@jgamaraalv/ts-dev-kit 1.0.0

package/skills/owasp-security-review/references/a03-supply-chain-failures.md

@@ -0,0 +1,65 @@
+# A03:2025 Software Supply Chain Failures
+
+Expanded from "Vulnerable and Outdated Components". 6 CWEs, 5.72% avg incidence. Highest average exploit (8.17) and impact (5.23) scores.
+
+## What to look for
+
+**Vulnerable dependencies:**
+
+- Outdated packages with known CVEs (check `package.json`, `requirements.txt`, `Gemfile`, etc.)
+- No lock file (`yarn.lock`, `package-lock.json`) — versions unpinned
+- Lock file not committed to version control
+- No automated vulnerability scanning (Dependabot, Snyk, npm audit, etc.)
+- Transitive dependencies with known vulnerabilities
+
+**Untrusted sources:**
+
+- Packages installed from unofficial registries or URLs
+- Git dependencies pointing to forks or unknown repos
+- Unsigned packages or missing integrity hashes
+- `.npmrc` or pip config pointing to non-standard registries
+
+**Build pipeline risks:**
+
+- CI/CD pipelines without integrity checks
+- Build scripts that `curl | bash` from external URLs
+- No separation of duties (same person writes and deploys code)
+- Secrets in CI config files or build logs
+- Missing branch protection rules
+- No signed commits or artifact signing
+
+**Unmaintained components:**
+
+- Dependencies with no updates in 2+ years
+- Libraries with known EOL (end of life) status
+- No alternative available for deprecated packages
+
+**Post-install scripts:**
+
+- npm `postinstall` scripts that execute arbitrary code
+- pip `setup.py` with network calls or system commands
+
+## Prevention checklist
+
+- [ ] Generate and maintain an SBOM (Software Bill of Materials) — use CycloneDX or SPDX
+- [ ] Track all direct AND transitive dependencies
+- [ ] Run `npm audit` / `yarn audit` / `pip-audit` in CI
+- [ ] Enable Dependabot, Renovate, or similar for automated dependency updates
+- [ ] Pin dependency versions; use lock files; commit lock files
+- [ ] Only use packages from trusted registries with verified publishers
+- [ ] Prefer signed packages; verify checksums
+- [ ] Review and approve dependency updates before merging
+- [ ] Remove unused dependencies to reduce attack surface
+- [ ] Harden CI/CD: enable MFA, lock down IAM, separate duties, sign builds
+- [ ] Use staged rollouts for dependency updates
+- [ ] Monitor CVE databases: NVD, OSV, GitHub Advisory Database
+- [ ] Audit npm postinstall scripts before adding new dependencies
+
+## Key CWEs
+
+| CWE  | Name                                             | Common in           |
+| ---- | ------------------------------------------------ | ------------------- |
+| 1104 | Use of Unmaintained Third Party Components       | Abandoned libraries |
+| 1395 | Dependency on Vulnerable Third-Party Component   | Known CVEs          |
+| 1329 | Reliance on Component That is Not Updateable     | Locked-in versions  |
+| 1357 | Reliance on Insufficiently Trustworthy Component | Unverified sources  |

