- Home
- Skills
- Kousen
- Claude Code Training
- Security Review Skill
security-review-skill_skill
- Java
132
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill kousen/claude-code-training --skill security-review-skill- SKILL.md10.7 KB
Overview
This skill performs security-focused code reviews for Java codebases, identifying common vulnerabilities and recommending secure coding practices. It maps findings to OWASP Top 10 categories, cryptography and API security rules, and produces actionable remediation steps and severity guidance.
How this skill works
I scan code for patterns that indicate insecure constructs (e.g., string-built SQL, unsafe deserialization, hardcoded secrets, missing auth checks). For each issue I explain the risk, point to secure alternatives or APIs, and suggest concrete fixes and configuration changes. I also produce checklist items and remediation priority to guide fixes and testing.
When to use it
- During pull request reviews for backend Java services
- When auditing authentication, session or authorization logic
- Before releasing to production or changing dependency versions
- When assessing API endpoints for exposure and rate limiting
- When evaluating cryptography, secrets, or serialization code
Best practices
- Prefer parameterized queries (PreparedStatement) over string concatenation to prevent injection
- Hash passwords with bcrypt/Argon2 and generate cryptographically secure session IDs
- Avoid logging secrets; load keys from environment or vault and use secure storage
- Enable XXE protections on XML parsers and validate all deserialized types
- Enforce authorization checks, validate file paths, and normalize inputs to prevent path traversal
- Use dependency scanning in CI, keep libraries updated, and monitor advisories
Example use cases
- Identify SQL injection in a user search endpoint and provide a PreparedStatement patch
- Find hardcoded API keys and show how to switch to environment variables or a secrets vault
- Detect insecure XML parsing and add parser feature flags to disable external entities
- Audit authentication flow for missing MFA, weak session IDs, or plain-text password storage
- Review API controllers for missing rate limiting, excessive data exposure, and input validation
FAQ
Yes — each finding includes impact, recommended fixes and a remediation priority (e.g., Immediate for injection or broken auth).
Can you check dependencies for known vulnerabilities?
Yes — I recommend running tools like Maven dependency-check, mvn versions, npm audit or pip-audit and integrating scanners in CI.