application-security
Secure applications against common vulnerabilities. Use when reviewing code for security, implementing security controls, or hardening applications. Covers OWASP Top 10.
Best use case
application-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using application-security should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/application-security/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
How application-security Compares
| Feature / Agent | application-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Secure applications against common vulnerabilities. Use when reviewing code for security, implementing security controls, or hardening applications. Covers OWASP Top 10.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Application Security
## OWASP Top 10 (2021)
### 1. Broken Access Control
**Risk**: Users acting outside their intended permissions, e.g. reading another user's record by changing an ID in the request, or reaching admin functions as an ordinary user.
**Prevention**:
- Deny by default
- Implement RBAC/ABAC
- Validate permissions server-side on every request; never trust client-supplied roles, flags or object IDs
- Log access failures (who, which action, which object) so probing can be detected
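As an added example (not part of this skill's SKILL.md), a deny-by-default authorization check with explicit role grants and an ownership rule, decided server-side from the session user and logging every denial. The role and action names, the document shape and the in-memory audit log are assumptions for illustration:

```typescript
// Added example, not from the original skill: deny-by-default RBAC with an
// ownership grant, decided server-side from the session user, never from a
// client-supplied role flag. Role/action names are illustrative assumptions.
type Role = "admin" | "editor" | "viewer";
type Action = "read" | "write" | "delete";

interface User { id: string; roles: Role[]; }
interface Doc { id: string; ownerId: string; }

// Explicit grants. Anything absent from this table is denied.
const ROLE_GRANTS: Record<Role, ReadonlySet<Action>> = {
  admin: new Set<Action>(["read", "write", "delete"]),
  editor: new Set<Action>(["read", "write"]),
  viewer: new Set<Action>(["read"]),
};

export interface Decision { allowed: boolean; reason: string; }

// Stand-in for a real audit sink: every denial is recorded with who/what/which,
// which is the signal used to spot IDOR probing and privilege-escalation attempts.
export const accessFailures: string[] = [];

export function authorize(user: User, action: Action, doc: Doc): Decision {
  if (doc.ownerId === user.id) {
    return { allowed: true, reason: "owner" };
  }
  for (const role of user.roles) {
    const grants = ROLE_GRANTS[role];
    if (grants !== undefined && grants.has(action)) {
      return { allowed: true, reason: `role:${role}` };
    }
  }
  // The fall-through is a denial; no code path grants by omission.
  accessFailures.push(`DENY user=${user.id} action=${action} doc=${doc.id}`);
  return { allowed: false, reason: "no matching grant" };
}

// Handler-style use: the caller passes the authenticated session user and the
// object loaded from storage, and maps the decision to an HTTP status.
export function handleDelete(sessionUser: User, doc: Doc): number {
  return authorize(sessionUser, "delete", doc).allowed ? 204 : 403;
}
```

Returning 404 rather than 403 for objects the caller should not learn exist is a common refinement; either way the decision and its log line come from the server-side lookup of the user and the object, not from anything in the request body.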
### 2. Cryptographic Failures
**Risk**: Sensitive data exposure through missing, weak or misused cryptography.
**Prevention**:
- Encrypt data at rest and in transit (TLS 1.2+ for transport)
- Use strong, authenticated algorithms (AES-256-GCM; RSA-2048+ or elliptic-curve keys for asymmetric operations); avoid ECB and unauthenticated CBC
- Never store passwords in plaintext or with a fast hash; use a slow, salted password hash (Argon2id, scrypt, bcrypt)
- Use secure key management (KMS/HSM, rotation, keys never in source control)
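As an added example (not part of this skill's SKILL.md), salted scrypt password hashing with constant-time verification, and AES-256-GCM with a fresh nonce and associated data for records at rest, using Node's built-in crypto module. The cost parameters, the storage format and the use of the owning user ID as associated data are assumptions for illustration:

```typescript
// Added example, not from the original skill: salted scrypt password hashing
// with constant-time verification, and AES-256-GCM with a fresh nonce and
// associated data for records at rest. Parameters are illustrative.
import {
  createCipheriv, createDecipheriv, randomBytes, scryptSync, timingSafeEqual,
} from "node:crypto";

// scrypt cost: N=2^14, r=8 (16 MiB); raise N (and maxmem) for production use.
const SCRYPT = { N: 1 << 14, r: 8, p: 1 };
const KEY_LEN = 32;

// Self-describing format so the cost can be raised later without breaking
// verification of older hashes.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN, SCRYPT);
  return ["scrypt", SCRYPT.N, SCRYPT.r, SCRYPT.p,
          salt.toString("base64"), key.toString("base64")].join("$");
}

export function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 6 || parts[0] !== "scrypt") return false;
  const [, n, r, p, saltB64, keyB64] = parts;
  const expected = Buffer.from(keyB64, "base64");
  const actual = scryptSync(password, Buffer.from(saltB64, "base64"), expected.length,
    { N: Number(n), r: Number(r), p: Number(p) });
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Layout: 12-byte nonce || ciphertext || 16-byte tag. The AAD binds the record
// to its context (e.g. the owning user id) so a blob cannot be swapped between rows.
export function encryptAtRest(key: Buffer, plaintext: string, aad: string): Buffer {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]);
}

export function decryptAtRest(key: Buffer, blob: Buffer, aad: string): string | null {
  if (blob.length < 12 + 16) return null;
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(blob.length - 16);
  const ct = blob.subarray(12, blob.length - 16);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  decipher.setAAD(Buffer.from(aad, "utf8"));
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // tag check failed: tampering, wrong key or wrong AAD
  }
}
```

The data key passed to encryptAtRest would normally be unwrapped from a KMS or HSM at startup rather than read from configuration; never reuse a nonce under the same key, since GCM loses both confidentiality and integrity when that happens.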
### 3. Injection
**Risk**: Untrusted input interpreted as part of a query or command (SQL, NoSQL, OS command, LDAP, template).
**Prevention**:
```typescript
// db: a node-postgres Pool/Client (assumed, not defined here)
// BAD - SQL injection: user input becomes part of the SQL text
function findUserUnsafe(userId: string) {
  return db.query(`SELECT * FROM users WHERE id = ${userId}`);
}
// GOOD - Parameterized query: SQL text is fixed, the value is bound separately
function findUser(userId: string) {
  return db.query('SELECT * FROM users WHERE id = $1', [userId]);
}
```
### 4. Insecure Design
**Risk**: Missing security controls by design.
**Prevention**:
- Threat modeling
- Security requirements
- Defense in depth
### 5. Security Misconfiguration
**Risk**: Default or weak configuration.
**Prevention**:
- Disable unnecessary features
- Remove default credentials
- Keep software updated
- Harden server configuration
### 6. Vulnerable Components
**Risk**: Using libraries with known vulnerabilities.
**Prevention**:
- Regular dependency audits
- Keep dependencies updated
- Monitor CVE databases
### 7. Authentication Failures
**Risk**: Weak or broken authentication.
**Prevention**:
- Multi-factor authentication
- Strong password policies: minimum length, checks against breached-password lists, no forced complexity rules or periodic rotation
- Secure session management: random session IDs, rotation on login, idle and absolute expiry, HttpOnly/Secure cookies
- Rate limiting on login, per account and per source address, with lockout after repeated failures
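As an added example (not part of this skill's SKILL.md), login throttling keyed by both account and source IP, with a lockout once the failure budget is spent, and a login flow that throttles before it touches credentials. The thresholds, the in-memory store, the injected clock and the plaintext user map are assumptions for illustration:

```typescript
// Added example, not from the original skill: login throttling keyed by both
// account and source IP, with a lockout once the failure budget is spent.
// Thresholds and the in-memory store are illustrative; a real deployment keeps
// this state in a shared store so it survives restarts and multiple instances.
export function createLoginLimiter(maxFailures = 5, windowMs = 15 * 60_000, lockoutMs = 15 * 60_000) {
  const failures = new Map<string, number[]>(); // key -> recent failure timestamps
  const lockedUntil = new Map<string, number>(); // key -> time the lockout ends

  // Failures older than the window are dropped; the kept array is the stored one.
  function recent(key: string, now: number): number[] {
    const kept = (failures.get(key) ?? []).filter(t => now - t < windowMs);
    failures.set(key, kept);
    return kept;
  }

  return {
    // true: the attempt may proceed to credential verification
    allow(key: string, now: number): boolean {
      const until = lockedUntil.get(key);
      if (until !== undefined) {
        if (now < until) return false;
        lockedUntil.delete(key);
      }
      return recent(key, now).length < maxFailures;
    },
    recordFailure(key: string, now: number): void {
      const kept = recent(key, now);
      kept.push(now);
      if (kept.length >= maxFailures) lockedUntil.set(key, now + lockoutMs);
    },
    recordSuccess(key: string): void {
      failures.delete(key);
      lockedUntil.delete(key);
    },
  };
}

export type LoginLimiter = ReturnType<typeof createLoginLimiter>;
export type LoginResult = "ok" | "throttled" | "invalid";

// The throttle runs before any credential check, so locked-out attempts cost
// nothing and cannot be used to test passwords. `users` is a stand-in for the
// password-hash lookup; a real check would call a verifyPassword() routine.
export function login(limiter: LoginLimiter, users: Map<string, string>,
                      username: string, password: string, ip: string, now: number): LoginResult {
  const account = username.trim().toLowerCase();
  const keys = [`user:${account}`, `ip:${ip}`];
  if (!keys.every(k => limiter.allow(k, now))) return "throttled";
  if (users.get(account) !== password) {
    keys.forEach(k => limiter.recordFailure(k, now));
    return "invalid";
  }
  keys.forEach(k => limiter.recordSuccess(k));
  return "ok";
}
```

The HTTP response for "throttled" and "invalid" should carry the same generic message so the endpoint does not confirm which accounts exist or are locked. Keying on IP alone is weak (botnets spread attempts; NAT puts many users behind one address), which is why the per-account key is there too, and why MFA remains the control that actually stops credential stuffing.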
### 8. Software & Data Integrity
**Risk**: Code, dependencies or updates accepted without integrity verification (unsigned updates, unpinned CDN scripts, insecure deserialization of untrusted data).
**Prevention**:
- Verify code signatures
- Use SRI for CDN resources
- Secure CI/CD pipeline
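As an added example (not part of this skill's SKILL.md), generating a Subresource Integrity value for a script, checking a fetched copy against it, and verifying an Ed25519-signed update manifest with Node's crypto module. The key pair, the manifest contents and the script body are constructed here for illustration:

```typescript
// Added example, not from the original skill: generating a Subresource
// Integrity value for a script, checking a fetched copy against it, and
// verifying an Ed25519-signed update manifest. Key pair and manifest
// contents are constructed here for illustration.
import { createHash, generateKeyPairSync, sign, verify, timingSafeEqual, KeyObject } from "node:crypto";

type SriAlgo = "sha256" | "sha384" | "sha512";
const SRI_ALGOS: ReadonlySet<string> = new Set(["sha256", "sha384", "sha512"]);

export function sriDigest(content: string | Buffer, algo: SriAlgo = "sha384"): string {
  return `${algo}-${createHash(algo).update(content).digest("base64")}`;
}

// crossorigin="anonymous" is required for SRI on cross-origin resources.
export function scriptTag(src: string, content: string): string {
  return `<script src="${src}" integrity="${sriDigest(content)}" crossorigin="anonymous"></script>`;
}

// Accepts the content if it matches any listed digest. (Browsers only consider
// tokens of the strongest listed algorithm; this simplification is fine for a
// build-time or proxy-side check against a single expected value.)
export function checkIntegrity(content: string | Buffer, integrity: string): boolean {
  return integrity.split(/\s+/).filter(Boolean).some(token => {
    const dash = token.indexOf("-");
    if (dash < 0) return false;
    const algo = token.slice(0, dash);
    if (!SRI_ALGOS.has(algo)) return false;
    const expected = Buffer.from(token.slice(dash + 1), "base64");
    const actual = createHash(algo).update(content).digest();
    return actual.length === expected.length && timingSafeEqual(actual, expected);
  });
}

// Update manifests: the publisher signs the manifest bytes with an Ed25519
// private key; clients ship the public key and refuse any manifest that does
// not verify. Ed25519 takes no separate digest, hence the null algorithm.
export function signManifest(privateKey: KeyObject, manifest: string): Buffer {
  return sign(null, Buffer.from(manifest, "utf8"), privateKey);
}

export function verifyManifest(publicKey: KeyObject, manifest: string, signature: Buffer): boolean {
  return verify(null, Buffer.from(manifest, "utf8"), publicKey, signature);
}

// Constructed key pair for the example only; a real publisher keeps the
// private key in an HSM or signing service, never in the repository.
export function demoKeyPair(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync("ed25519");
}
```

The same pattern applies to a CI/CD pipeline: pin the digest of every fetched action, base image and artifact, and verify a signature over the release manifest before anything in it is installed; an unverified manifest that points at the "right" artifact hash is still attacker-controlled input.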
### 9. Logging & Monitoring Failures
**Risk**: Attacks go undetected.
**Prevention**:
- Log security events
- Monitor for anomalies
- Alert on suspicious activity
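As an added example (not part of this skill's SKILL.md), structured JSON-line security events plus two detections run over them: a credential-stuffing burst from one source address, and one session walking many object IDs it is not allowed to see. The SAMPLE_LOG lines are constructed for the example; field names and thresholds are assumptions:

```typescript
// Added example, not from the original skill: JSON-line security events plus
// two detections over them. The SAMPLE_LOG lines below are constructed for
// the example; field names and thresholds are illustrative assumptions.
export interface SecurityEvent {
  ts: number;                                   // epoch milliseconds
  type: "auth.fail" | "auth.ok" | "authz.deny";
  ip: string;
  user?: string;
  resource?: string;
}

const EVENT_TYPES = new Set(["auth.fail", "auth.ok", "authz.deny"]);

// One JSON object per line. Never include credentials, tokens or full request
// bodies, only the identifiers needed to correlate.
export function formatEvent(e: SecurityEvent): string {
  return JSON.stringify(e);
}

// Tolerant parser: a malformed line is skipped, not allowed to stop the pipeline.
export function parseEvents(lines: string[]): SecurityEvent[] {
  const out: SecurityEvent[] = [];
  for (const line of lines) {
    try {
      const o = JSON.parse(line);
      if (typeof o.ts === "number" && typeof o.ip === "string" && EVENT_TYPES.has(o.type)) {
        out.push(o as SecurityEvent);
      }
    } catch {
      // unparseable line: dropped, counted elsewhere in a real pipeline
    }
  }
  return out;
}

// Sliding window: report every IP with >= threshold auth failures inside windowMs.
export function detectBruteForce(events: SecurityEvent[], threshold: number, windowMs: number): string[] {
  const byIp = new Map<string, number[]>();
  for (const e of events) {
    if (e.type !== "auth.fail") continue;
    const list = byIp.get(e.ip) ?? [];
    list.push(e.ts);
    byIp.set(e.ip, list);
  }
  const hits: string[] = [];
  byIp.forEach((times, ip) => {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] >= windowMs) start++;
      if (end - start + 1 >= threshold) { hits.push(ip); return; }
    }
  });
  return hits;
}

// Access-control probing: a user denied on >= threshold distinct resources.
export function detectEnumeration(events: SecurityEvent[], threshold: number): string[] {
  const byUser = new Map<string, Set<string>>();
  for (const e of events) {
    if (e.type !== "authz.deny" || !e.user || !e.resource) continue;
    const set = byUser.get(e.user) ?? new Set<string>();
    set.add(e.resource);
    byUser.set(e.user, set);
  }
  const hits: string[] = [];
  byUser.forEach((resources, user) => { if (resources.size >= threshold) hits.push(user); });
  return hits;
}

// Constructed sample: six failures from one address, then a user probing invoices.
export const SAMPLE_LOG: string[] = [
  '{"ts":1000,"type":"auth.fail","ip":"203.0.113.7","user":"alice"}',
  '{"ts":2000,"type":"auth.fail","ip":"203.0.113.7","user":"bob"}',
  '{"ts":3000,"type":"auth.fail","ip":"203.0.113.7","user":"carol"}',
  '{"ts":4000,"type":"auth.fail","ip":"203.0.113.7","user":"dave"}',
  '{"ts":5000,"type":"auth.fail","ip":"203.0.113.7","user":"erin"}',
  '{"ts":6000,"type":"auth.fail","ip":"203.0.113.7","user":"frank"}',
  '{"ts":7000,"type":"auth.fail","ip":"198.51.100.2","user":"alice"}',
  '{"ts":8000,"type":"auth.ok","ip":"198.51.100.2","user":"alice"}',
  '{"ts":9000,"type":"authz.deny","ip":"198.51.100.2","user":"alice","resource":"/invoices/101"}',
  '{"ts":9100,"type":"authz.deny","ip":"198.51.100.2","user":"alice","resource":"/invoices/102"}',
  '{"ts":9200,"type":"authz.deny","ip":"198.51.100.2","user":"alice","resource":"/invoices/103"}',
  'garbage line that is not JSON',
];
```

Both detections only work because the application emitted the events in the first place: a login handler that logs nothing on failure, or an authorization layer that returns 403 silently, leaves the monitoring team blind no matter how good the SIEM rules are.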
### 10. Server-Side Request Forgery
**Risk**: Server makes requests to unintended destinations.
**Prevention**:
- Validate and normalise URLs (scheme, host, port) before use
- Use a hostname allowlist rather than a denylist
- Block internal, loopback and link-local addresses (including cloud metadata endpoints), checking the address actually connected to rather than only the hostname, and re-check on redirects
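As an added example (not part of this skill's SKILL.md), outbound URL validation for a fetch-on-behalf-of-user feature: scheme, port and credential checks, a hostname allowlist, rejection of IP literals, and an internal-address check applied to the resolved addresses. The allowlist is an assumption, and the resolvedAddrs parameter stands in for the result of a DNS lookup so the check runs offline here:

```typescript
// Added example, not from the original skill: outbound URL validation for a
// fetch-on-behalf-of-user feature. The allowlist is an assumption; the
// `resolvedAddrs` parameter stands in for the result of a DNS lookup so the
// check can run offline here.
import { isIP } from "node:net";

const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["api.example.com", "cdn.example.com"]);

// Unspecified, loopback, private, CGNAT, link-local (incl. 169.254.169.254
// cloud metadata), IPv6 link-local/ULA, and IPv4-mapped IPv6 forms.
export function isInternalAddress(addr: string): boolean {
  const family = isIP(addr);
  if (family === 4) {
    const [a, b] = addr.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (family === 6) {
    const v6 = addr.toLowerCase();
    if (v6 === "::" || v6 === "::1") return true;
    if (/^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true; // fe80::/10, fc00::/7
    const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(v6);
    if (mapped) return isInternalAddress(mapped[1] ?? "");
  }
  return false; // public address, or not an IP literal at all
}

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

export function validateOutboundUrl(raw: string, resolvedAddrs?: string[]): UrlCheck {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (url.port !== "" && url.port !== "443") return { ok: false, reason: `port ${url.port} not allowed` };
  // WHATWG parsing already normalises shorthand such as 2130706433 or 127.1 to
  // dotted-quad form and wraps IPv6 literals in brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (isIP(host)) {
    return { ok: false, reason: isInternalAddress(host) ? "internal address" : "IP literal not allowed" };
  }
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: `host ${host} not allowlisted` };
  // A hostname allowlist alone is not enough: the name may resolve to an internal
  // address (attacker-controlled DNS, rebinding). Check what will actually be
  // connected to, and connect to that pinned address rather than resolving again.
  if (resolvedAddrs && resolvedAddrs.some(isInternalAddress)) {
    return { ok: false, reason: "host resolves to an internal address" };
  }
  return { ok: true, url };
}
```

In practice the caller performs the lookup with dns.lookup, passes the addresses in, and then makes the request with redirects disabled (or re-validates each redirect target), since a 302 from an allowlisted host to http://169.254.169.254/ is the classic bypass. The hex-form mapped address ::ffff:a9fe:a9fe and other exotic encodings are a reminder that address checks belong as close to the socket as possible, not only on the URL string.

Related Skills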
Burp Suite Web Application Testing
This skill should be used when the user asks to "intercept HTTP traffic", "modify web requests", "use Burp Suite for testing", "perform web vulnerability scanning", "test with Burp Repeater", "analyze HTTP history", or "configure proxy for web testing". It provides comprehensive guidance for using Burp Suite's core features for web application security testing.
Build Your Cloud Security Skill
Create your cloud security skill in one prompt, then learn to improve it throughout the chapter
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
aws-security-audit
Comprehensive AWS security posture assessment using AWS CLI and security best practices
awesome-copilot-root-stackhawk-security-onboarding
Automatically set up StackHawk security testing for your repository with generated configuration and GitHub Actions workflow Use when: the task directly matches stackhawk security onboarding responsibilities within plugin awesome-copilot-root. Do not use when: a more specific framework or task-focused skill is clearly a better match.
astro-security
Security patterns for Astro lead generation websites on Cloudflare. Forms, headers, bot protection, GDPR. Use for any production lead gen site.
architecting-security
Design comprehensive security architectures using defense-in-depth, zero trust principles, threat modeling (STRIDE, PASTA), and control frameworks (NIST CSF, CIS Controls, ISO 27001). Use when designing security for new systems, auditing existing architectures, or establishing security governance programs.
arch-security-review
Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection.
appwrite-security-operations
Production security operations for Appwrite services. Use when defining security quality gates, runtime hardening, API key lifecycle management, dependency vulnerability control, and incident response workflows.
api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
agent-security-manager
Agent skill for security-manager - invoke with $agent-security-manager
agent-security-engineer
Expert infrastructure security engineer specializing in DevSecOps, cloud security, and compliance frameworks. Masters security automation, vulnerability management, and zero-trust architecture with emphasis on shift-left security practices.