package/skills/owasp-security-review/references/a04-cryptographic-failures.md

@@ -0,0 +1,82 @@
+# A04:2025 Cryptographic Failures
+
+32 CWEs, 3.80% avg incidence, 1.6M+ occurrences. Leads to sensitive data exposure or system compromise.
+
+## What to look for
+
+**Data in transit:**
+
+- HTTP used instead of HTTPS
+- Missing HSTS header
+- TLS < 1.2 allowed
+- Weak cipher suites (CBC mode, RC4, DES)
+- Self-signed certificates accepted without validation
+- Certificate chain not validated
+- STARTTLS used instead of implicit TLS
+- FTP, SMTP, or other unencrypted protocols for sensitive data
+
+**Data at rest:**
+
+- Sensitive data stored in plaintext (passwords, tokens, PII, credit cards)
+- Database columns with sensitive data not encrypted
+- Backups not encrypted
+- Sensitive data in log files
+
+**Password storage:**
+
+- MD5 or SHA1 used for password hashing
+- Passwords hashed without salt
+- Fast hash functions (SHA-256 without key stretching) for passwords
+- Missing work factor — use Argon2, scrypt, bcrypt, or PBKDF2
+
+**Key management:**
+
+- Hardcoded encryption keys or API keys in source code
+- Keys committed to version control
+- Keys not rotated
+- Weak key generation (predictable seeds, insufficient entropy)
+- Keys stored in plaintext files
+- Same key used across environments
+
+**Weak algorithms:**
+
+- MD5, SHA1 for integrity/signatures
+- DES, 3DES, RC4 for encryption
+- RSA without OAEP padding
+- ECB mode for block ciphers
+- `Math.random()` or similar non-CSPRNG for security purposes
+
+**Missing encryption:**
+
+- Caching of responses containing sensitive data (CDN, Redis, browser)
+- Sensitive data in URL query strings
+- Sensitive data in cookies without encryption
+
+## Prevention checklist
+
+- [ ] Classify data by sensitivity; apply controls per classification
+- [ ] Encrypt all data in transit with TLS >= 1.2, forward secrecy ciphers
+- [ ] Enable HSTS with `includeSubDomains` and `preload`
+- [ ] Encrypt sensitive data at rest
+- [ ] Hash passwords with Argon2, scrypt, or bcrypt (with appropriate work factor)
+- [ ] Use authenticated encryption (AES-GCM, ChaCha20-Poly1305) — never just encryption
+- [ ] Generate keys with CSPRNG; store in HSM or secrets manager
+- [ ] Rotate keys regularly; never hardcode keys in source
+- [ ] Disable caching for responses with sensitive data
+- [ ] Drop support for TLS < 1.2 and CBC ciphers
+- [ ] Don't store sensitive data unnecessarily; discard when no longer needed
+- [ ] Use `crypto.randomUUID()` or `crypto.getRandomValues()` (Node.js) — never `Math.random()`
+- [ ] Validate server certificates and trust chains
+
+## Key CWEs
+
+| CWE | Name                                    | Common in                   |
+| --- | --------------------------------------- | --------------------------- |
+| 327 | Broken or Risky Cryptographic Algorithm | MD5, SHA1, DES usage        |
+| 328 | Reversible One-Way Hash                 | Weak password hashing       |
+| 330 | Use of Insufficiently Random Values     | Predictable tokens          |
+| 338 | Cryptographically Weak PRNG             | Math.random() for secrets   |
+| 321 | Use of Hard-coded Cryptographic Key     | Keys in source code         |
+| 319 | Cleartext Transmission                  | HTTP, unencrypted protocols |
+| 326 | Inadequate Encryption Strength          | Short keys, weak ciphers    |
+| 916 | Password Hash With Insufficient Effort  | Fast hashing for passwords  |

