Application Security Validator

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

Best use case

Application Security Validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

Teams using Application Security Validator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-appsec-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/security-appsec-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-appsec-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Application Security Validator Compares

Feature / AgentApplication Security ValidatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

**Trigger conditions:**
- Application security review before production deployment
- API security validation required
- Post-incident application security assessment
- Compliance requirement for web application security (OWASP alignment)
- Third-party application security questionnaire response

**Not for:**
- Automated SAST/DAST tool execution (provides methodology only)
- Penetration testing (provides control verification only)
- Infrastructure or cloud security (use security-cloud-analyzer)
- Network security assessment (use security-network-validator)

---

## Pre-Checks

**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates

**Input validation:**
- `application_identifier` must be non-empty string
- `assessment_scope` must be one of: [web-app, api, mobile-backend]
- `check_level` must be one of: [critical-only, standard, comprehensive]

**Source freshness:**
- OWASP Top 10 2021 (accessed 2025-10-26T01:33:55-04:00): https://owasp.org/www-project-top-ten/
- OWASP API Security Top 10 2023 (accessed 2025-10-26T01:33:55-04:00): https://owasp.org/API-Security/
- OWASP Cheat Sheet Series (accessed 2025-10-26T01:33:55-04:00): https://cheatsheetseries.owasp.org/

---

## Procedure

### Step 1: Critical Controls Check

**For web-app and mobile-backend:**
1. **A01:2021 - Broken Access Control** (accessed 2025-10-26T01:33:55-04:00): https://owasp.org/Top10/A01_2021-Broken_Access_Control/
   - Verify authorization checks on protected resources
   - Check for insecure direct object references (IDOR)
   - Validate access control enforcement at API/backend layer

2. **A03:2021 - Injection** (accessed 2025-10-26T01:33:55-04:00): https://owasp.org/Top10/A03_2021-Injection/
   - SQL injection prevention: parameterized queries or ORM usage
   - XSS protection: output encoding and Content Security Policy
   - Command injection: input validation and safe API usage

3. **A07:2021 - Identification and Authentication Failures** (accessed 2025-10-26T01:33:55-04:00): https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
   - Multi-factor authentication available for sensitive operations
   - Password policy compliance
   - Session management security (secure cookies, timeout)

**For api scope:**
1. **API1:2023 - Broken Object Level Authorization (BOLA)** (accessed 2025-10-26T01:33:55-04:00): https://owasp.org/API-Security/
   - Object-level authorization on every API endpoint
   - User context validation for resource access

2. **API2:2023 - Broken Authentication**
   - API key/token management and rotation
   - Authentication mechanism strength

3. **API4:2023 - Unrestricted Resource Consumption**
   - Rate limiting implementation
   - Request throttling and quotas

### Step 2: Generate Findings with Severity Scoring

For each failed check:
- Assign CVSS v3.1 score based on exploitability and impact
- Map to OWASP category (A01-A10 or API1-API10)
- Provide specific remediation steps with code examples where applicable

**Token budget:** T1 ≤2k tokens (critical-only), T2 ≤6k tokens (standard), T3 ≤12k tokens (comprehensive)

---

## Decision Rules

**Ambiguity thresholds:**
- If application architecture is unclear → request application documentation
- If authentication mechanism is not documented → flag as unknown risk

**Abort conditions:**
- No application identifier provided → cannot proceed
- Application architecture documentation unavailable → limited to surface-level checks only

**Severity classification:**
- Critical: Immediate exploitation risk (CVSS 9.0-10.0)
- High: Likely exploitation path (CVSS 7.0-8.9)
- Medium: Potential vulnerability (CVSS 4.0-6.9)
- Low: Best practice deviation (CVSS 0.1-3.9)

---

## Output Contract

**Required fields:**
```json
{
  "application_identifier": "string",
  "assessment_scope": "web-app|api|mobile-backend",
  "check_level": "critical-only|standard|comprehensive",
  "timestamp": "ISO-8601 with timezone",
  "findings": [
    {
      "id": "unique identifier",
      "owasp_category": "A01:2021|A02:2021|...|API1:2023|API2:2023|...",
      "severity": "critical|high|medium|low",
      "cvss_score": 0.0,
      "title": "brief description",
      "description": "detailed finding",
      "affected_endpoints": ["list of URLs or API paths"],
      "cwe_id": "CWE-XXX",
      "remediation": "specific fix steps with code examples",
      "references": ["URLs to OWASP guidance"]
    }
  ],
  "owasp_coverage": {
    "categories_assessed": ["A01:2021", "A02:2021", "..."],
    "categories_passed": ["list"],
    "categories_failed": ["list"]
  },
  "summary": {
    "total_findings": 0,
    "critical_count": 0,
    "high_count": 0,
    "medium_count": 0,
    "low_count": 0,
    "overall_risk": "critical|high|medium|low"
  }
}
```

