Run comprehensive security audits with houtini-lm

Quick Start

Jump straight into security analysis with these ready-to-use prompts:

Run a comprehensive security audit on my project at C:/web-app

Please audit this auth file for security issues: C:/api/auth/LoginController.php

Check my WordPress plugin for security vulnerabilities: C:/wp-plugin

What It Does

Think of this as having a security consultant review your entire codebase whilst you focus on features. security_audit performs comprehensive vulnerability analysis across entire projects, examining data flows, authentication chains, and cross-file security patterns that single-file analysis might miss.

It goes far beyond basic static analysis by understanding how security vulnerabilities can chain together across multiple files and systems. This isn't just about finding obvious SQL injection opportunities - it's about understanding your application's complete security posture.

The audit examines your code through multiple security lenses:

• OWASP Top 10 Compliance - Industry-standard vulnerability categories
• Authentication & Authorization - Login systems, permission checks, session handling
• Input Validation & Sanitization - XSS prevention, SQL injection, data validation
• Data Flow Security - How sensitive data moves through your application
• Cross-File Vulnerability Chains - Security issues that span multiple components
• Framework-Specific Security - Laravel, WordPress, React security patterns

The analysis is conservative and professional - it focuses on genuine security risks rather than theoretical vulnerabilities, providing actionable findings suitable for security review documentation.

Parameters

Configure your security audit to focus on exactly what matters for your project:

*Either projectPath or filePath is required - choose based on the scope of your security review

Real-World Security Audits

Here's how to run security audits for different scenarios:

Full Application Security Review

houtini-lm:security_audit with:
- projectPath: "C:/my-web-app"
- auditDepth: "comprehensive"
- includeOwasp: true
- focusAreas: ["authentication", "data-flow", "input-validation"]

API Endpoint Security Check

houtini-lm:security_audit with:
- filePath: "C:/api/routes/payment.js"
- auditDepth: "comprehensive"
- focusAreas: ["input-validation", "data-flow"]
- projectType: "node-api"

WordPress Plugin Security Review

houtini-lm:security_audit with:
- projectPath: "C:/wordpress-plugins/my-plugin"
- projectType: "wordpress-plugin"
- auditDepth: "comprehensive"
- includeOwasp: true

React Application Security Scan

houtini-lm:security_audit with:
- projectPath: "C:/react-dashboard"
- projectType: "react-app"
- focusAreas: ["authentication", "input-validation"]
- auditDepth: "standard"

Security Findings You'll Receive

The audit delivers professional-grade security insights ready for security reviews and compliance documentation:

🛡️ OWASP Top 10 Compliance Analysis

Industry-standard vulnerability assessment covering:

• A01: Broken Access Control - Unauthorised access vulnerabilities
• A02: Cryptographic Failures - Weak encryption and data exposure
• A03: Injection - SQL injection, XSS, command injection
• A04: Insecure Design - Architecture-level security flaws
• A05: Security Misconfiguration - Default configs, exposed endpoints
• Plus comprehensive coverage of remaining OWASP categories

🔐 Authentication & Authorization Assessment

• Session Management - Token handling, session security, logout procedures
• Password Security - Hashing algorithms, complexity requirements, storage
• Multi-factor Authentication - Implementation patterns and bypass risks
• Permission Checks - Role-based access controls and privilege escalation
• API Authentication - Token validation, rate limiting, endpoint security

⚠️ Input Validation & Sanitization Review

• XSS Prevention - Cross-site scripting vulnerabilities and prevention
• SQL Injection Analysis - Database query security and parameterization
• File Upload Security - Upload validation, type checking, path traversal
• Form Validation - Client-side vs server-side validation gaps
• API Parameter Validation - Request validation and error handling

📊 Data Flow Security Analysis

• Sensitive Data Tracking - How personal data moves through your system
• Data Exposure Risks - Logs, error messages, debugging information
• Encryption in Transit - HTTPS implementation, certificate validation
• Database Security - Connection security, query patterns, access controls
• Third-party Integrations - External API security and data sharing