package/skills/owasp-security-review/references/a05-injection.md

@@ -0,0 +1,106 @@
+# A05:2025 Injection
+
+- [What to look for](#what-to-look-for)
+- [Prevention checklist](#prevention-checklist)
+- [Code patterns](#code-patterns)
+- [Key CWEs](#key-cwes)
+
+37 CWEs, 3.08% avg incidence, 1.4M+ occurrences, 62K+ CVEs. Includes XSS (30K+ CVEs) and SQLi (14K+ CVEs).
+
+## What to look for
+
+**SQL Injection:**
+
+- String concatenation in SQL queries: `"SELECT * FROM users WHERE id = " + userId`
+- Template literals in SQL: `` `SELECT * FROM users WHERE id = ${userId}` ``
+- ORM raw queries with user input interpolated
+- Stored procedures that concatenate user input
+- Missing parameterized queries / prepared statements
+
+**Cross-Site Scripting (XSS):**
+
+- User input rendered in HTML without encoding/escaping
+- `dangerouslySetInnerHTML` in React with unsanitized content
+- `innerHTML`, `outerHTML`, `document.write()` with user input
+- URL parameters reflected in page without encoding
+- Missing Content-Security-Policy header
+- SVG or HTML file uploads served inline
+
+**Command Injection:**
+
+- Shell commands built via string concatenation with user input
+- Using `exec()` instead of `execFile()` with argument arrays in Node.js
+- User input passed to `eval()`, `Function()`, `setTimeout(string)`
+- Template engines with unescaped user input (SSTI)
+
+**NoSQL Injection:**
+
+- MongoDB queries with user-controlled operators (`$gt`, `$ne`, `$where`)
+- JSON body parsed directly into query filters without validation
+
+**Other injection types:**
+
+- LDAP queries with unescaped user input
+- XPath queries with string concatenation
+- Header injection (CRLF in user-controlled header values)
+- Log injection (unescaped user input in log messages)
+- Expression Language injection (Spring EL, OGNL)
+
+**LLM Prompt Injection:**
+
+- User input passed directly into LLM prompts without sanitization
+- See OWASP LLM Top 10 for detailed guidance
+
+## Prevention checklist
+
+- [ ] Use parameterized queries / prepared statements for ALL database access
+- [ ] Use ORM methods properly — avoid raw query interpolation
+- [ ] Context-aware output encoding (HTML, JS, URL, CSS contexts)
+- [ ] In React: avoid `dangerouslySetInnerHTML`; if necessary, sanitize with DOMPurify
+- [ ] Set `Content-Security-Policy` header to restrict inline scripts
+- [ ] Use `execFile()` with argument arrays instead of shell string interpolation
+- [ ] Never use `eval()` or `Function()` with user input
+- [ ] Validate and sanitize all input server-side (allowlist preferred over denylist)
+- [ ] For file uploads: validate MIME type, don't serve inline, use Content-Disposition: attachment
+- [ ] Encode user input in log messages to prevent log injection
+- [ ] Use SAST/DAST tools in CI/CD to catch injection flaws early
+
+## Code patterns
+
+**Bad — SQL string concatenation (Node.js):**
+
+```js
+db.query(`SELECT * FROM users WHERE email = '${req.body.email}'`);
+```
+
+**Good — Parameterized query:**
+
+```js
+db.query("SELECT * FROM users WHERE email = $1", [req.body.email]);
+```
+
+**Bad — Shell command with string interpolation:**
+
+```js
+// DANGEROUS: allows command injection
+const cmd = "convert " + req.query.filename + " output.png";
+```
+
+**Good — Argument array (no shell):**
+
+```js
+// SAFE: arguments passed as array, not interpreted by shell
+execFile("convert", [req.query.filename, "output.png"]);
+```
+
+## Key CWEs
+
+| CWE | Name                                 | Common in            |
+| --- | ------------------------------------ | -------------------- |
+| 79  | Cross-site Scripting (XSS)           | Web frontends        |
+| 89  | SQL Injection                        | Database queries     |
+| 78  | OS Command Injection                 | Shell commands       |
+| 94  | Code Injection                       | eval(), dynamic code |
+| 77  | Command Injection                    | Subprocess calls     |
+| 20  | Improper Input Validation            | All input handling   |
+| 116 | Improper Encoding/Escaping of Output | Template rendering   |

