playbooks

home / skills / baz-scm / awesome-reviewers / secure-coding

secure-coding skill

/_skills/secure-coding

This skill helps you embed secure coding practices across the development lifecycle, reducing vulnerabilities and protecting user data from common exploits.

npx playbooks add skill baz-scm/awesome-reviewers --skill secure-coding

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
1.7 KB
---
name: secure-coding
description: Incorporating security at every step of software development – writing code that defends against vulnerabilities and protects user data.
version: '1.0'
---
# Secure Coding Practices

In the age of constant cyber threats, security is everyone’s job. Developers are on the front lines of safeguarding applications, from locking down APIs to securing cloud deployments. This skill means anticipating how code could be exploited and coding defensively. With a majority of organizations attributing breaches to lack of cyber skills, there’s high demand for developers who can build secure systems from the ground up.

## Examples
- Validating all inputs and encoding outputs to prevent injection attacks (SQL injection, XSS, etc.).
- Using secure libraries and protocols (HTTPS, OAuth) and storing sensitive data (passwords, API keys) in encrypted form or secret managers.

## Guidelines
- **Follow Security Best Practices:** Adhere to well-known secure coding standards like the OWASP Top 10. Validate inputs, use proper authentication and error handling, and keep dependencies up to date to patch known vulnerabilities. These habits prevent common exploits.
- **DevSecOps Mindset:** Integrate security checks into development. Perform code reviews and use automated tools (scanners, dependency checks) to catch flaws early. For example, run static analysis to detect insecure code patterns before they reach production.
- **Cloud & API Security:** Be aware of security for the platforms you use. Protect cloud infrastructure with appropriate configurations and services and secure your APIs with authentication, authorization, and rate-limiting. Understanding cloud security is now essential for developers, not just dedicated security teams.

Overview

This skill teaches developers to build security into every stage of software development, from writing safe code to securing deployments. It focuses on defensive coding, threat awareness, and practical controls that reduce common vulnerabilities. The goal is to make secure choices routine so applications and user data remain protected.

How this skill works

The skill inspects code and development practices for common security weaknesses and recommends concrete fixes based on proven standards like the OWASP Top 10. It emphasizes automated checks (static analysis, dependency scanning) and peer review patterns, plus cloud and API hardening steps. Outputs include prioritized findings, remediation steps, and configuration guidance to close gaps quickly.

When to use it

  • During pull request reviews to catch insecure patterns before merge
  • When onboarding developers to enforce consistent secure coding habits
  • Before production deployments to validate cloud and API configurations
  • When integrating security into CI/CD pipelines with automated gates
  • When evaluating third-party libraries or dependencies for risk

Best practices

  • Validate all inputs and encode outputs to prevent injection and XSS
  • Follow OWASP Top 10 and language-specific secure coding standards
  • Use strong authentication, authorization, and least-privilege design
  • Automate static analysis and dependency scanning in CI pipelines
  • Store secrets in secret managers and use TLS/HTTPS for transport

Example use cases

  • Agentic code review flags unsafe string concatenation used in SQL queries and suggests parameterized queries
  • CI pipeline run fails a build when known vulnerable dependency versions are detected
  • Pre-deployment checklist verifies API tokens are not hard-coded and recommends secrets manager integration
  • Pull request guidance adds input validation and output encoding for user-supplied fields
  • Cloud configuration review identifies overly permissive IAM roles and provides least-privilege replacements

FAQ

Is this skill a substitute for a security team?

No. This skill empowers developers to reduce common risks and shift security left, but it complements — not replaces — dedicated security experts for threat modeling, incident response, and compliance.

Which tools should I add to CI for best coverage?

Combine static application security testing (SAST), dependency vulnerability scanners, and secret detection. Add runtime monitoring and infrastructure-as-code scanners for cloud environments.