AgentSkillsCN

security-analysis

Security assessment using STRIDE threat modeling, OWASP Top 10, and CVSS scoring. For use in security reviews, threat modeling, and secure coding guidance.

SKILL.md
--- frontmatter
name: security-analysis
description: Security assessment using STRIDE threat modeling, OWASP Top 10, and CVSS scoring. Use for security reviews, threat modeling, and secure coding guidance.
metadata: {"clawdbot":{"requires":{"env":[]}}}
user-invocable: true

Security Analysis

Comprehensive security assessment framework.

Frameworks Included

STRIDE Threat Modeling

Categorize threats by type:

| Threat | Description | Example |
|--------|-------------|---------|
| Spoofing | Impersonating something/someone | Fake login page |
| Tampering | Modifying data/code | SQL injection |
| Repudiation | Denying actions | Missing audit logs |
| Information Disclosure | Exposing data | Error message leaks |
| Denial of Service | Disrupting availability | Resource exhaustion |
| Elevation of Privilege | Gaining unauthorized access | Broken access control |

OWASP Top 10 (2021)

Check for common vulnerabilities:

  1. A01: Broken Access Control
  2. A02: Cryptographic Failures
  3. A03: Injection
  4. A04: Insecure Design
  5. A05: Security Misconfiguration
  6. A06: Vulnerable Components
  7. A07: Auth Failures
  8. A08: Integrity Failures
  9. A09: Logging Failures
  10. A10: SSRF

CVSS Scoring

Rate vulnerability severity:

| Score | Severity | Action |
|-------|----------|--------|
| 9.0-10.0 | Critical | Fix immediately |
| 7.0-8.9 | High | Fix within days |
| 4.0-6.9 | Medium | Fix within weeks |
| 0.1-3.9 | Low | Fix when convenient |

Security Review Process

Phase 1: Attack Surface Mapping

Identify all entry points:

  • API endpoints
  • User inputs
  • File uploads
  • External integrations
  • Authentication flows

Phase 2: STRIDE Analysis

For each entry point, check all STRIDE categories.

Phase 3: OWASP Checklist

Verify protection against Top 10.

Phase 4: Risk Scoring

Apply CVSS to findings.

Phase 5: Remediation Plan

Prioritize fixes by severity.

Output Template

```markdown
## Security Analysis: [Component/Feature]

### Attack Surface
| Entry Point | Type | Trust Level |
|-------------|------|-------------|
| [endpoint] | API | Untrusted |
| [input] | User | Untrusted |

### STRIDE Assessment

#### Spoofing
- Risk: [description]
- Mitigation: [control]
- Status: [Mitigated/Open]

#### Tampering
...

### OWASP Top 10 Check
| Category | Status | Notes |
|----------|--------|-------|
| A01 Broken Access Control | ✓/✗ | |
| A02 Crypto Failures | ✓/✗ | |
| A03 Injection | ✓/✗ | |
...

### Vulnerabilities Found
| ID | Description | CVSS | Severity |
|----|-------------|------|----------|
| V1 | [description] | X.X | High |
| V2 | [description] | X.X | Medium |

### Remediation Plan
1. **[V1]**: [fix] - Priority: Immediate
2. **[V2]**: [fix] - Priority: This sprint

### Security Posture
**Overall Risk: [Low/Medium/High/Critical]**
```

Quick Security Checklist

For rapid review:

  • Input validation on all user data
  • Output encoding to prevent XSS
  • Parameterized queries (no SQL concatenation)
  • Authentication on sensitive endpoints
  • Authorization checks (not just auth)
  • HTTPS everywhere
  • Secrets not in code
  • Error messages don't leak info
  • Logging without sensitive data
  • Dependencies updated

Secure Coding Patterns

Input Validation

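```python
import html

MAX_LENGTH = 1000  # example limit (assumption); set it per field

# Always validate and sanitize
def process_input(user_input):
    """Check type and length, then HTML-escape the value for safe output."""
    if not isinstance(user_input, str):
        raise ValueError("Invalid input type")
    if len(user_input) > MAX_LENGTH:
        raise ValueError("Input too long")
    # html.escape encodes &, <, > and both quote characters
    sanitized = html.escape(user_input)
    return sanitized
```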

SQL Injection Prevention

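```python
import sqlite3

# In-memory database so the snippet runs on its own
cursor = sqlite3.connect(":memory:").cursor()
cursor.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
user_id = "1"  # stands in for an untrusted request value

# NEVER concatenate
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")  # BAD

# ALWAYS parameterize ("?" is sqlite3's placeholder; some drivers use %s)
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))  # GOOD
```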