AgentSkillsCN

security-audit

安全审计

SKILL.md

Security Audit Skill

Reusable workflow extracted from luca-security-expert expertise.

Purpose

Conduct comprehensive security assessments to identify vulnerabilities, assess risks, and provide remediation strategies aligned with OWASP, zero-trust principles, and compliance requirements.

When to Use

  • Pre-release security validation
  • Post-incident security review
  • Compliance audit preparation (SOC2, ISO27001, GDPR)
  • Third-party vendor security assessment
  • Penetration testing planning
  • Security architecture review
  • Incident response and forensics
  • Security posture assessment

Workflow Steps

  1. Scope Definition

    • Identify assets in scope (applications, infrastructure, data)
    • Define assessment boundaries
    • Establish testing authorization and rules of engagement
    • Identify compliance requirements (GDPR, HIPAA, PCI-DSS)
    • Set testing timeline and constraints
  2. Information Gathering

    • Map attack surface (endpoints, services, dependencies)
    • Inventory assets and technologies
    • Review architecture and data flow diagrams
    • Collect existing security documentation
    • Identify critical business functions
  3. Threat Modeling

    • Apply STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
    • Identify threat actors and motivations
    • Map potential attack vectors
    • Prioritize threats by likelihood and impact
    • Create attack scenarios
  4. Vulnerability Assessment

    • OWASP Top 10 verification
    • Authentication/authorization testing
    • Input validation and injection testing
    • Session management review
    • Cryptography assessment
    • API security testing
    • Infrastructure configuration review
    • Dependency vulnerability scanning
  5. Risk Analysis

    • Calculate risk scores (Likelihood × Impact)
    • Classify vulnerabilities by severity
    • Assess business impact of each vulnerability
    • Identify compensating controls
    • Prioritize remediation efforts
  6. Penetration Testing (if authorized)

    • Manual security testing
    • Automated scanning (Burp Suite, OWASP ZAP)
    • Exploitation attempts (in controlled manner)
    • Privilege escalation testing
    • Lateral movement simulation
  7. Remediation Planning

    • Create prioritized remediation roadmap
    • Provide specific fix recommendations
    • Suggest compensating controls for deferred fixes
    • Estimate effort and timeline
    • Define validation criteria
  8. Reporting & Validation

    • Document findings with evidence
    • Create executive summary for leadership
    • Provide technical details for developers
    • Re-test after remediation
    • Update security baseline

Inputs Required

  • Scope: Systems, applications, infrastructure to assess
  • Authorization: Written permission for security testing
  • Access: Test credentials, environment access
  • Documentation: Architecture diagrams, tech stack, existing security docs
  • Compliance: Regulatory requirements (GDPR, HIPAA, PCI-DSS, etc.)
  • Constraints: Testing windows, off-limits areas

Outputs Produced

  • Security Assessment Report: Comprehensive findings with evidence
  • Risk Register: Vulnerabilities ranked by severity and impact
  • Remediation Roadmap: Prioritized fixes with timelines
  • Executive Summary: High-level risk overview for leadership
  • Technical Details: Exploitation steps and fix guidance for developers
  • Compliance Gap Analysis: Gaps vs required standards

OWASP Top 10 Checklist

A01:2021 - Broken Access Control

  • Authentication required for all sensitive operations
  • Authorization checks on server-side (not just client)
  • Principle of least privilege enforced
  • No direct object references without validation
  • CORS configured properly

A02:2021 - Cryptographic Failures

  • Sensitive data encrypted at rest
  • TLS/HTTPS enforced for data in transit
  • Strong cryptographic algorithms (AES-256, RSA-2048+)
  • Secrets not hardcoded in source code
  • Proper key management and rotation

A03:2021 - Injection

  • All inputs validated and sanitized
  • Parameterized queries used (no string concatenation)
  • ORM used correctly (no raw SQL injection)
  • Command injection prevention
  • NoSQL injection prevention

A04:2021 - Insecure Design

  • Threat modeling conducted
  • Security requirements defined
  • Secure design patterns applied
  • Security by design, not as afterthought

A05:2021 - Security Misconfiguration

  • Default credentials changed
  • Error messages don't leak sensitive info
  • Security headers configured (CSP, HSTS, X-Frame-Options)
  • Unnecessary features/services disabled
  • Software up to date with security patches

A06:2021 - Vulnerable and Outdated Components

  • Dependency inventory maintained (SBOM)
  • Automated vulnerability scanning
  • Regular updates applied
  • No known CVEs in dependencies

A07:2021 - Identification and Authentication Failures

  • Multi-factor authentication available
  • Password complexity requirements enforced
  • Rate limiting on login attempts
  • Session management secure (timeout, regeneration)
  • Credential stuffing prevention

