Software Security Appsec

🌐 Community
by vasilyu1983 · vlatest · Repository

Analyzes code for vulnerabilities, suggests remediation steps, and strengthens application security posture based on AppSec best practices.

Install on your platform

1. Run in terminal (recommended):

claude mcp add software-security-appsec npx -- -y @trustedskills/software-security-appsec

2. Or manually add to ~/.claude/settings.json:

{
  "mcpServers": {
    "software-security-appsec": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/software-security-appsec"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill analyzes code and provides guidance on strengthening application security posture based on AppSec best practices. It covers the vulnerability categories in the OWASP Top 10:2025 and the OWASP API Security Top 10 (2023), plus secure Software Development Lifecycle (SDLC) baselines from the NIST Secure Software Development Framework (SSDF). The skill recommends remediation steps and helps developers implement production-grade security patterns for applications being built in 2026 and beyond.

When to use it

  • Implementing authentication or authorization systems.
  • Handling user input that could lead to injection attacks (SQL, XSS, command injection).
  • Designing secure APIs or web applications.
  • Working with cryptographic operations or sensitive data storage.
  • Integrating third-party dependencies and performing supply chain security reviews.

Key capabilities

  • Covers OWASP Top 10:2025 and OWASP API Security Top 10 (2023).
  • Provides guidance based on NIST SSDF secure SDLC baselines.
  • Offers recommendations for authentication/authorization, input validation, SQL query security, API authentication, data encryption, access control, rate limiting, and more.
  • Suggests specific tools and patterns like Passkeys/WebAuthn, bcrypt/Argon2, parameterized queries, OAuth 2.1 + PKCE, JWT, AES-256-GCM, TLS 1.3, and express-rate-limit.

Example prompts

  • "How can I prevent SQL injection in this database query?"
  • "What are the best practices for storing passwords securely?"
  • "Suggest a secure authentication flow for my API using OAuth 2.1."
  • "What security considerations should I keep in mind when integrating this third-party library?"

Tips & gotchas

  • This skill is designed for developers focused on application security, not general backend development or infrastructure/cloud security.
  • It focuses on implementation guidance; compliance questions that do not reduce to concrete implementation steps are out of scope.
  • The recommendations are geared towards applications being built in 2026 and beyond.

TrustedSkills Verification

Unlike registries that point at a live repository, TrustedSkills pins every skill to a verified commit hash, so what you install is meant to be exactly what was reviewed and verified, not a later, possibly malicious, update. Note that the install command above still fetches the unversioned npm package through npx -y, which resolves to whatever npm currently publishes as latest; to carry the same guarantee onto your machine, pin an explicit version in the command (@trustedskills/software-security-appsec@<version>) and check it against the reviewed release.

Security Audits

  • Gen Agent Trust Hub: Pass
  • Socket: Pass
  • Snyk: Pass

Details

Version: vlatest
License: (not listed)
Author: vasilyu1983
Installs: 64
