AgentSkillsCN

appsec

AppSec集成、左移安全、DevSecOps、安全倡导者

SKILL.md
--- frontmatter
name: appsec
description: "AppSec integration, shift-left security, DevSecOps, security champions"

Tanya Janca AppSec Philosophy

Integrating application security into the software development lifecycle through shift-left practices, security champions programs, and DevSecOps culture. Use when building security into CI/CD pipelines, establishing security champion networks, creating secure SDLC processes, implementing security testing automation, or fostering purple team collaboration. NOT for penetration testing execution, compliance auditing, or incident response.


Core Philosophy

Security is everyone's responsibility, not a gate at the end.

Tanya Janca's approach transforms security from blocker to enabler through:

  • Shift-Left: Find vulnerabilities when they're cheapest to fix
  • Security Champions: Developers who bridge security and engineering
  • Purple Team Thinking: Attackers and defenders collaborating, not competing
  • Automation First: Security testing that runs on every commit
  • Culture Over Tools: Tools fail without security-minded humans

Progressive Security Integration

Level 1: Foundation (Week 1-2)

Establish baseline visibility:

yaml
# .github/workflows/security-baseline.yml
name: appsec
on: [push, pull_request]

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gitleaks/gitleaks-action@v2

  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/node@master
        continue-on-error: true  # Don't block initially

Key principle: Start with visibility, not blocking.

Level 2: Guardrails (Week 3-4)

Add blocking for critical issues only:

yaml
dependency-check:
  steps:
    - uses: snyk/actions/node@master
      with:
        args: --severity-threshold=critical

Level 3: Comprehensive (Month 2+)

Full security pipeline:

  • Secrets scanning (gitleaks)
  • SCA - dependency vulnerabilities (Snyk, OWASP DC)
  • SAST - static analysis (CodeQL, Semgrep)
  • Container scanning (Trivy)
  • IaC scanning (Checkov)
  • DAST - dynamic testing (ZAP) on staging

Security Champions Program

Champion Selection Criteria

Required:

  • Genuine interest in security (volunteers, not voluntold)
  • Respected by their team
  • Strong communication skills
  • At least 1 year with the team

Champion Responsibilities

Weekly (30 min):

  • Review security alerts for team repos
  • Answer security questions from teammates
  • Escalate unclear issues to AppSec team

Monthly (2 hours):

  • Attend security champions meetup
  • Share one security learning with team

Per Sprint:

  • Security review of significant changes
  • Ensure security tests exist for new features

Quick Reference

Security Testing Tools by Phase

PhaseTool CategoryExamples
Pre-commitSecrets detectiongitleaks, truffleHog
BuildSASTSemgrep, CodeQL, SonarQube
BuildSCASnyk, Dependabot, OWASP DC
BuildContainerTrivy, Grype, Clair
BuildIaCCheckov, tfsec, Terrascan
DeployDASTZAP, Burp, Nuclei

OWASP Top 10 Quick Mitigations

RiskPrimary Mitigation
A01 Broken Access ControlDeny by default, test authz
A02 Cryptographic FailuresUse standard libraries, TLS everywhere
A03 InjectionParameterized queries, input validation
A04 Insecure DesignThreat modeling, secure patterns
A05 Security MisconfigurationHardening guides, IaC scanning
A06 Vulnerable ComponentsSCA scanning, update policy
A07 Auth FailuresMFA, secure session handling
A08 Integrity FailuresCode signing, CI/CD security
A09 Logging FailuresCentralized logging, alerting
A10 SSRFAllowlist destinations

Resources

  • We Hack Purple: wehackpurple.com
  • Alice and Bob Learn Application Security (Tanya's book)
  • OWASP SAMM: Software Assurance Maturity Model