A08:2021 - Software and Data Integrity Failures

  • Code signing implemented
  • CI/CD pipeline secured
  • Dependency integrity verified (checksums)
  • Auto-update mechanism secured

A09:2021 - Security Logging and Monitoring Failures

  • Security events logged (login, access control)
  • Logs protected from tampering
  • Real-time alerting for anomalies
  • Log retention policy defined
  • SIEM integration

A10:2021 - Server-Side Request Forgery (SSRF)

  • URL validation and allowlisting
  • Network segmentation
  • Disable unused URL schemas
  • Response validation

Risk Rating Matrix

SeverityLikelihoodImpactAction Required
CriticalHigh + HighData breach, system compromiseFix within 24 hours
HighHigh + Medium or Medium + HighSignificant security riskFix within 7 days
MediumMedium + Medium or Low + HighModerate security concernFix within 30 days
LowLow + Low or Low + MediumMinor security issueFix in next release

Risk Calculation

  • Likelihood: How probable is exploitation? (Low, Medium, High)
  • Impact: What damage if exploited? (Low, Medium, High, Critical)
  • Risk Score: Likelihood × Impact = Priority

Example Usage

code
Input: Pre-release security audit for financial application

Workflow Execution:
1. Scope: Web app + API + Database, PCI-DSS compliance required
2. Information: React frontend, Node.js API, PostgreSQL, AWS hosting
3. Threat Model: STRIDE analysis identifies data exposure and injection risks
4. Vulnerabilities Found:
   - 🔴 CRITICAL: SQL injection in payment endpoint
   - 🔴 CRITICAL: JWT tokens never expire
   - 🟠 HIGH: Weak password policy (6 chars, no complexity)
   - 🟡 MEDIUM: Missing rate limiting on API
   - 🟢 LOW: Security headers not optimized
5. Risk Analysis: SQL injection = HIGH likelihood + CRITICAL impact = P0
6. Remediation:
   - P0: Parameterized queries, token expiration (24h immediate)
   - P1: Password policy update, rate limiting (7 days)
   - P2: Security headers (next sprint)
7. Report: Executive summary + technical details + remediation roadmap
8. Validation: Re-test after fixes applied

Output:
BLOCKED for release - 2 critical vulnerabilities must be fixed first
Remediation roadmap provided with 24h timeline for critical fixes

Security Testing Tools

Vulnerability Scanning

  • OWASP ZAP: Web application scanner
  • Burp Suite: Penetration testing toolkit
  • Nmap: Network scanning
  • Nikto: Web server scanner

Code Analysis

  • SonarQube: Static code analysis
  • Snyk: Dependency vulnerability scanning
  • Semgrep: Pattern-based code scanning
  • GitHub Advanced Security: CodeQL scanning

Infrastructure

  • Trivy: Container/IaC scanning
  • Checkov: Infrastructure as Code scanner
  • AWS Security Hub: Cloud security posture
  • Prowler: AWS security assessment

Authentication Testing

  • Hydra: Brute force testing
  • John the Ripper: Password cracking
  • Hashcat: Hash cracking

Zero-Trust Security Principles

  1. Verify Explicitly: Always authenticate and authorize
  2. Least Privilege Access: Minimal permissions required
  3. Assume Breach: Design for compromise, limit blast radius
  4. Microsegmentation: Isolate workloads and networks
  5. Continuous Monitoring: Real-time threat detection

Compliance Frameworks

GDPR (Data Privacy)

  • Data protection by design and by default
  • Right to erasure (delete user data)
  • Data breach notification (72 hours)
  • Privacy impact assessments

SOC2 (Security Controls)

  • Security, availability, processing integrity
  • Confidentiality, privacy
  • Annual audits required

ISO27001 (Information Security)

  • 114 security controls across 14 domains
  • Risk management framework
  • Continuous improvement cycle

PCI-DSS (Payment Card)

  • Build and maintain secure network
  • Protect cardholder data
  • Vulnerability management program
  • Regular monitoring and testing

Related Agents

  • luca-security-expert - Full agent with reasoning and threat analysis
  • rex-code-reviewer - Code-level security review
  • baccio-tech-architect - Security architecture validation
  • marco-devops-engineer - Infrastructure security
  • elena-legal-compliance-expert - Regulatory compliance guidance

ISE Engineering Fundamentals Alignment

  • Threat modeling (STRIDE/DREAD) for all features
  • Static and dynamic security testing in CI/CD
  • Shift-left security: checks early in pipeline
  • Dependency scanning automated
  • Container security: image scanning, runtime protection
  • Secret management: vault-based, no secrets in code
  • Security code review checklist for every PR