java-security-audit

Community

Defensive security audit for Java backends.

Author: HZeroxium
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This skill is a defensive audit playbook. It helps you identify security risks early, produce a clear findings report (severity + mitigations), and add tests to prevent regressions while remaining within approved security processes. It does not teach exploitation and emphasizes safe, compliant practices.

Core Features & Use Cases

  • Build a quick system map (30–60 minutes) and deliver a concise "security context" note.
  • Apply an OWASP Top 10 lens to map features and entry points to risk categories, and ensure every entry point gets an OWASP pass.
  • Perform authorization reviews (authz correctness) with checks for server-side enforcement, tenant/user scoping, and strong admin protection; include negative tests.
  • Harden input validation and injection defenses across request boundaries, using allowlists, length bounds, and safe data handling; include boundary and invalid-payload tests.
  • Conduct SSRF defensive reviews for URL fetches, redirects, and external requests with allowlists, timeouts, and safe parsing.
  • Perform deserialization defensive reviews, avoid native Java serialization for untrusted data, and prefer strict schemas and explicit subtype allowlists.
  • Enforce secrets hygiene and governance to prevent secrets in repos/logs, and add CI secret scanning and dependency checks.
  • Do a quick dependency/supply-chain pass focusing on pinning versions and removing unused libraries.

Quick Start

Run the defensive Java security audit workflow against your backend service to generate a findings report with mitigations and tests.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: java-security-audit
Download link: https://github.com/HZeroxium/cursorkit/archive/main.zip#java-security-audit

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
