security-checklist

Original：🇨🇳 Chinese

Translated

1 scripts

OWASP Security Checklist

2installs

Sourceleavesfly/jimi

Added on2026-02-09

NPX Install

npx skill4agent add leavesfly/jimi security-checklist

SKILL.md Content (Chinese)

View Translation Comparison →

Security Checklist Skill Package

Based on OWASP Top 10, comprehensively ensure application security.

OWASP Top 10 (2021)

A01:2021 – Broken Access Control

Risk: Unauthorized users can access sensitive functions or data

Mitigation Measures:

✓ Deny access by default, implement explicit authorization
✓ Implement Role-Based Access Control (RBAC)
✓ Disable directory listing
✓ Log access control failures and trigger alerts
✓ Limit API access rate

Code Example:

java

@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> getUsers() {
    return userService.findAll();
}

A02:2021 – Cryptographic Failures

Risk: Sensitive data is unencrypted or uses weak encryption

Mitigation Measures:

✓ Use HTTPS for all sensitive data transmission
✓ Encrypt static data (databases, files)
✓ Disable weak encryption algorithms (MD5, SHA1)
✓ Use strong password hashing (bcrypt, Argon2)
✓ Key management (regular rotation, secure storage)

Code Example:

java

// Use BCrypt to encrypt password
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hashedPassword = encoder.encode(rawPassword);

A03:2021 – Injection

Risk: SQL injection, command injection, LDAP injection, etc.

Mitigation Measures:

SQL Injection Protection

java

// ❌ Unsafe
String query = "SELECT * FROM users WHERE username = '" + username + "'";

// ✓ Safe: Use parameterized queries
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, username);

NoSQL Injection Protection

java

// ✓ Use parameter binding
Query query = new Query(Criteria.where("username").is(username));

Command Injection Protection

java

// ❌ Unsafe
Runtime.getRuntime().exec("ls " + userInput);

// ✓ Safe: Validate and escape
if (userInput.matches("[a-zA-Z0-9]+")) {
    ProcessBuilder pb = new ProcessBuilder("ls", userInput);
    pb.start();
}

A04:2021 – Insecure Design

Risk: Security flaws at the architecture and design level

Mitigation Measures:

✓ Threat modeling
✓ Secure design patterns
✓ Principle of least privilege
✓ Defense in depth
✓ Secure Development Lifecycle (SDLC)

A05:2021 – Security Misconfiguration

Risk: Default configurations, unupdated software, unnecessary features

Mitigation Measures:

✓ Minimal installation (remove unnecessary features)
✓ Disable default accounts and passwords
✓ Error messages do not expose sensitive information
✓ Regular updates and patching
✓ Security configuration reviews

Checklist:

yaml

# application.yml
server:
  error:
    include-stacktrace: never  # Do not expose stack trace in production
spring:
  devtools:
    restart:
      enabled: false  # Disable devtools in production

A06:2021 – Vulnerable and Outdated Components

Risk: Using libraries and frameworks with known vulnerabilities

Mitigation Measures:

✓ Remove unused dependencies
✓ Continuously monitor dependency vulnerabilities
✓ Obtain components from official sources
✓ Use signature verification for component integrity

Tools:

bash

# Maven dependency check
mvn dependency:tree
mvn versions:display-dependency-updates

# OWASP Dependency Check
mvn org.owasp:dependency-check-maven:check

A07:2021 – Identification and Authentication Failures

Risk: Weak passwords, improper session management, credential exposure

Mitigation Measures:

Password Policy

✓ Minimum length of 8 characters
✓ Complexity requirements (uppercase, lowercase, numbers, special characters)
✓ Check for weak and commonly used passwords
✓ Limit login failure attempts
✓ Multi-Factor Authentication (MFA)

Session Management

java

// Session configuration
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
    return http.build();
}

A08:2021 – Software and Data Integrity Failures

Risk: Insecure CI/CD, automatic updates, deserialization

Mitigation Measures:

✓ Code signing
✓ CI/CD security hardening
✓ Dependency integrity verification
✓ Avoid insecure deserialization

java

// ❌ Insecure deserialization
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject();

// ✓ Use secure formats like JSON
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(json, User.class);

A09:2021 – Security Logging and Monitoring Failures

Risk: Attacks cannot be detected and responded to

Mitigation Measures:

✓ Log all login attempts and access control failures
✓ Audit logs for high-value transactions
✓ Standardized log formats
✓ Centralized log management
✓ Real-time alerts

Log Example:

java

log.warn("Failed login attempt: user={}, ip={}", 
         username, request.getRemoteAddr());
log.info("Password changed: user={}, timestamp={}", 
         username, System.currentTimeMillis());

A10:2021 – Server-Side Request Forgery (SSRF)

Risk: Attackers control requests initiated by the server

Mitigation Measures:

✓ Prohibit user-controlled URLs
✓ URL whitelisting
✓ Disable HTTP redirects
✓ Network layer isolation

java

// ✓ URL validation
private boolean isAllowedUrl(String url) {
    try {
        URL u = new URL(url);
        String host = u.getHost();
        return ALLOWED_HOSTS.contains(host);
    } catch (MalformedURLException e) {
        return false;
    }
}

Additional Security Measures

XSS Protection

java

// Output escaping
String safe = HtmlUtils.htmlEscape(userInput);

// Content Security Policy
response.setHeader("Content-Security-Policy", 
    "default-src 'self'; script-src 'self' 'unsafe-inline'");

CSRF Protection

java

// Spring Security enables CSRF automatically
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

Clickjacking Protection

java

// X-Frame-Options
response.setHeader("X-Frame-Options", "DENY");

Security Response Headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'

Sensitive Information Detection

Information that should not be hard-coded:

❌ Database passwords
❌ API keys
❌ Encryption keys
❌ Private key certificates
❌ OAuth keys

Correct Approach:

yaml

# application.yml
spring:
  datasource:
    password: ${DB_PASSWORD}  # Read from environment variables

Secure Development Process

1. Requirements Phase

Identify security requirements
Threat modeling

2. Design Phase

Secure architecture design
Secure design review

3. Coding Phase

Secure coding standards
Code review

4. Testing Phase

Security testing
Penetration testing
Vulnerability scanning

5. Deployment Phase

Security configuration check
Deploy with least privilege

6. Operations Phase

Security monitoring
Patch management
Incident response

Recommended Tools

Static Analysis

SpotBugs: Java code defect detection
SonarQube: Code quality and security
Checkmarx: Commercial static analysis tool

Dependency Check

OWASP Dependency-Check: Dependency vulnerability scanning
Snyk: Open source dependency vulnerability detection

Dynamic Testing

OWASP ZAP: Web application security testing
Burp Suite: Penetration testing tool

Key Scanning

git-secrets: Prevent key commits
TruffleHog: Git history key scanning