Break down large prompts into individual patterns

README.md

@@ -2,9 +2,7 @@
 
 **A comprehensive security reference distilled from 150+ sources to help LLMs generate safer code**
 
-[Landing anmd github-pages website](https://arcanum-sec.github.io/sec-context/)
-
-## The Problem
+[Landing and github-pages website](https://arcanum-sec.github.io/sec-context/)
 
 AI coding assistants are everywhere. **97% of developers** now use AI tools, and organizations report **40%+ of their codebase** is AI-generated. But there's a critical gap: AI models consistently reproduce the same dangerous security anti-patterns, with studies showing:
 
@@ -36,6 +34,20 @@ Deep-dive coverage of the **7 highest-priority vulnerabilities** with:
 - Complete mitigation strategies with trade-offs
 - Why AI models generate these specific vulnerabilities
 
+### Modular Pattern Files
+Individual pattern files organized into two directories:
+
+**anti-patterns-breadth/** (61 files)
+- Each security anti-pattern as a standalone markdown file
+- Self-contained with prompts, BAD/GOOD examples, and guidance
+- Quick reference table and navigation included
+- Examples: `sql-injection.md`, `hardcoded-passwords-api-keys.md`, `reflected-xss.md`
+
+**anti-patterns-depth/** (7 files)
+- In-depth coverage of each critical vulnerability
+- Comprehensive examples, edge cases, and testing strategies
+- Examples: `hardcoded-secrets-credential-management.md`, `cross-site-scripting-xss.md`
+
 ---
 
 ## The Top 10 AI Code Anti-Patterns
@@ -89,11 +101,28 @@ Another ideal use case: deploy a dedicated skill in claude code that reviews AI-
 - Returns specific vulnerabilities found with remediation steps
 - Works as a guardrail between AI code generation and production
 
+### Option 5: Modular Pattern Files
+Use individual pattern files for targeted security guidance:
+
+**Usage examples:**
+- Working on SQL queries? Load `anti-patterns-breadth/sql-injection.md`
+- Building authentication? Load `anti-patterns-depth/hardcoded-secrets-credential-management.md`
+- API development? Load `anti-patterns-breadth/command-injection.md` and `anti-patterns-breadth/broken-object-level-authorization.md`
+- Deploying an agent? Configure it to retrieve relevant patterns based on code analysis
+
+**Workflow for agents:**
+1. Analyze code to identify security-relevant areas (user input, database queries, authentication, etc.)
+2. Retrieve corresponding pattern files from the modular directories
+3. Apply pattern checks to identified code sections
+4. Return targeted findings with specific remediation guidance
+
 ```
 ┌─────────────────┐     ┌──────────────────────┐     ┌─────────────┐
 │ AI Code Gen     │────>│ Security Review Agent │────>│ Reviewed    │
-│ (Copilot, etc.) │     │ + Anti-Patterns Guide │     │ Code Output │
-└─────────────────┘     └──────────────────────┘     └─────────────┘
+│ (Copilot, etc.) │     │ + Modular Pattern     │     │ Code Output │
+└─────────────────┘     │ Files (Retrieved     │     └─────────────┘
+                        │ based on context)    │
+                        └──────────────────────┘
 ```
 
 ---
@@ -120,15 +149,21 @@ This guide synthesizes findings from **150+ individual sources** across 6 primar
 
 ```
 ├── ANTI_PATTERNS_BREADTH.md   # Full coverage, 25+ patterns
-├── ANTI_PATTERNS_DEPTH.md     # Deep dive, 7 critical patterns for now
+├── ANTI_PATTERNS_DEPTH.md     # Deep dive, 7 critical patterns
+├── anti-patterns-breadth/     # Individual pattern files (61 files)
+└── anti-patterns-depth/       # In-depth individual patterns (7 files)
 ```
 
