Security Code Review

# Security Code Review

Perform a comprehensive security-focused code review to identify vulnerabilities, security weaknesses, and recommend security hardening measures.

## Security Review Checklist

### 1. Input Validation and Sanitization

**Injection Vulnerabilities**
- [ ] SQL Injection: All database queries use parameterized statements or ORMs
- [ ] Command Injection: No direct execution of user input
- [ ] LDAP Injection: Input properly escaped for directory services
- [ ] XPath Injection: XML queries use parameterized approaches
- [ ] Template Injection: Template engines configured securely

**Cross-Site Scripting (XSS)**
- [ ] All user input is sanitized before display
- [ ] Output encoding appropriate for context (HTML, JavaScript, URL, CSS)
- [ ] Content Security Policy (CSP) headers implemented
- [ ] Avoid innerHTML; use textContent or framework-specific safe methods
- [ ] Rich text editors sanitize HTML input

**Input Validation**
- [ ] Whitelist validation for all inputs
- [ ] Data type validation enforced
- [ ] Length limits enforced
- [ ] File upload restrictions (type, size, content validation)
- [ ] Regular expressions secure (no ReDoS vulnerabilities)

### 2. Authentication and Session Management

**Password Security**
- [ ] Passwords hashed with strong algorithm (bcrypt, Argon2, PBKDF2)
- [ ] Salt used for password hashing
- [ ] Minimum password strength requirements enforced
- [ ] No password in logs, error messages, or URLs
- [ ] Secure password reset mechanism
- [ ] Account lockout after failed attempts

**Session Security**
- [ ] Session IDs cryptographically random
- [ ] Session timeout implemented
- [ ] Secure and HttpOnly flags on session cookies
- [ ] SameSite cookie attribute configured
- [ ] Session ID regenerated after login
- [ ] Logout functionality properly destroys session
- [ ] No session data in URLs

**Multi-Factor Authentication**
- [ ] MFA available for sensitive operations
- [ ] Backup authentication methods provided
- [ ] Time-based one-time passwords (TOTP) properly implemented

### 3. Authorization and Access Control

**Authorization Checks**
- [ ] Authorization verified on server-side for every request
- [ ] Role-based access control (RBAC) or attribute-based (ABAC) implemented
- [ ] Principle of least privilege applied
- [ ] Direct object references protected (no IDOR vulnerabilities)
- [ ] Resource ownership verified before access
- [ ] Admin functions properly restricted

**API Security**
- [ ] API authentication required
- [ ] Rate limiting implemented
- [ ] API keys rotated regularly
- [ ] Proper CORS configuration
- [ ] API versioning strategy in place

### 4. Data Protection

**Sensitive Data**
- [ ] Sensitive data encrypted at rest
- [ ] Encryption in transit (TLS 1.2+ only)
- [ ] Strong encryption algorithms used (AES-256, RSA-2048+)
- [ ] Encryption keys properly managed (not hardcoded)
- [ ] PII data minimization practiced
- [ ] Data retention policies implemented

**Data Exposure**
- [ ] No sensitive data in logs
- [ ] Error messages don't leak information
- [ ] Debug mode disabled in production
- [ ] Database credentials not in code
- [ ] API keys and secrets in environment variables or secret management
- [ ] Source maps disabled in production

### 5. Cryptography

**Encryption Standards**
- [ ] Strong, standard algorithms only (no custom crypto)
- [ ] Appropriate key lengths (minimum AES-256, RSA-2048)
- [ ] Secure random number generation
- [ ] Proper IV/nonce generation for encryption
- [ ] Key rotation policy in place

**TLS/SSL**
- [ ] TLS 1.2 or higher required
- [ ] Certificate validation not disabled
- [ ] Strong cipher suites configured
- [ ] HSTS header enabled
- [ ] Certificate expiration monitoring

### 6. Error Handling and Logging

**Error Handling**
- [ ] Generic error messages to users
- [ ] Detailed errors logged server-side only
- [ ] No stack traces in production responses
- [ ] Errors don't reveal system information
- [ ] Proper exception handling (no silent failures)