package/skills/owasp-security-review/references/a06-insecure-design.md

@@ -0,0 +1,76 @@
+# A06:2025 Insecure Design
+
+39 CWEs, 1.86% avg incidence. Focuses on design and architecture flaws — not implementation bugs.
+
+## What to look for
+
+**Missing threat modeling:**
+
+- No documented threat model for the application
+- Security requirements not part of user stories
+- No abuse/misuse cases defined
+- Business logic not validated against adversarial use
+
+**Business logic flaws:**
+
+- No rate limiting on high-value operations (purchases, transfers, account creation)
+- Price/quantity manipulation possible via client-side values
+- Multi-step workflows that can be skipped or replayed
+- State transitions not validated (e.g., order status jumps from "pending" to "shipped")
+- Race conditions in concurrent operations (double-spend, TOCTOU)
+
+**Missing security controls by design:**
+
+- Client-side-only enforcement of security rules
+- No server-side validation of business rules
+- Trust boundary violations (trusting client-sent data as authoritative)
+- No separation of concerns between public/private/admin functionality
+- Insufficient tenant isolation in multi-tenant systems
+
+**Credential handling:**
+
+- Unprotected storage of credentials
+- Knowledge-based recovery ("security questions")
+- Credentials sent via insecure channels
+
+**File upload issues:**
+
+- No file type validation (server-side)
+- Dangerous file types accepted (.exe, .php, .jsp)
+- File content not inspected (MIME type spoofing)
+- Uploaded files stored in web-accessible directories
+- No file size limits
+
+**Insufficient compartmentalization:**
+
+- Monolithic permissions (all-or-nothing access)
+- No network segmentation between tiers
+- Single failure point brings down entire system
+
+## Prevention checklist
+
+- [ ] Perform threat modeling for critical flows (auth, payments, data access)
+- [ ] Define security requirements in user stories
+- [ ] Write misuse cases alongside use cases
+- [ ] Validate all business logic server-side — never trust the client
+- [ ] Rate-limit high-value operations
+- [ ] Validate state transitions (only allow legal state changes)
+- [ ] Implement proper tenant isolation in multi-tenant systems
+- [ ] Segregate application tiers on network level
+- [ ] Validate file uploads: type, size, content; store outside web root
+- [ ] Use secure design patterns from OWASP library
+- [ ] Test critical flows for race conditions
+- [ ] Replace security questions with secure recovery methods (email/SMS link)
+
+## Key CWEs
+
+| CWE | Name                                            | Common in              |
+| --- | ----------------------------------------------- | ---------------------- |
+| 434 | Unrestricted Upload of File with Dangerous Type | File uploads           |
+| 269 | Improper Privilege Management                   | Role systems           |
+| 501 | Trust Boundary Violation                        | Client/server boundary |
+| 522 | Insufficiently Protected Credentials            | Password storage       |
+| 362 | Race Condition                                  | Concurrent operations  |
+| 602 | Client-Side Enforcement of Server-Side Security | Frontend-only checks   |
+| 799 | Improper Control of Interaction Frequency       | Missing rate limiting  |
+| 841 | Improper Enforcement of Behavioral Workflow     | Skippable steps        |

package/skills/owasp-security-review/references/a07-authentication-failures.md

@@ -0,0 +1,83 @@
+# A07:2025 Authentication Failures
+
+36 CWEs, 2.92% avg incidence, 1.1M+ occurrences.
+
+## What to look for
+
+**Credential attacks not mitigated:**
+
+- No rate limiting on login attempts
+- No account lockout or progressive delays after failed attempts
+- No detection of credential stuffing or password spray attacks
+- No CAPTCHA or bot protection on login forms
+
+**Weak password policies:**
+
+- No minimum password length (NIST recommends >= 8 chars, allow up to 64+)
+- Forcing complexity rules instead of checking against breached password lists
+- Forced periodic password rotation (counterproductive per NIST 800-63b)
+- Not checking passwords against known breached lists (haveibeenpwned.com)
+- Allowing commonly used passwords ("password", "123456", "admin")
+
+**Missing MFA:**
+
+- No multi-factor authentication option
+- MFA easily bypassed via fallback mechanisms
+- SMS-only MFA without stronger alternatives (TOTP, WebAuthn)
+
+**Session management issues:**
+
+- Session ID not regenerated after login (session fixation)
+- Session ID in URL or hidden fields
+- Sessions not invalidated on logout
+- No idle timeout or absolute timeout
+- SSO logout doesn't invalidate all sessions (missing SLO)
+
+**Hardcoded credentials:**
+
+- Default passwords in code or config
+- API keys or service account credentials in source code
+- Test/admin accounts with known passwords in production
+
+**Account enumeration:**
+
+- Different error messages for "user not found" vs "wrong password"
+- Registration form reveals if an email is already registered
+- Password reset reveals if an email exists
+- Timing differences between existing/non-existing users
+
+**JWT issues:**
+
+- Missing signature validation
+- `alg: none` accepted
+- Weak signing keys
+- No `aud` or `iss` claim validation
+- Token not checked for expiry
+
+## Prevention checklist
+
+- [ ] Implement MFA for all users; enforce for admin accounts
+- [ ] Rate-limit login attempts with progressive delays
+- [ ] Check passwords against top 10K worst passwords + breached credential lists
+- [ ] Follow NIST 800-63b: min 8 chars, allow 64+, no forced rotation, no complexity rules
+- [ ] Use the same error message for all login failures ("Invalid credentials")
+- [ ] Regenerate session ID after successful login
+- [ ] Invalidate sessions server-side on logout; set idle + absolute timeouts
+- [ ] Never hardcode credentials; use secrets managers
+- [ ] Remove default accounts or force password change on first login
+- [ ] Validate JWT claims: `aud`, `iss`, `exp`, `nbf`; reject `alg: none`
+- [ ] Use well-tested auth libraries/frameworks instead of custom implementations
+- [ ] Log all authentication failures; alert on patterns (stuffing, brute force)
+
+## Key CWEs
+
+| CWE | Name                                            | Common in               |
+| --- | ----------------------------------------------- | ----------------------- |
+| 287 | Improper Authentication                         | Custom auth logic       |
+| 307 | Improper Restriction of Excessive Auth Attempts | Missing rate limiting   |
+| 384 | Session Fixation                                | Session not regenerated |
+| 521 | Weak Password Requirements                      | Poor password policy    |
+| 798 | Use of Hard-coded Credentials                   | Creds in source code    |
+| 613 | Insufficient Session Expiration                 | Long-lived sessions     |
+| 306 | Missing Authentication for Critical Function    | Unprotected endpoints   |
+| 640 | Weak Password Recovery Mechanism                | Security questions      |