 ---
 
 ## Get Started
 
 1. **Grab the files**
-2. **Choose your approach** based on your context window and use case
+2. **Choose your approach** based on your context window and use case:
+   - **Large context models** (128K+): Use comprehensive ANTI_PATTERNS files
+   - **Smaller context models** or **targeted tasks**: Use modular pattern files
+   - **Agent deployments**: Configure to retrieve modular patterns based on code context
+   - **Learning**: Explore individual patterns to understand specific vulnerabilities
 3. **Integrate** into your AI coding workflow as system prompt, RAG reference, or review agent
 4. **Generate safer code**
 

anti-patterns-breadth/INSTRUCTIONS.md

@@ -0,0 +1,24 @@
+## INSTRUCTIONS FOR AI/LLM
+
+This document contains security anti-patterns you MUST avoid when generating code.
+Each section shows a VULNERABLE pattern (marked BAD) and a SECURE alternative (marked GOOD).
+All examples are in PSEUDOCODE - implement the secure patterns in whatever language
+the developer is using. When in doubt, choose the more secure option.
+
+**Key Statistics:**
+- AI-generated code has an **86% XSS failure rate** (vs 31.6% human code)
+- **5-21% of AI-suggested packages don't exist** (slopsquatting risk)
+- AI code is **2.74x more likely** to have XSS vulnerabilities
+- **21.7% hallucination rate** for package names in some domains
+- SQL injection patterns appeared "thousands of times" in AI training data
+
+**Before generating any code:**
+1. Never hardcode credentials, API keys, or secrets
+2. Always parameterize database queries
+3. Validate and sanitize all user input
+4. Use cryptographically secure random for security tokens
+5. Verify packages exist before suggesting imports
+6. Encode output for the appropriate context (HTML, URL, JS)
+
+---
+