**Logging**
- [ ] Security events logged (login attempts, access denials, etc.)
- [ ] Logs include timestamp, user, action, outcome
- [ ] No sensitive data in logs (passwords, tokens, PII)
- [ ] Log integrity protected
- [ ] Logs monitored for security events
- [ ] Log retention policy compliant

### 7. Dependencies and Third-Party Code

**Dependency Management**
- [ ] All dependencies up to date
- [ ] Known vulnerabilities patched (run `npm audit`, `safety`, etc.)
- [ ] Dependency integrity verified (lock files, SRI)
- [ ] Minimal dependency footprint
- [ ] Dependencies from trusted sources
- [ ] License compliance checked

**Third-Party Integrations**
- [ ] Third-party scripts integrity verified (SRI tags)
- [ ] API integrations use secure authentication
- [ ] Third-party data validated
- [ ] Proper error handling for external failures

### 8. File Upload Security

**Upload Validation**
- [ ] File type validation (content-based, not just extension)
- [ ] File size limits enforced
- [ ] Filename sanitization
- [ ] Malware scanning for uploads
- [ ] Uploaded files stored outside webroot
- [ ] Access controls on uploaded files
- [ ] Virus scanning integrated

### 9. API and Web Service Security

**API Hardening**
- [ ] Authentication required for all endpoints
- [ ] Input validation on all parameters
- [ ] Rate limiting per user/IP
- [ ] Request size limits
- [ ] Proper HTTP methods used
- [ ] CSRF protection for state-changing operations
- [ ] API versioning and deprecation policy

**GraphQL Security** (if applicable)
- [ ] Query depth limiting
- [ ] Query complexity analysis
- [ ] Disable introspection in production
- [ ] Proper authorization on resolvers
- [ ] Rate limiting per query cost

### 10. Security Headers

Required Security Headers:

• Content-Security-Policy
• X-Frame-Options: DENY
• X-Content-Type-Options: nosniff
• X-XSS-Protection: 1; mode=block
• Strict-Transport-Security
• Referrer-Policy: no-referrer-when-downgrade
• Permissions-Policy (formerly Feature-Policy)

## Vulnerability Severity Classification

**Critical**
- Remote code execution
- Authentication bypass
- Privilege escalation
- SQL injection with data access
- Exposure of sensitive data at scale

**High**
- XSS with admin access
- CSRF on critical operations
- Weak cryptography on sensitive data
- Authorization bypass
- Insecure direct object references

**Medium**
- XSS on limited scope
- Information disclosure (limited)
- Weak session management
- Missing security headers
- Insecure dependencies

**Low**
- Minor information disclosure
- Missing best practices
- Defense-in-depth improvements
- Non-critical misconfigurations

## Output Format

### Security Review Report

**Executive Summary**
- Total issues found by severity
- Critical risks requiring immediate attention
- Overall security posture assessment

**Detailed Findings**

For each vulnerability:

[Vulnerability Name] - [Severity]

Location: [File:Line or Endpoint]

Description: [Clear explanation of the vulnerability]

Risk: [Potential impact if exploited]

Affected Code:

[vulnerable code snippet]

Recommended Fix:

[secure code example]

References:

• [OWASP reference]
• [CWE reference]
• [Additional resources]

Priority: [Immediate/Short-term/Long-term]

## Remediation Recommendations

- Implement automated security scanning in CI/CD
- Regular dependency updates and vulnerability scanning
- Security training for development team
- Establish secure coding guidelines
- Code review checklist for security
- Penetration testing schedule
- Incident response plan
- Security monitoring and alerting

## Best Practices

- Review authentication and authorization logic thoroughly
- Pay special attention to user input handling
- Check for use of deprecated or weak cryptography
- Verify all sensitive data is protected
- Ensure proper error handling doesn't leak information
- Check security configurations (TLS, headers, CORS)
- Validate third-party dependencies are secure and updated
- Test for common OWASP Top 10 vulnerabilities
- Consider attack surface and threat modeling
- Document security assumptions and constraints