Owasp Appsec Starter
A 27-atom seed set distilled from the OWASP Cheat Sheet Series — the controls a web application must implement before any other security work is meaningful: input validation, authentication, session management, cryptogra…
$ prime install @security/collection-owasp-appsec-starter
Projection
Always in _index.xml · the agent never has to ask for this.
OWASP AppSec Starter [collection] v0.1.0
A 27-atom seed set distilled from the OWASP Cheat Sheet Series — the controls a web application must implement before any other security work is meaningful: input validation, authentication, session management, cryptographic storage, SQL injection prevention, XSS prevention, CSRF prevention, secrets management, and the two principles that hold them together (defence in depth, least privilege).
Loaded when retrieval picks the atom as adjacent / supporting.
OWASP AppSec Starter [collection] v0.1.0
A 27-atom seed set distilled from the OWASP Cheat Sheet Series — the controls a web application must implement before any other security work is meaningful: input validation, authentication, session management, cryptographic storage, SQL injection prevention, XSS prevention, CSRF prevention, secrets management, and the two principles that hold them together (defence in depth, least privilege).
Includes
- @security/principle-defense-in-depth
- @security/principle-least-privilege
- @security/persona-security-auditor
- @security/rule-validate-input-server-side
- @security/anti-pattern-trust-client-input
- @security/check-input-canonicalised-before-validation
- @security/value-input-validation-allow-list
- @security/rule-hash-passwords-with-argon2-or-bcrypt
- @security/anti-pattern-store-passwords-reversibly
- @security/check-multi-factor-authentication-enforced
- @security/rule-session-cookie-secure-flags
- @security/check-session-id-rotated-on-login
- @security/anti-pattern-session-id-in-url
- @security/rule-encrypt-data-at-rest-with-aead
- @security/anti-pattern-roll-your-own-crypto
- @security/check-tls-configuration-modern
- @security/rule-parameterize-sql-queries
- @security/anti-pattern-concatenate-sql-strings
- @security/check-no-string-concat-in-queries
- @security/rule-encode-output-by-context
- @security/anti-pattern-render-untrusted-html
- @security/check-csp-header-set
- @security/rule-csrf-token-on-state-changing-requests
- @security/anti-pattern-state-change-on-get
- @security/check-origin-or-referer-validated
- @security/rule-store-secrets-in-vault
- @security/anti-pattern-hardcode-secrets
Target
claude-code
Entry Point
Start with the two principles — defence-in-depth and least-privilege —
they justify every rule that follows. Then read the rule + anti-pattern
+ check triple in each attack-surface group; that triple is the
operational core for that domain.
The persona-security-auditor atom is the load-the-whole-pack entry:
activating it pulls the rules and rejects the anti-patterns so an
AI agent reviewing code thinks like an auditor by default.
Loaded when retrieval picks the atom as a focal / direct hit. This projection is identical to the adjacent / supporting projection above (same description, Includes list, Target and Entry Point).
Source
prime-system/examples/security-appsec/primes/compiled/@security/collection-owasp-appsec-starter/atom.yaml