anti-patterns-breadth/README.md

@@ -0,0 +1,115 @@
+# Anti-Patterns Breadth - Comprehensive Security Coverage
+
+This directory contains a comprehensive collection of security anti-patterns extracted from the original ANTI_PATTERNS_BREADTH.md file. Each pattern is now stored as an individual file for easier reference and use.
+
+## Overview
+
+This collection covers 10 major categories of security vulnerabilities with detailed examples of bad practices (BAD) and secure alternatives (GOOD). Each file includes:
+- Description of the vulnerability
+- Common CWE references
+- Severity indicators
+- BAD code examples showing the anti-pattern
+- GOOD code examples showing secure practices
+- Related security considerations
+
+## Quick Reference
+
+- [Quick Reference Table](quick-reference-table.md) - Overview of all patterns
+- [Instructions for AI/LLM](INSTRUCTIONS.md) - How to use these patterns
+
+## Patterns by Category
+
+### 1. Secrets and Credentials Management
+- [Hardcoded Passwords and API Keys](hardcoded-passwords-api-keys.md)
+- [Credentials in Configuration Files](credentials-in-config-files.md)
+- [Secrets in Client-Side Code](secrets-in-client-side-code.md)
+- [Insecure Credential Storage](insecure-credential-storage.md)
+- [Missing Secret Rotation Considerations](missing-secret-rotation.md)
+
+### 2. Injection Vulnerabilities
+- [SQL Injection](sql-injection.md)
+- [Command Injection](command-injection.md)
+- [LDAP Injection](ldap-injection.md)
+- [XPath Injection](xpath-injection.md)
+- [NoSQL Injection](nosql-injection.md)
+- [Template Injection](template-injection.md)
+
+### 3. Cross-Site Scripting (XSS)
+- [Reflected XSS](reflected-xss.md)
+- [Stored XSS](stored-xss.md)
+- [DOM-Based XSS](dom-based-xss.md)
+- [Missing Content-Security-Policy](missing-content-security-policy.md)
+- [Improper Output Encoding](improper-output-encoding.md)
+
+### 4. Authentication and Session Management
+- [Weak Password Requirements](weak-password-requirements.md)
+- [Missing Rate Limiting on Auth Endpoints](missing-rate-limiting-auth.md)
+- [Insecure Session Token Generation](insecure-session-token-generation.md)
+- [Session Fixation Vulnerabilities](session-fixation.md)
+- [JWT Misuse](jwt-misuse.md)
+- [Missing MFA Considerations](missing-mfa.md)
+- [Insecure Password Reset Flows](insecure-password-reset.md)
+
+### 5. Cryptographic Failures
+- [Using Deprecated Algorithms](deprecated-crypto-algorithms.md)
+- [Hardcoded Encryption Keys](hardcoded-encryption-keys.md)
+- [ECB Mode Usage](ecb-mode-usage.md)
+- [Missing or Weak IVs/Nonces](missing-weak-ivs-nonces.md)
+- [Rolling Your Own Crypto](rolling-your-own-crypto.md)
+- [Insecure Random Number Generation](insecure-random-generation.md)
+- [Improper Key Derivation](improper-key-derivation.md)
+
+### 6. Input Validation
+- [Missing Server-Side Validation](missing-server-side-validation.md)
+- [Improper Type Checking](improper-type-checking.md)
+- [Missing Length Limits](missing-length-limits.md)
+- [Regex Denial of Service (ReDoS)](regex-denial-of-service.md)
+- [Accepting and Processing Untrusted Data](accepting-untrusted-data.md)
+- [Missing Canonicalization](missing-canonicalization.md)
+
+### 7. Configuration and Deployment
+- [Debug Mode in Production](debug-mode-in-production.md)
+- [Verbose Error Messages](verbose-error-messages.md)
+- [Default Credentials](default-credentials.md)
+- [Insecure CORS Configuration](insecure-cors-configuration.md)
+- [Missing Security Headers](missing-security-headers.md)
+- [Exposed Admin Interfaces](exposed-admin-interfaces.md)
+- [Unnecessary Open Ports and Services](unnecessary-open-ports.md)
+
+### 8. Dependency and Supply Chain Security
+- [Using Outdated Packages](outdated-packages.md)
+- [Not Pinning Dependency Versions](not-pinning-dependency-versions.md)
+- [Typosquatting and Slopsquatting Risks](typosquatting-risks.md)
+- [Including Unnecessary Dependencies](unnecessary-dependencies.md)
+- [Missing Integrity Checks](missing-integrity-checks.md)
+- [Trusting Transitive Dependencies Blindly](trusting-transitive-dependencies.md)
+
+### 9. API Security
+- [Missing Authentication on Endpoints](missing-authentication-endpoints.md)
+- [Broken Object-Level Authorization (IDOR)](broken-object-level-authorization.md)
+- [Mass Assignment Vulnerabilities](mass-assignment.md)
+- [Excessive Data Exposure](excessive-data-exposure.md)
+- [Missing Rate Limiting](missing-rate-limiting-api.md)
+- [Improper Error Handling in APIs](improper-error-handling-api.md)
+
+### 10. File Handling
+- [Path Traversal Vulnerabilities](path-traversal.md)
+- [Unrestricted File Uploads](unrestricted-file-uploads.md)
+- [Missing File Type Validation](missing-file-type-validation.md)
+- [Insecure Temporary File Handling](insecure-temporary-file-handling.md)
+- [Symlink Vulnerabilities](symlink-vulnerabilities.md)
+- [Unsafe File Permissions](unsafe-file-permissions.md)
+
+## How to Use This Collection
+
+Each file in this directory is self-contained and includes:
+- Pattern description and context
+- BAD examples showing vulnerable code
+- GOOD examples showing secure alternatives
+- Security considerations and best practices
+
+You can reference individual files based on specific security concerns, or use the entire collection as a comprehensive security reference.
+
+## Source
+
+This content was extracted from the original `ANTI_PATTERNS_BREADTH.md` file to provide better organization and easier access to individual patterns.

