Prompt for discovering security vulnerabilities on your app
Hi All,
Hope you've keeping well,
Try out this prompt and let me know if it helps ✌️
"You are acting as a senior enterprise software architect, cybersecurity auditor, privacy/compliance specialist, application security engineer, DevSecOps reviewer, cloud security consultant, and systems reliability engineer.
I need you to perform a FULL PROFESSIONAL SECURITY, COMPLIANCE, ARCHITECTURE, AND PRODUCTION-READINESS AUDIT of this entire application/platform.
Review:
- the full codebase
- frontend implementation
- backend architecture
- APIs
- authentication & authorization systems
- database structure
- file/document storage
- cloud infrastructure
- CI/CD pipelines
- edge/serverless functions
- AI integrations
- third-party services
- permissions architecture
- session handling
- business logic
- deployment configuration
- logging & monitoring
- security configuration
- secrets management
- scalability architecture
- data processing flows
Assume this platform may process:
- personal data
- financial data
- business data
- user-generated content
- authentication credentials
- uploaded files/documents
- AI interactions
- API integrations
- customer records
- sensitive operational information
The platform MUST be evaluated to enterprise-grade standards for:
- Security
- Privacy
- Compliance
- Reliability
- Availability
- Auditability
- Scalability
- Maintainability
- Access control
- Data protection
- AI governance
- Disaster recovery
- Production readiness
I want you to conduct an EXTREMELY CRITICAL review and identify:
SECURITY RISKS
- Security vulnerabilities
- Authentication flaws
- Authorization flaws
- Broken access control
- Privilege escalation risks
- Insecure session handling
- Weak JWT/token implementation
- OTP abuse risks
- Missing MFA protections
- API exposure risks
- Missing rate limiting
- CORS misconfigurations
- CSRF risks
- XSS risks
- SSRF risks
- SQL injection risks
- NoSQL injection risks
- Command injection risks
- Path traversal risks
- File upload vulnerabilities
- Insecure deserialization
- Open redirects
- Sensitive data exposure
- Public storage exposure
- Secrets leakage
- Weak encryption handling
- Weak password handling
- Weak webhook validation
- Missing security headers
- Missing CSP
- Dangerous client-side processing
- Insecure AI integrations
- Prompt injection risks
- Supply-chain/dependency risks
ARCHITECTURE RISKS
- Unsafe coding patterns
- Monolithic architecture issues
- Poor separation of concerns
- Tight coupling
- Technical debt
- Scalability bottlenecks
- Single points of failure
- Race conditions
- Concurrency issues
- Missing retry logic
- Fragile integrations
- State management issues
- Data consistency risks
- Incomplete deletion flows
- Orphaned data risks
- Infrastructure weaknesses
- Weak cloud configuration
- Weak DevOps practices
- Weak CI/CD security
- Lack of observability
- Weak logging/audit trails
- Missing backup/disaster recovery strategy
COMPLIANCE & PRIVACY RISKS
- GDPR risks
- POPIA risks
- CCPA/privacy risks
- AI/privacy risks
- Data retention issues
- Missing consent enforcement
- Incomplete account deletion
- Excessive data collection
- Cross-border data transfer risks
- Missing auditability
- Weak breach-response readiness
- Third-party processor risks
- Data minimization failures
“VIBE CODING” RISK INDICATORS
- AI-generated insecure patterns
- Frontend-only validation
- Disabled security protections
- Hardcoded secrets
- Overly permissive access
- Debug code left in production
- Massive unmaintainable components/files
- Copy-pasted security logic
- Inconsistent validation
- Missing architectural discipline
- “Make it work first” shortcuts
- Overuse of admin/service-role access
- Lack of engineering standards
- Lack of testing
- Lack of code review patterns
Evaluate the platform against:
- OWASP Top 10
- OWASP API Security Top 10
- Zero-trust security principles
- Enterprise SaaS architecture principles
- Modern cloud security practices
- Secure authentication standards
- Secure file storage practices
- DevSecOps best practices
- Modern frontend/backend security standards
- Privacy-by-design principles
- AI governance best practices
Then generate a PROFESSIONAL STRUCTURED REPORT with these sections:
Executive Summary
Critical Security Vulnerabilities
High-Risk Compliance & Privacy Issues
Authentication & Authorization Review
API & Backend Security Review
Database & Storage Security Review
File Upload & Document Security Review
Frontend Security Review
AI Integration & Privacy Review
Cloud Infrastructure & DevOps Review
Business Logic Risks
Session & Token Security Review
Data Retention & Account Deletion Review
Logging, Monitoring & Auditability Review
Backup & Disaster Recovery Review
Scalability & Reliability Review
Code Quality & Maintainability Review
“Vibe Coding” Risk Indicators
Recommended Immediate Fixes
Recommended Medium-Term Improvements
Recommended Enterprise-Grade Upgrades
For EVERY issue found:
- Explain the vulnerability/risk clearly
- Explain how it could realistically be abused
- Explain business impact
- Explain legal/compliance implications where relevant
- Provide severity:
- Critical
- High
- Medium
- Low
- Provide remediation guidance
- Provide code-level recommendations where applicable
- Explain whether the issue is architectural, implementation-level, or operational
IMPORTANT:
- Be brutally honest and highly critical
- Assume attackers WILL target this platform
- Assume regulators MAY audit this platform
- Assume investors MAY perform technical due diligence
- Assume this platform may eventually scale to millions of users
- Do NOT give generic advice
- Review actual implementation details
- Identify technical debt
- Identify insecure assumptions
- Identify hidden scaling risks
- Identify weak engineering practices
- Identify architectural anti-patterns
- Identify areas requiring refactoring
- Identify areas that would fail enterprise security review
- Identify areas that would fail production-readiness review
Additionally:
Create a final “Production Readiness Score” out of 100 for:
- Security
- Compliance
- Architecture
- Scalability
- Reliability
- Maintainability
- Enterprise Readiness
Then provide a prioritized remediation roadmap for:
- Immediate fixes (0–30 days)
- Short-term fixes (1–3 months)
- Medium-term improvements (3–6 months)
- Long-term enterprise upgrades (6–12 months)
Your goal is to review this application to the standard expected of:
- enterprise SaaS platforms
- fintech systems
- healthcare systems
- legal-tech systems
- identity-management systems
- cloud-native enterprise applications
Do NOT sugarcoat anything.
If something appears unsafe, incomplete, fragile, amateurish, or “vibe coded,” explicitly say so and explain why."