Provides guidance on secure coding practices including OWASP Top 10 2025, CWE Top 25, input validation, output encoding, and language-specific security patterns. Use when reviewing code for security vulnerabilities, implementing security controls, or learning secure development practices.
View on GitHub: melodic-software/claude-code-plugins
security
January 21, 2026

Install with `npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/security/skills/secure-coding/SKILL.md -a claude-code --skill secure-coding`; installation path: `.claude/skills/secure-coding/`

# Secure Coding
Comprehensive guidance for writing secure code, covering OWASP Top 10 2025, CWE Top 25, and language-specific security patterns.
## When to Use This Skill
Use this skill when:
- Reviewing code for security vulnerabilities
- Implementing input validation or output encoding
- Learning about common security weaknesses (OWASP, CWE)
- Fixing identified security issues
- Writing security-sensitive code (authentication, authorization, data handling)
- Conducting security code reviews
## OWASP Top 10 2025 Quick Reference
| Rank | Vulnerability | Key Mitigation |
|------|--------------|----------------|
| A01 | Broken Access Control | Server-side access checks, deny by default, CORS restrictions |
| A02 | Security Misconfiguration | Hardened configs, remove defaults, disable unnecessary features |
| A03 | Software Supply Chain Failures | SCA, SBOM, verify dependencies, integrity checks |
| A04 | Cryptographic Failures | Strong encryption (AES-256), TLS 1.2+, no deprecated algorithms |
| A05 | Injection | Parameterized queries, input validation, context-aware encoding |
| A06 | Insecure Design | Threat modeling, secure design patterns, defense in depth |
| A07 | Authentication Failures | MFA, strong passwords, secure session management |
| A08 | Data Integrity Failures | Digital signatures, integrity verification, secure CI/CD |
| A09 | Logging & Alerting Failures | Centralized logging, anomaly detection, audit trails |
| A10 | Mishandling Exceptions | Fail securely, generic error messages, complete exception handling |
**For detailed mitigations:** See [OWASP Top 10 2025 Reference](references/owasp-top-10-2025.md)
## Core Secure Coding Principles
### 1. Input Validation
**Never trust user input.** Validate all inputs on the server side.
```csharp
using System.Text.RegularExpressions;

// Good: Server-side validation with allowlist
public static partial class InputValidation
{
    // Source-generated regex: compiled at build time, no runtime pattern parsing.
    [GeneratedRegex(@"^[a-zA-Z0-9_]{3,20}$")]
    private static partial Regex UsernameRegex(); // method name assumed; the page cuts off here

    // Reject null and anything outside the allowlist of 3-20 word characters.
    public static bool IsValidUsername(string? input) =>
        input is not null && UsernameRegex().IsMatch(input);
}
```
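One caveat worth checking when you copy the allowlist pattern above: in .NET, `$` also matches just before a final `\n`, so `"alice\n"` passes `^[a-zA-Z0-9_]{3,20}$` while `\z` anchors to the true end of the input. The example below is added here and is not the skill's own code; the class and method names and the sample inputs are constructed for the demonstration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not part of the original skill. Contrasts the page's '$'-anchored
// allowlist with a '\z'-anchored one on inputs that carry a trailing newline.
public static partial class UsernameValidation
{
    // Same pattern as the page's example: '$' matches at end OR before a final '\n'.
    [GeneratedRegex(@"^[a-zA-Z0-9_]{3,20}$")]
    private static partial Regex LooseUsernameRegex();

    // Hardened variant: '\z' matches only at the very end of the input.
    [GeneratedRegex(@"^[a-zA-Z0-9_]{3,20}\z")]
    private static partial Regex StrictUsernameRegex();

    public static bool LooseIsValid(string? value) =>
        value is not null && LooseUsernameRegex().IsMatch(value);

    public static bool StrictIsValid(string? value) =>
        value is not null && StrictUsernameRegex().IsMatch(value);

    public static void Main()
    {
        // Constructed sample inputs; "alice\n" is the case where the two checks disagree.
        string[] samples =
        {
            "alice", "bob_42", "ab", "alice\n", new string('x', 21), "al ice", "åbc"
        };

        foreach (var s in samples)
        {
            var shown = s.Replace("\n", "\\n");
            Console.WriteLine($"{shown,-25} loose={LooseIsValid(s),-5} strict={StrictIsValid(s)}");
        }
    }
}
```

Run it and compare the two columns row by row; the newline-terminated value is the one that slips through the loose check, which is why the strict anchor belongs in any allowlist that feeds file names, identifiers or log fields.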