🔗 Cross-File Vulnerability Chains

Advanced analysis that identifies security issues spanning multiple files:

• Authentication Bypass Chains - Multi-step vulnerabilities across components
• Data Injection Paths - How unsanitized data flows between systems
• Privilege Escalation Routes - Permission check gaps across modules
• Session Handling Inconsistencies - Security policy variations

Security Focus Areas

Tailor your audit to concentrate on specific security concerns:

🔑 Authentication Focus

Deep dive into login systems, session management, and user verification:

• Multi-factor authentication implementation
• Session timeout and renewal policies
• Password reset and recovery mechanisms
• OAuth and SSO integration security
• API key management and rotation

📝 Input Validation Focus

Comprehensive review of data sanitization and validation:

• Form input sanitization and escaping
• File upload security and type validation
• API parameter validation and error handling
• Database query parameterization
• Content Security Policy implementation

🏛️ Authorization Focus

Role-based access controls and permission systems:

• Role assignment and privilege validation
• Resource-level access controls
• Administrative privilege protection
• API endpoint authorization
• Database-level permission enforcement

🌊 Data Flow Focus

Track sensitive information throughout your application:

• Personal data handling and GDPR compliance
• Payment information security (PCI DSS)
• Logging and monitoring data protection
• Third-party data sharing security
• Data retention and deletion policies

When Security Audits Save the Day

Here's when this function becomes your security guardian angel:

🚀 Pre-Deployment Security Check

Run comprehensive audits before pushing to production. Catch vulnerabilities in your development environment rather than discovering them through security incident reports or penetration test results.

🏢 Compliance Preparation

Prepare for security audits, compliance reviews, or client security questionnaires. Generate professional security assessment documentation that demonstrates due diligence.

🔄 Legacy System Assessment

Inherited an older codebase? Understand its security posture before making changes. Identify the most critical vulnerabilities and create a prioritized remediation plan.

🛡️ Third-Party Integration Security

Before integrating with external APIs, payment processors, or data sources, ensure your integration points don't introduce new vulnerabilities or expose sensitive information.

📋 Security Code Reviews

Enhance your code review process with automated security analysis. Catch security issues that might be missed during feature-focused reviews.

🎯 Incident Response Analysis

After a security incident, audit related code paths to identify potential attack vectors and ensure comprehensive remediation.

🏆 Security Training & Learning

Use audit results to understand common security patterns, learn about vulnerabilities in your specific technology stack, and improve your security development practices.

Security Audit Best Practices

Get the most comprehensive security insights with these expert recommendations:

🎯 Choose the Right Audit Scope

Match your audit scope to your security concerns:

• Single File - Authentication systems, payment processing, user input handlers
• Full Project - Pre-deployment reviews, compliance audits, comprehensive security assessment
• Specific Components - API endpoints, admin panels, data processing pipelines

⚡ Set Appropriate Audit Depth

• "basic" - Quick security overview, initial vulnerability screening
• "standard" - Comprehensive security review, suitable for most production systems
• "comprehensive" - Deep security analysis for critical systems, compliance requirements

🔍 Focus Areas Strategy

Use focus areas to address specific security concerns:

• New Features - Focus on "input-validation" and "authentication"
• API Development - Emphasize "authorization" and "data-flow"
• Legacy Systems - Use comprehensive review without focus limitations
• Compliance Reviews - Always include OWASP Top 10 analysis

📋 Integration with Development Workflow

Make security audits part of your regular development process:

• Run audits on authentication and authorization code before code reviews
• Audit API endpoints before deployment
• Review payment and sensitive data handling paths regularly
• Include security audit results in deployment checklists
• Use audit findings to create security-focused unit tests

🏆 Professional Security Practices

• Document Findings - Keep audit results for compliance and incident response
• Prioritize Remediation - Address high-severity findings first
• Validate Fixes - Re-audit after implementing security improvements
• Share Knowledge - Use findings to educate your development team
• Track Progress - Monitor security improvement trends over time

Troubleshooting

Resolve common security audit challenges: