paths are protected
- [ ] Redirects after authentication are validated
- [ ] Authentication state checks on all protected resources

## Data Access Security Checklist

### Query Security
- [ ] Parameterized queries used for all database access
- [ ] No dynamic SQL constructed through string concatenation
- [ ] ORM used securely with proper validation
- [ ] Protection against SQL/NoSQL injection
- [ ] Schema validation before query execution

### Access Control
- [ ] Row-level security implemented where appropriate
- [ ] Object-level authorization checks
- [ ] Data access restricted by user permissions
- [ ] Defense against insecure direct object references
- [ ] Protection against mass assignment vulnerabilities

### Sensitive Data Handling
- [ ] PII/sensitive data identified and handled appropriately
- [ ] Encryption for sensitive data at rest
- [ ] Appropriate key management for encryption
- [ ] Data minimization in queries (select only needed fields)
- [ ] Proper data retention/deletion processes

### Connection Security
- [ ] Database credentials securely managed (not hardcoded)
- [ ] Least privilege database accounts
- [ ] Connection pooling configured securely
- [ ] Transport encryption for database connections
- [ ] Timeout and resource limits configured

### Implementation Details
- [ ] Error handling doesn't leak sensitive information
- [ ] Logging doesn't include sensitive data or credentials
- [ ] Prepared statements used correctly
- [ ] Transaction management prevents race conditions
- [ ] Defense against query timing attacks where relevant

## API Security Checklist

### Input Validation
- [ ] All parameters validated for type, length, format, and range
- [ ] Schema validation for structured data
- [ ] Protection against parameter pollution
- [ ] Validate content types and headers
- [ ] Input sanitization before processing

### Authentication & Authorization
- [ ] Proper authentication for all non-public endpoints
- [ ] API key management follows security best practices
- [ ] Authorization checks on all protected resources
- [ ] API scope validation for OAuth flows
- [ ] Defense against JWT attacks

### Rate Limiting & Resource Control
- [ ] Rate limiting implemented for all endpoints
- [ ] Graduated response to excessive requests
- [ ] Resource limits on payload size, processing time, etc.
- [ ] Protection against denial of service
- [ ] Monitoring for abuse patterns

### Response Security
- [ ] No sensitive data in responses unless necessary
- [ ] Appropriate content security headers
- [ ] Consistent error responses that don't leak information
- [ ] CORS configured securely
- [ ] Cache-control headers set appropriately

### Implementation Verification
- [ ] No server information leaked in responses
- [ ] Health/status endpoints don't expose sensitive details
- [ ] Proper HTTP status codes used
- [ ] API versioning implemented securely
- [ ] Protection against server-side request forgery

## Frontend Security Checklist

### Cross-Site Scripting Protection
- [ ] Output encoding in all data rendering
- [ ] Content Security Policy implemented
- [ ] DOM manipulation uses safe methods
- [ ] Frameworks used with XSS protections enabled
- [ ] User-generated HTML/markdown safely rendered

### Client-Side Input Validation
- [ ] All inputs validated with appropriate constraints
- [ ] Validation synchronized with server-side validation
- [ ] File uploads validated for type, size, and content
- [ ] Form submissions protected against tampering
- [ ] Input sanitization applied where appropriate

### Authentication & Session Security
- [ ] Secure cookie attributes (HttpOnly, Secure, SameSite)
- [ ] Token storage follows security best practices
- [ ] No sensitive data in local/session storage
- [ ] CSRF protection on all state-changing actions
- [ ] Secure authentication state management

### Third-Party Integration
- [ ] Third-party scripts properly vetted
- [ ] Subresource integrity applied where possible
- [ ] Minimal permissions for third-party integrations
- [ ] Sandboxing for untrusted content
- [ ] Security implications of external dependencies understood

### UI Security Features
- [ ] Sensitive information properly masked
- [ ] No exposure of internal identifiers or paths
- [ ] Secure defaults in all user interfaces
- [ ] No security-sensitive operations in GET requests
- [ ] Protection against clickjacking

## Security-Enhanced Prompt Template

SITUATION: Building [application type] with [tech stack]

CHALLENGE: Create [component] for [specific functionality]

AUDIENCE: Team of [experience level] developers

FORMAT: Follow team standards for [relevant patterns]

SECURITY REQUIREMENTS:
- Implement proper input validation for all user-controlled data
- Apply parameterized queries for all database operations
- Follow OWASP authentication best practices
- Implement proper authorization checks before access
- Apply the principle of least privilege
- Sanitize all outputs to prevent XSS
- Implement proper error handling that doesn't leak sensitive information
- Use secure defaults for all configurations

EXAMPLE SECURE IMPLEMENTATION:
[Provide snippet demonstrating security best practices]

POTENTIAL THREATS:
- [List specific threats relevant to this component]
- [Include attack vectors to defend against]

