owasp-security
OWASP Security
Concept of the skill
Application-security review is source-to-sink reasoning over trust boundaries. The reviewer identifies attacker-controlled inputs, privileged operations, sensitive data, external dependencies, configuration, and error paths, then asks whether each path preserves confidentiality, integrity, availability, and authorization under hostile input and partial failure.
Concept of the Skill
What it is. A security-specific review discipline for code, design, and configuration. It uses the current OWASP Top 10:2025 as its primary vocabulary, retains the 2021 mapping for compatibility, and turns each suspected weakness into concrete evidence, impact, mitigation, and tests.
Mental model. Security failures occur at boundaries: user to server, tenant to tenant, client to data store, app to dependency, CI to registry, normal path to error path, log stream to human response. Review every boundary as hostile unless the code proves otherwise.
What it is NOT. It is not a holistic PR review, incident debugging, policy writing, or LLM prompt-injection architecture. It may compose with those skills, but it owns the application-security deep pass.