package/skills/owasp-security-review/references/a08-integrity-failures.md

@@ -0,0 +1,72 @@
+# A08:2025 Software or Data Integrity Failures
+
+14 CWEs, 2.75% avg incidence, 501K+ occurrences. Focuses on trust boundaries and integrity verification.
+
+## What to look for
+
+**Insecure deserialization:**
+
+- Deserializing data from untrusted sources (user input, cookies, APIs)
+- Java `ObjectInputStream` on untrusted data
+- Python: using unsafe deserialization (e.g., `pickle`) on untrusted data — use JSON instead
+- PHP `unserialize()` on user input
+- Node.js YAML deserialization of untrusted data
+- JSON with type coercion enabling prototype pollution
+
+**Untrusted code inclusion:**
+
+- Scripts loaded from third-party CDNs without Subresource Integrity (SRI) hashes
+- `<script src="...">` without `integrity` attribute
+- Dynamic import of modules from user-controlled paths
+- iframes loading content from untrusted domains
+
+**Unsigned updates:**
+
+- Auto-update mechanisms that don't verify signatures
+- Firmware/software updates downloaded over HTTP
+- Package installations without checksum verification
+- Docker images pulled without digest verification
+
+**CI/CD integrity:**
+
+- Build artifacts not signed or verified
+- Pipeline pulls code/artifacts from untrusted sources
+- No separation between build and deploy permissions
+- Build environment not isolated
+
+**Cookie/data integrity:**
+
+- Cookies used for authorization decisions without server-side validation
+- Client-side data (hidden fields, local storage) trusted for security decisions
+- API responses cached and reused without revalidation
+
+**Prototype pollution (JavaScript):**
+
+- Recursive merge of user input into objects
+- `Object.assign()` or lodash `_.merge()` with untrusted data
+- `__proto__`, `constructor`, `prototype` not filtered from input
+
+## Prevention checklist
+
+- [ ] Use digital signatures to verify software/data integrity
+- [ ] Add Subresource Integrity (SRI) hashes to all CDN scripts/styles
+- [ ] Verify checksums/signatures for all downloaded packages and updates
+- [ ] Use trusted, vetted package registries; consider internal mirrors
+- [ ] Implement code review for all changes before deployment
+- [ ] Ensure CI/CD has proper segregation, access control, and audit logging
+- [ ] Never deserialize untrusted data with unsafe serializers; use JSON with schema validation
+- [ ] Validate all serialized data with integrity checks before processing
+- [ ] Filter `__proto__`, `constructor`, `prototype` from user input in JavaScript
+- [ ] Pin Docker image versions by digest, not just tag
+- [ ] Sign build artifacts and verify before deployment
+
+## Key CWEs
+
+| CWE | Name                                                            | Common in             |
+| --- | --------------------------------------------------------------- | --------------------- |
+| 502 | Deserialization of Untrusted Data                               | API payloads, cookies |
+| 829 | Inclusion of Functionality from Untrusted Sphere                | CDN scripts           |
+| 494 | Download of Code Without Integrity Check                        | Auto-updates          |
+| 345 | Insufficient Verification of Data Authenticity                  | Unsigned artifacts    |
+| 915 | Improperly Controlled Modification of Dynamic Object Attributes | Prototype pollution   |
+| 565 | Reliance on Cookies without Validation                          | Auth cookies          |