SECURITY STANDARDS:
- Must comply with [specific security standards/frameworks]
- Must pass [specific security testing requirements]

## Development-Time Security Checklist

### Before Code Generation
- [ ] Security requirements clearly defined in prompt
- [ ] Applicable threats identified
- [ ] Security standards referenced

### During Initial Review
- [ ] Surface automated scanning performed
- [ ] Common vulnerability patterns checked
- [ ] Security controls identified and verified
- [ ] Dependencies checked for vulnerabilities

### During Testing
- [ ] Security unit tests created
- [ ] Authentication/authorization explicitly tested
- [ ] Edge cases and unexpected inputs tested
- [ ] Error handling verified

### Before Completion
- [ ] Security-focused peer review completed
- [ ] All automated scanning issues addressed
- [ ] Security controls documented
- [ ] Remaining risks identified and managed

## Pre-Deployment Security Verification

### Component Security
- [ ] All S.E.C.U.R.E. framework checks completed
- [ ] Component-specific security checklist completed
- [ ] All identified vulnerabilities remediated
- [ ] Security testing documentation complete
- [ ] Expert review completed for critical components

### Environment Security
- [ ] Deployment environment security validated
- [ ] Secrets management configured properly
- [ ] Network security controls in place
- [ ] Access controls properly configured
- [ ] Monitoring and logging enabled

### Integration Security
- [ ] Security of component interactions verified
- [ ] Authentication between services configured securely
- [ ] Data transmission secured appropriately
- [ ] Error handling across boundaries verified
- [ ] Rate limiting and resource protection in place

### Deployment Process
- [ ] Secure deployment pipeline configured
- [ ] No sensitive information in deployment artifacts
- [ ] Deployment credentials properly secured
- [ ] Rollback capability confirmed
- [ ] Post-deployment security verification planned

## SAST Tool Configuration for AI-Generated Code

### Tool: [SAST Tool Name]

#### Custom Rules for AI-Generated Code
- Enhanced validation completeness checks
- Authentication flow verification
- Authorization coverage analysis
- Input sanitization verification
- Error handling security checks
- Secure defaults verification

#### Configuration Parameters
```json
{
  "aiGeneratedPatterns": true,
  "analysisDepth": "high",
  "includeExperimentalRules": true,
  "securityChecks": {
    "authentication": "enhanced",
    "authorization": "enhanced",
    "inputValidation": "comprehensive",
    "outputEncoding": "strict",
    "errorHandling": "securityFocused"
  }
}

<rule id="AI001">
  <pattern>Authentication implementation without account lockout or rate limiting</pattern>
  <severity>High</severity>
  <description>AI-generated authentication implementations often omit brute force protections</description>
  <recommendation>Implement account lockout or rate limiting for failed authentication attempts</recommendation>
</rule>

### SCA Tools Integration

Configure Software Composition Analysis for dependency security:

```markdown
## SCA Tool Configuration for AI-Generated Code

### Tool: [SCA Tool Name]

#### Configuration Focus
- Comprehensive dependency analysis
- Transitive dependency scanning
- License compliance verification
- Exploitation potential assessment
- Update impact analysis

#### Configuration Parameters
```json
{
  "deepScan": true,
  "transitiveAnalysis": true,
  "vulnerabilitySeverityThreshold": "medium",
  "licenseCompliance": true,
  "blockingPolicy": {
    "critical": true,
    "high": true,
    "medium": false,
    "low": false
  }
}

### Security Testing Automation

Implement automated security testing for AI-generated components:

```markdown
## Automated Security Testing Configuration

### Dynamic Testing Suite
- Authentication testing: [Tool/Framework]
- Authorization testing: [Tool/Framework]
- Injection testing: [Tool/Framework]
- Frontend vulnerability testing: [Tool/Framework]
- API security testing: [Tool/Framework]

### Test Automation Configuration
```yaml
securityTests:
  authentication:
    credentialBruteForce: true
    sessionManagement: true
    tokenValidation: true
    accountLockout: true
    
  authorization:
    resourceAccessControl: true
    roleVerification: true
    privilegeEscalation: true
    
  injection:
    sqlInjection: true
    noSqlInjection: true
    commandInjection: true
    xssVectors: true
    
  apiSecurity:
    parameterTampering: true
    rateLimitTesting: true
    contentTypeManipulation: true

def test_authentication_bypass():
    """Test for authentication bypass vulnerabilities in login flow"""
    # Direct page access attempt
    response = client.get('/protected-resource')
    assert response.status_code == 401 or response.status_code == 302
    
    # Token manipulation
    token = get_valid_token()
    manipulated_token = tamper_with_token(token)
    headers = {'Authorization': f'Bearer {manipulated_token}'}
    response = client.get('/protected-resource', headers=headers)
    assert response.status_code == 401

def test_sql_injection_protection():
    """Test for SQL injection vulnerabilities in user search"""
    payloads = [
        "' OR '1'='1",
        "'; DROP TABLE users; --",
        "' UNION SELECT username, password FROM users; --"
    ]
    
    for payload in payloads:
        response = client.get(f'/api/users?search={payload}')
        assert response.status_code != 500
        assert "error" not in response.json()
        # Verify no excessive data is returned
        assert len(response.json().get('users', [])) <= 10

## Security Verification Documentation

Document your security verification to support compliance and knowledge preservation:

### Security Verification Report Template

