What is a security footgun?

A security footgun is an API design or configuration option that makes it very easy for a developer to accidentally introduce a vulnerability, often because the 'easy path' is the insecure one.

Does this skill work with all programming languages?

Yes, it provides cross-language security principles and specific patterns for popular languages like Go, Rust, Python, JavaScript, and PHP.

How does Sharp Edges differ from standard code review?

While standard review focuses on implementation bugs, Sharp Edges specifically looks at the ergonomics of the design to see if the interface itself encourages mistakes, regardless of the developer's skill level.

When is the best time to use this skill?

Use it during architectural reviews, API design phases, or when auditing security-critical modules like authentication, authorization, and cryptographic implementations.

Sharp Edges Security Analysis

Name: Sharp Edges Security Analysis
Author: trailofbits

bytrailofbits

•

937

安全与测试

Identifies security footguns and error-prone API designs to ensure software is secure by default.

关于

Sharp Edges is a specialized security auditing skill designed to evaluate whether software interfaces, cryptographic libraries, and configuration schemas are resistant to developer misuse. It moves beyond standard bug hunting to identify 'sharp edges'—architectural designs where the easiest path for a developer is an insecure one. By surfacing dangerous defaults, algorithm selection footguns, and silent failure modes, this skill helps engineering teams implement 'secure by default' principles and build systems where the 'pit of success' is the only path forward.

主要功能

Audits for stringly-typed security values that enable injection
Identifies algorithm and mode selection footguns in security APIs
Evaluates API ergonomics against misuse-resistance principles
937 GitHub stars
Detects dangerous configuration defaults and unvalidated parameters
Surfaces silent failure patterns where security checks are bypassed

使用场景

Evaluating cryptographic integrations for common implementation pitfalls and type confusion
Reviewing new library or API designs for security usability before release
Auditing legacy configuration schemas for hidden security risks and dangerous flags

关于

主要功能

Audits for stringly-typed security values that enable injection
Identifies algorithm and mode selection footguns in security APIs
Evaluates API ergonomics against misuse-resistance principles
937 GitHub stars
Detects dangerous configuration defaults and unvalidated parameters
Surfaces silent failure patterns where security checks are bypassed

使用场景

Evaluating cryptographic integrations for common implementation pitfalls and type confusion
Reviewing new library or API designs for security usability before release
Auditing legacy configuration schemas for hidden security risks and dangerous flags