package/skills/owasp-security-review/references/a09-logging-alerting-failures.md

@@ -0,0 +1,76 @@
+# A09:2025 Security Logging & Alerting Failures
+
+5 CWEs, 3.91% avg incidence. Underrepresented in data but critical for incident detection.
+
+## What to look for
+
+**Missing audit logs:**
+
+- Login attempts (successful AND failed) not logged
+- Access control failures not logged
+- High-value transactions not logged
+- Admin actions not logged
+- Password changes/resets not logged
+- Input validation failures not logged
+
+**Insufficient log context:**
+
+- Logs missing timestamp, user ID, IP address, action performed
+- Logs missing request ID for correlation
+- Error logs without stack traces (in backend logs, not user-facing)
+- No distinction between security events and operational events
+
+**Log integrity issues:**
+
+- Logs stored only locally (no centralized log management)
+- Logs not protected from tampering (mutable storage)
+- No backup of log files
+- Log retention too short for forensic analysis
+
+**Log injection vulnerabilities:**
+
+- User input written to logs without encoding/escaping
+- Newlines in user input can forge log entries
+- Special characters that manipulate log viewers (ANSI escape codes)
+
+**Sensitive data in logs:**
+
+- Passwords, tokens, API keys logged in plaintext
+- Credit card numbers, SSNs, or PII in log entries
+- Session IDs logged
+- Request bodies with sensitive fields logged without redaction
+
+**Missing alerting:**
+
+- No alerts on repeated failed login attempts
+- No alerts on access control violations
+- No alerts on unusual patterns (geographic anomalies, time-based anomalies)
+- DAST/pentest scans don't trigger alerts
+- No incident response plan or playbook
+- Alert fatigue from too many false positives
+
+## Prevention checklist
+
+- [ ] Log all authentication events (login, logout, failed attempts, MFA events)
+- [ ] Log all access control failures with user context
+- [ ] Log all input validation failures
+- [ ] Include: timestamp, user ID, IP, action, resource, outcome in every log entry
+- [ ] Encode/escape user input in log messages (prevent log injection)
+- [ ] Never log passwords, tokens, credit cards, or other secrets
+- [ ] Redact sensitive fields before logging (mask PII)
+- [ ] Send logs to centralized, append-only log management (ELK, Datadog, etc.)
+- [ ] Protect log integrity — use append-only storage, monitor for tampering
+- [ ] Set up alerting for: repeated auth failures, access control violations, unusual patterns
+- [ ] Create and test incident response playbooks
+- [ ] Set appropriate log retention (regulatory requirements vary)
+- [ ] Use structured logging (JSON) for machine-parseable log entries
+- [ ] Add honeytokens to detect unauthorized access with near-zero false positives
+
+## Key CWEs
+
+| CWE | Name                                      | Common in                |
+| --- | ----------------------------------------- | ------------------------ |
+| 778 | Insufficient Logging                      | Missing audit trail      |
+| 532 | Sensitive Information in Log File         | Logging passwords/tokens |
+| 117 | Improper Output Neutralization for Logs   | Log injection            |
+| 223 | Omission of Security-relevant Information | Incomplete logs          |