Security Audit Skill
Reusable workflow extracted from luca-security-expert expertise.
Purpose
Conduct comprehensive security assessments to identify vulnerabilities, assess risks, and provide remediation strategies aligned with OWASP, zero-trust principles, and compliance requirements.
When to Use
- •Pre-release security validation
- •Post-incident security review
- •Compliance audit preparation (SOC2, ISO27001, GDPR)
- •Third-party vendor security assessment
- •Penetration testing planning
- •Security architecture review
- •Incident response and forensics
- •Security posture assessment
Workflow Steps
- •
Scope Definition
- •Identify assets in scope (applications, infrastructure, data)
- •Define assessment boundaries
- •Establish testing authorization and rules of engagement
- •Identify compliance requirements (GDPR, HIPAA, PCI-DSS)
- •Set testing timeline and constraints
- •
Information Gathering
- •Map attack surface (endpoints, services, dependencies)
- •Inventory assets and technologies
- •Review architecture and data flow diagrams
- •Collect existing security documentation
- •Identify critical business functions
- •
Threat Modeling
- •Apply STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
- •Identify threat actors and motivations
- •Map potential attack vectors
- •Prioritize threats by likelihood and impact
- •Create attack scenarios
- •
Vulnerability Assessment
- •OWASP Top 10 verification
- •Authentication/authorization testing
- •Input validation and injection testing
- •Session management review
- •Cryptography assessment
- •API security testing
- •Infrastructure configuration review
- •Dependency vulnerability scanning
- •
Risk Analysis
- •Calculate risk scores (Likelihood × Impact)
- •Classify vulnerabilities by severity
- •Assess business impact of each vulnerability
- •Identify compensating controls
- •Prioritize remediation efforts
- •
Penetration Testing (if authorized)
- •Manual security testing
- •Automated scanning (Burp Suite, OWASP ZAP)
- •Exploitation attempts (in controlled manner)
- •Privilege escalation testing
- •Lateral movement simulation
- •
Remediation Planning
- •Create prioritized remediation roadmap
- •Provide specific fix recommendations
- •Suggest compensating controls for deferred fixes
- •Estimate effort and timeline
- •Define validation criteria
- •
Reporting & Validation
- •Document findings with evidence
- •Create executive summary for leadership
- •Provide technical details for developers
- •Re-test after remediation
- •Update security baseline
Inputs Required
- •Scope: Systems, applications, infrastructure to assess
- •Authorization: Written permission for security testing
- •Access: Test credentials, environment access
- •Documentation: Architecture diagrams, tech stack, existing security docs
- •Compliance: Regulatory requirements (GDPR, HIPAA, PCI-DSS, etc.)
- •Constraints: Testing windows, off-limits areas
Outputs Produced
- •Security Assessment Report: Comprehensive findings with evidence
- •Risk Register: Vulnerabilities ranked by severity and impact
- •Remediation Roadmap: Prioritized fixes with timelines
- •Executive Summary: High-level risk overview for leadership
- •Technical Details: Exploitation steps and fix guidance for developers
- •Compliance Gap Analysis: Gaps vs required standards
OWASP Top 10 Checklist
A01:2021 - Broken Access Control
- • Authentication required for all sensitive operations
- • Authorization checks on server-side (not just client)
- • Principle of least privilege enforced
- • No direct object references without validation
- • CORS configured properly
A02:2021 - Cryptographic Failures
- • Sensitive data encrypted at rest
- • TLS/HTTPS enforced for data in transit
- • Strong cryptographic algorithms (AES-256, RSA-2048+)
- • Secrets not hardcoded in source code
- • Proper key management and rotation
A03:2021 - Injection
- • All inputs validated and sanitized
- • Parameterized queries used (no string concatenation)
- • ORM used correctly (no raw SQL injection)
- • Command injection prevention
- • NoSQL injection prevention
A04:2021 - Insecure Design
- • Threat modeling conducted
- • Security requirements defined
- • Secure design patterns applied
- • Security by design, not as afterthought
A05:2021 - Security Misconfiguration
- • Default credentials changed
- • Error messages don't leak sensitive info
- • Security headers configured (CSP, HSTS, X-Frame-Options)
- • Unnecessary features/services disabled
- • Software up to date with security patches
A06:2021 - Vulnerable and Outdated Components
- • Dependency inventory maintained (SBOM)
- • Automated vulnerability scanning
- • Regular updates applied
- • No known CVEs in dependencies
A07:2021 - Identification and Authentication Failures
- • Multi-factor authentication available
- • Password complexity requirements enforced
- • Rate limiting on login attempts
- • Session management secure (timeout, regeneration)
- • Credential stuffing prevention
A08:2021 - Software and Data Integrity Failures
- • Code signing implemented
- • CI/CD pipeline secured
- • Dependency integrity verified (checksums)
- • Auto-update mechanism secured
A09:2021 - Security Logging and Monitoring Failures
- • Security events logged (login, access control)
- • Logs protected from tampering
- • Real-time alerting for anomalies
- • Log retention policy defined
- • SIEM integration
A10:2021 - Server-Side Request Forgery (SSRF)
- • URL validation and allowlisting
- • Network segmentation
- • Disable unused URL schemas
- • Response validation
Risk Rating Matrix
| Severity | Likelihood | Impact | Action Required |
|---|---|---|---|
| Critical | High + High | Data breach, system compromise | Fix within 24 hours |
| High | High + Medium or Medium + High | Significant security risk | Fix within 7 days |
| Medium | Medium + Medium or Low + High | Moderate security concern | Fix within 30 days |
| Low | Low + Low or Low + Medium | Minor security issue | Fix in next release |
Risk Calculation
- •Likelihood: How probable is exploitation? (Low, Medium, High)
- •Impact: What damage if exploited? (Low, Medium, High, Critical)
- •Risk Score: Likelihood × Impact = Priority
Example Usage
code
Input: Pre-release security audit for financial application Workflow Execution: 1. Scope: Web app + API + Database, PCI-DSS compliance required 2. Information: React frontend, Node.js API, PostgreSQL, AWS hosting 3. Threat Model: STRIDE analysis identifies data exposure and injection risks 4. Vulnerabilities Found: - 🔴 CRITICAL: SQL injection in payment endpoint - 🔴 CRITICAL: JWT tokens never expire - 🟠 HIGH: Weak password policy (6 chars, no complexity) - 🟡 MEDIUM: Missing rate limiting on API - 🟢 LOW: Security headers not optimized 5. Risk Analysis: SQL injection = HIGH likelihood + CRITICAL impact = P0 6. Remediation: - P0: Parameterized queries, token expiration (24h immediate) - P1: Password policy update, rate limiting (7 days) - P2: Security headers (next sprint) 7. Report: Executive summary + technical details + remediation roadmap 8. Validation: Re-test after fixes applied Output: BLOCKED for release - 2 critical vulnerabilities must be fixed first Remediation roadmap provided with 24h timeline for critical fixes
Security Testing Tools
Vulnerability Scanning
- •OWASP ZAP: Web application scanner
- •Burp Suite: Penetration testing toolkit
- •Nmap: Network scanning
- •Nikto: Web server scanner
Code Analysis
- •SonarQube: Static code analysis
- •Snyk: Dependency vulnerability scanning
- •Semgrep: Pattern-based code scanning
- •GitHub Advanced Security: CodeQL scanning
Infrastructure
- •Trivy: Container/IaC scanning
- •Checkov: Infrastructure as Code scanner
- •AWS Security Hub: Cloud security posture
- •Prowler: AWS security assessment
Authentication Testing
- •Hydra: Brute force testing
- •John the Ripper: Password cracking
- •Hashcat: Hash cracking
Zero-Trust Security Principles
- •Verify Explicitly: Always authenticate and authorize
- •Least Privilege Access: Minimal permissions required
- •Assume Breach: Design for compromise, limit blast radius
- •Microsegmentation: Isolate workloads and networks
- •Continuous Monitoring: Real-time threat detection
Compliance Frameworks
GDPR (Data Privacy)
- •Data protection by design and by default
- •Right to erasure (delete user data)
- •Data breach notification (72 hours)
- •Privacy impact assessments
SOC2 (Security Controls)
- •Security, availability, processing integrity
- •Confidentiality, privacy
- •Annual audits required
ISO27001 (Information Security)
- •114 security controls across 14 domains
- •Risk management framework
- •Continuous improvement cycle
PCI-DSS (Payment Card)
- •Build and maintain secure network
- •Protect cardholder data
- •Vulnerability management program
- •Regular monitoring and testing
Related Agents
- •luca-security-expert - Full agent with reasoning and threat analysis
- •rex-code-reviewer - Code-level security review
- •baccio-tech-architect - Security architecture validation
- •marco-devops-engineer - Infrastructure security
- •elena-legal-compliance-expert - Regulatory compliance guidance
ISE Engineering Fundamentals Alignment
- •Threat modeling (STRIDE/DREAD) for all features
- •Static and dynamic security testing in CI/CD
- •Shift-left security: checks early in pipeline
- •Dependency scanning automated
- •Container security: image scanning, runtime protection
- •Secret management: vault-based, no secrets in code
- •Security code review checklist for every PR