**Type constraints:**
- CVSS scores: Float 0.0-10.0 (CVSSv3.1)
- Severity: Must be one of [critical, high, medium, low]
- Timestamps: ISO-8601 with timezone

---

## Examples

**Example: API Security Check**

```yaml
# Input
application_identifier: "payment-api-v2"
assessment_scope: "api"
check_level: "standard"

# Output (abbreviated)
{
  "application_identifier": "payment-api-v2",
  "assessment_scope": "api",
  "findings": [
    {
      "id": "APPSEC-001",
      "owasp_category": "API1:2023-BOLA",
      "severity": "high",
      "cvss_score": 8.1,
      "title": "Missing object-level authorization on /api/transactions/{id}",
      "remediation": "Add user ownership check before returning transaction data"
    }
  ],
  "summary": {
    "critical_count": 0,
    "high_count": 1,
    "overall_risk": "high"
  }
}
```

---

## Quality Gates

**Token budgets:**
- Critical-only: ≤2k tokens (top 3 OWASP categories only)
- Standard: ≤6k tokens (all critical + high severity checks)
- Comprehensive: ≤12k tokens (full OWASP Top 10 coverage with examples)

**Safety:**
- No credential exposure in findings
- No exploitation code provided

**Auditability:**
- All findings cite OWASP categories with access dates
- CVSS scores follow CVSSv3.1 methodology

**Determinism:**
- Same application state + inputs = consistent findings
- OWASP category mappings are stable

---

## Resources

**OWASP Top 10 2021:**
- A01:2021 - Broken Access Control: https://owasp.org/Top10/A01_2021-Broken_Access_Control/ (accessed 2025-10-26T01:33:55-04:00)
- A02:2021 - Cryptographic Failures: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ (accessed 2025-10-26T01:33:55-04:00)
- A03:2021 - Injection: https://owasp.org/Top10/A03_2021-Injection/ (accessed 2025-10-26T01:33:55-04:00)
- Full Top 10: https://owasp.org/www-project-top-ten/ (accessed 2025-10-26T01:33:55-04:00)

**OWASP API Security:**
- API Security Top 10 2023: https://owasp.org/API-Security/ (accessed 2025-10-26T01:33:55-04:00)
- API Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html (accessed 2025-10-26T01:33:55-04:00)

**Additional Resources:**
- OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/ (accessed 2025-10-26T01:33:55-04:00)
- CWE Top 25: https://cwe.mitre.org/top25/ (accessed 2025-10-26T01:33:55-04:00)

Related Skills

Service Level Objective Validator

5
from williamzujkowski/cognitive-toolworks

Validate SLO definitions against actual metrics, generate alerting rules, and design error budget policies with burn rate calculations.

Software Supply Chain Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.

Operating System Security Hardening Checker

5
from williamzujkowski/cognitive-toolworks

Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.

Network Security Architecture Validator

5
from williamzujkowski/cognitive-toolworks

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

IAM Security Reviewer

5
from williamzujkowski/cognitive-toolworks

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Cryptographic Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Container Security Checker

5
from williamzujkowski/cognitive-toolworks

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Cloud Security Posture Analyzer

5
from williamzujkowski/cognitive-toolworks

Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.

Security Assessment Orchestrator

5
from williamzujkowski/cognitive-toolworks

Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.

UX Design System Validator

5
from williamzujkowski/cognitive-toolworks

Validate design systems for accessibility (WCAG), responsive design, and component consistency with design token analysis.

Frontend Accessibility Validator

5
from williamzujkowski/cognitive-toolworks

Validate WCAG 2.2 compliance (A/AA/AAA) with ARIA, color contrast, keyboard navigation, screen readers, and automated testing via axe-core/Pa11y.

OSCAL SSP Validator

5
from williamzujkowski/cognitive-toolworks

Validates OSCAL System Security Plan documents against schemas, profiles, and cross-reference requirements with tiered validation depth.