anti-patterns-breadth/accepting-untrusted-data.md

@@ -0,0 +1,139 @@
+# Accepting and Processing Untrusted Data
+
+
+```
+// PSEUDOCODE - Implement in your target language
+
+// ========================================
+// BAD: Trusting external data sources
+// ========================================
+FUNCTION process_webhook_unsafe(request):
+    // Vulnerable: No signature verification
+    data = json.parse(request.body)
+
+    // Attacker can spoof webhook requests
+    IF data.event == "payment_completed":
+        mark_order_paid(data.order_id)  // Dangerous!
+    END IF
+END FUNCTION
+
+FUNCTION fetch_and_process_unsafe(url):
+    // Vulnerable: Processing arbitrary external content
+    response = http.get(url)
+    data = json.parse(response.body)
+
+    // No validation of response structure
+    database.insert("external_data", data)
+END FUNCTION
+
+FUNCTION deserialize_unsafe(serialized_data):
+    // Vulnerable: Pickle/eval deserialization of untrusted data
+    // Allows arbitrary code execution!
+    object = pickle.loads(serialized_data)
+    RETURN object
+END FUNCTION
+
+FUNCTION process_xml_unsafe(xml_string):
+    // Vulnerable: XXE (XML External Entity) attack
+    parser = xml.create_parser()
+    doc = parser.parse(xml_string)
+    // Attacker XML: <!ENTITY xxe SYSTEM "file:///etc/passwd">
+    RETURN doc
+END FUNCTION
+
+// ========================================
+// GOOD: Validate and sanitize external data
+// ========================================
+FUNCTION process_webhook_safe(request):
+    // Verify webhook signature
+    signature = request.headers.get("X-Signature")
+    expected = hmac_sha256(WEBHOOK_SECRET, request.raw_body)
+
+    IF NOT constant_time_compare(signature, expected):
+        log.warning("Invalid webhook signature", {ip: request.ip})
+        RETURN {status: 401, error: "Invalid signature"}
+    END IF
+
+    // Validate payload structure
+    data = json.parse(request.body)
+
+    IF NOT validate_webhook_schema(data):
+        RETURN {status: 400, error: "Invalid payload"}
+    END IF
+
+    // Process verified and validated data
+    IF data.event == "payment_completed":
+        // Additional verification: Check with payment provider
+        IF verify_payment_with_provider(data.payment_id):
+            mark_order_paid(data.order_id)
+        END IF
+    END IF
+END FUNCTION
+
+FUNCTION fetch_and_process_safe(url):
+    // Validate URL is from allowed sources
+    parsed_url = url_parser.parse(url)
+    IF parsed_url.host NOT IN ALLOWED_HOSTS:
+        THROW ValidationError("URL host not allowed")
+    END IF
+
+    // Fetch with timeout and size limits
+    response = http.get(url, timeout=10, max_size=1024*1024)
+
+    // Parse and validate structure
+    TRY:
+        data = json.parse(response.body)
+    CATCH JSONError:
+        THROW ValidationError("Invalid JSON response")
+    END TRY
+
+    // Validate against expected schema
+    validated_data = validate_schema(data, EXPECTED_SCHEMA)
+
+    // Sanitize before storing
+    sanitized = sanitize_object(validated_data)
+    database.insert("external_data", sanitized)
+END FUNCTION
+
+FUNCTION deserialize_safe(data, format):
+    // Never use pickle/eval for untrusted data
+    // Use safe serialization formats
+    IF format == "json":
+        RETURN json.parse(data)
+    ELSE IF format == "msgpack":
+        RETURN msgpack.unpack(data)
+    ELSE:
+        THROW Error("Unsupported format")
+    END IF
+END FUNCTION
+
+FUNCTION process_xml_safe(xml_string):
+    // Disable external entities and DTDs
+    parser = xml.create_parser(
+        resolve_entities=FALSE,
+        load_dtd=FALSE,
+        no_network=TRUE
+    )
+
+    TRY:
+        doc = parser.parse(xml_string)
+        RETURN doc
+    CATCH XMLError as e:
+        log.warning("XML parsing failed", {error: e.message})
+        THROW ValidationError("Invalid XML")
+    END TRY
+END FUNCTION
+
+// Schema validation helper
+FUNCTION validate_schema(data, schema):
+    // Use JSON Schema or similar validation library
+    validator = JsonSchemaValidator(schema)
+
+    IF NOT validator.is_valid(data):
+        errors = validator.get_errors()
+        THROW ValidationError("Schema validation failed: " + errors.join(", "))
+    END IF
+
+    RETURN data
+END FUNCTION
+```