```markdown
# Security Verification Report

## Component Information
- **Component Name**: [Name]
- **Component Purpose**: [Brief description]
- **Risk Classification**: [Critical/High/Medium/Low]
- **Generated Date**: [Date]
- **AI Tool Used**: [Tool name and version]
- **Original Prompt**: [Link to prompt in library]

## Verification Methodology
- S.E.C.U.R.E. framework applied on [Date]
- Component-specific checklist: [Checklist name]
- Automated tools used: [List tools]
- Manual verification techniques: [List techniques]
- Verification performed by: [Names/Roles]

## Security Control Verification

### Authentication & Authorization
- **Controls Implemented**: [List controls]
- **Verification Method**: [How controls were verified]
- **Findings**: [Any issues discovered]
- **Remediation Status**: [Complete/In Progress/Not Started]

### Data Protection
- **Controls Implemented**: [List controls]
- **Verification Method**: [How controls were verified]
- **Findings**: [Any issues discovered]
- **Remediation Status**: [Complete/In Progress/Not Started]

### Input Validation & Output Encoding
- **Controls Implemented**: [List controls]
- **Verification Method**: [How controls were verified]
- **Findings**: [Any issues discovered]
- **Remediation Status**: [Complete/In Progress/Not Started]

### Error Handling & Logging
- **Controls Implemented**: [List controls]
- **Verification Method**: [How controls were verified]
- **Findings**: [Any issues discovered]
- **Remediation Status**: [Complete/In Progress/Not Started]

## Vulnerability Assessment

### Identified Vulnerabilities
| ID | Description | Severity | Status | Remediation |
|----|-------------|----------|--------|-------------|
| V1 | [Description] | High | Resolved | [Approach] |
| V2 | [Description] | Medium | In Progress | [Approach] |

### Threat Scenario Testing
| Scenario | Result | Notes |
|----------|--------|-------|
| [Scenario] | Pass/Fail | [Notes] |

## Security Testing Results
- **Test Suite**: [Name]
- **Test Coverage**: [Percentage/Description]
- **Critical Paths Tested**: [List]
- **Edge Cases Tested**: [List]
- **Test Results Summary**: [Summary]

## Remediation Summary
- **Critical Issues**: [Count] identified, [Count] resolved
- **High-Priority Issues**: [Count] identified, [Count] resolved
- **Medium-Priority Issues**: [Count] identified, [Count] resolved
- **Low-Priority Issues**: [Count] identified, [Count] resolved

## Approval Status
- [ ] All critical issues resolved
- [ ] All high-priority issues resolved
- [ ] Acceptable risk mitigation for outstanding issues
- [ ] Security verification documentation complete

### Approvals
- Security Reviewer: [Name, Date]
- Technical Lead: [Name, Date]
- Product Owner: [Name, Date]

## Lessons Learned
- **Prompt Improvements**: [Recommendations]
- **Verification Enhancements**: [Recommendations]
- **Common Patterns Identified**: [Patterns]

# Security Knowledge Capture

## Security Pattern Identification

### Effective Security Patterns
- **Pattern**: [Name/Description]
- **Implementation**: [How it was implemented]
- **Verification**: [How effectiveness was verified]
- **Applicability**: [When to use this pattern]

### Security Anti-Patterns
- **Anti-Pattern**: [Name/Description]
- **Identification**: [How to recognize this pattern]
- **Risks**: [Security implications]
- **Remediation**: [How to correct]

## AI Generation Security Insights

### Prompt Improvements
- **Original Security Requirements**: [Text from prompt]
- **Issues Encountered**: [Security problems that occurred]
- **Enhanced Requirements**: [Improved prompt text]
- **Validation**: [How improvement was verified]

### Common AI Security Omissions
- **Omission**: [Security aspect often missed]
- **Detection**: [How to identify]
- **Prompt Strategy**: [How to ensure inclusion]
- **Verification Approach**: [How to verify implementation]

## Framework Improvement Recommendations
- **Process Enhancement**: [Recommended change]
- **Tool Configuration**: [Suggested configuration improvements]
- **Checklist Updates**: [Additions to security checklists]
- **Training Needs**: [Identified knowledge gaps]