AgentSkillsCN

security

Secure backend applications against OWASP threats. Implement authentication, encryption, scanning, compliance and incident response procedures.

SKILL.md
---
name: security
description: Secure backend applications against OWASP threats. Implement authentication, encryption, scanning, compliance, and incident response procedures.
sasmp_version: "2.0.0"
bonded_agent: 07-testing-security
bond_type: PRIMARY_BOND

# === PRODUCTION-GRADE SKILL CONFIG (SASMP v2.0.0) ===

atomic_operations:
  - VULNERABILITY_SCAN
  - AUTH_IMPLEMENTATION
  - ENCRYPTION_CONFIG
  - COMPLIANCE_CHECK

parameter_validation:
  query:
    type: string
    required: true
    minLength: 5
    maxLength: 2500
  security_focus:
    type: string
    enum: [owasp, compliance, scanning, auth]
    required: false
  compliance_framework:
    type: string
    enum: [gdpr, hipaa, pci-dss, soc2]
    required: false

retry_logic:
  max_attempts: 2
  backoff: exponential
  initial_delay_ms: 1500

logging_hooks:
  on_invoke: "skill.security.invoked"
  on_success: "skill.security.completed"
  on_error: "skill.security.failed"

exit_codes:
  SUCCESS: 0
  INVALID_INPUT: 1
  CRITICAL_VULNERABILITY: 2
  COMPLIANCE_VIOLATION: 3
---

Security Skill

Bonded to: testing-security-agent


Quick Start

bash
# Invoke security skill
"Check my code for OWASP vulnerabilities"
"Implement JWT authentication securely"
"Prepare for GDPR compliance audit"

Instructions

  1. Assess Risks: Identify threats and vulnerabilities
  2. Implement Controls: Add authentication, encryption
  3. Configure Scanning: Set up SAST, DAST, SCA
  4. Ensure Compliance: Meet regulatory requirements
  5. Prepare Response: Create incident response plan

OWASP Top 10 (2021)

| # | Vulnerability | Prevention | Severity |
|---|---|---|---|
| 1 | Broken Access Control | RBAC, least privilege, deny by default, per-object authorization checks | Critical |
| 2 | Cryptographic Failures | Strong, modern algorithms; TLS everywhere; no home-grown crypto | Critical |
| 3 | Injection | Parameterized queries; allowlists for identifiers | Critical |
| 4 | Insecure Design | Threat modeling before implementation | High |
| 5 | Security Misconfiguration | Hardening, secure defaults, no debug features in production | High |
| 6 | Vulnerable and Outdated Components | SCA scanning, timely patching | High |
| 7 | Identification and Authentication Failures | MFA, secure session handling, rate limiting | High |
| 8 | Software and Data Integrity Failures | Signed artifacts and updates, no untrusted deserialization | Medium |
| 9 | Security Logging and Monitoring Failures | Audit logging with alerting | Medium |
| 10 | Server-Side Request Forgery (SSRF) | Allowlist of destinations; block internal address ranges | Medium |
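The SSRF row above gives the prevention in one phrase; the check below shows what validating a user-supplied URL actually involves. It is an added example, not code from the original page or the AgentSkillsCN project. It assumes a service that fetches URLs on a user's behalf; `is_safe_destination`, `resolve_all`, the injectable `resolve` callback and the constructed `FAKE_DNS` table (used so the example runs offline) are names introduced here. Beyond a scheme allowlist it rejects userinfo tricks (`http://trusted@10.0.0.1/`), resolves every address a name maps to, and refuses any that is loopback, RFC 1918, link-local (which is where the cloud metadata endpoint `169.254.169.254` lives), CGNAT, multicast or an IPv4-mapped IPv6 address hiding a private v4 address.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> list[str]:
    """Return every A/AAAA address for host: a name may map to several, some of them private."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _looks_like_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is a private IPv4 address in disguise
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, the cloud
    # metadata range), CGNAT 100.64/10, ULA fc00::/7 and the unspecified address
    return (not ip.is_global) or ip.is_multicast


def is_safe_destination(
    url: str,
    resolve: Callable[[str], Iterable[str]] = resolve_all,
    allowed_hosts: Optional[set[str]] = None,
) -> bool:
    """True only if every address the URL can reach is public (and the host is allowlisted, if a list is given)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # no file://, gopher://, dict://
        return False
    if parts.username or parts.password:  # http://trusted.example@10.0.0.1/ puts the real host after '@'
        return False
    host = parts.hostname
    if not host:
        return False
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False
    try:
        addrs = [host] if _looks_like_ip(host) else list(resolve(host))
        return bool(addrs) and not any(_is_internal(a) for a in addrs)
    except (OSError, ValueError):  # resolution failed or an address we could not parse: fail closed
        return False


# Constructed DNS table so the example runs offline; a real deployment uses resolve_all
FAKE_DNS = {
    "api.partner.example": ["1.1.1.1"],
    "rebind.example": ["1.1.1.1", "10.0.0.5"],   # one public and one private record
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/orders",
        "https://rebind.example/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/",
        "http://api.partner.example@10.0.0.1/",
    ):
        print(f"{candidate:45} -> {'allow' if is_safe_destination(candidate, resolve=fake_resolve) else 'block'}")
```

Two caveats the check alone does not cover: DNS rebinding (the name resolves to a public address during the check and to a private one when the HTTP client connects), so connect to the address you validated rather than re-resolving; and redirects, which must either be disabled or re-validated hop by hop.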

Security Scanning Tools

| Type | Purpose | Tools |
|---|---|---|
| SAST | Static analysis of source code | SonarQube, Semgrep |
| DAST | Dynamic testing of the running application | OWASP ZAP, Burp Suite |
| SCA | Known vulnerabilities in dependencies | Snyk, Dependabot |
| Container | Image scanning | Trivy, Grype |
| Secrets | Detection of committed credentials | GitLeaks, TruffleHog |

Examples

Example 1: Secure Authentication

python
import os
import secrets
from datetime import datetime, timedelta, timezone

from fastapi import Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer
from jose import JWTError, jwt
from passlib.context import CryptContext

# Never hard-code the signing key: load it from the environment or a secrets manager
SECRET_KEY = os.environ["JWT_SECRET_KEY"]
ALGORITHM = "HS256"
ACCESS_TOKEN_TTL = timedelta(minutes=15)  # short-lived; pair with refresh tokens

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

def hash_password(password: str) -> str:
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    return pwd_context.verify(plain, hashed)

def create_token(user_id: str) -> str:
    now = datetime.now(timezone.utc)
    return jwt.encode(
        {"sub": user_id, "iat": now, "exp": now + ACCESS_TOKEN_TTL,
         "jti": secrets.token_urlsafe(16)},  # unique id so the token can be revoked
        SECRET_KEY,
        algorithm=ALGORITHM,
    )

def get_current_user_id(token: str = Depends(oauth2_scheme)) -> str:
    try:
        # Pin the algorithm list; never let the token's own "alg" header choose it
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except JWTError:
        raise HTTPException(status_code=401, detail="Invalid or expired token")
    user_id = payload.get("sub")
    if not user_id:
        raise HTTPException(status_code=401, detail="Invalid token")
    return user_id

Example 2: SQL Injection Prevention

python
# BAD - vulnerable to SQL injection: user input becomes part of the SQL text,
# so a quote in the input ends the literal and the rest is parsed as SQL
def get_user_bad(user_id: str):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    return db.execute(query)

# GOOD - parameterized query: the value is sent to the database separately from
# the statement, so it can only ever be compared, never parsed (":id" is the
# named-parameter style used by SQLAlchemy text(); sqlite3 uses "?", psycopg "%s")
def get_user_good(user_id: str):
    query = "SELECT * FROM users WHERE id = :id"
    return db.execute(query, {"id": user_id})
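To see the difference rather than take it on faith, here is the same pair of functions run against an in-memory SQLite database, as an added example that is not part of the original page or project. The seed rows are constructed; `make_db`, `list_users_sorted` and `SORTABLE_COLUMNS` are names introduced here. It also goes one step beyond the page: bind parameters carry values only, so a user-chosen `ORDER BY` column cannot be bound and has to go through an allowlist instead.

```python
import sqlite3

# Constructed sample data so the example runs offline
SEED_USERS = [
    ("u1", "alice@example.test", "admin"),
    ("u2", "bob@example.test", "user"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def get_user_bad(conn: sqlite3.Connection, user_id: str) -> list:
    # Input is spliced into the SQL text: the quote in the input ends the literal
    query = f"SELECT id, email FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def get_user_good(conn: sqlite3.Connection, user_id: str) -> list:
    # The value travels to the engine separately from the statement and is only ever compared
    return conn.execute("SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()


# Identifiers and keywords cannot be bound, so anything user-controlled in that
# position is checked against a fixed allowlist before it touches the SQL string
SORTABLE_COLUMNS = {"id", "email", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str, descending: bool = False) -> list:
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction = "DESC" if descending else "ASC"
    return conn.execute(f"SELECT id FROM users ORDER BY {sort_by} {direction}").fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable  :", get_user_bad(conn, tautology))    # every row comes back
    print("parameterized:", get_user_good(conn, tautology))  # no row has that literal id
    exfil = "x' UNION SELECT role, email FROM users --"
    print("union leak  :", get_user_bad(conn, exfil))        # another column's data is read out
```

Note that the classic `'; DROP TABLE users; --` payload from the test template below does nothing here: the `sqlite3` module refuses to execute more than one statement per call and raises instead. Other drivers do allow stacked statements, which is why the tautology and `UNION` payloads are the more reliable way to demonstrate the bug.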

Example 3: Security Headers

python
from fastapi import FastAPI
from starlette.middleware.base import BaseHTTPMiddleware

class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        # Stop browsers from MIME-sniffing a response into a script or stylesheet
        response.headers["X-Content-Type-Options"] = "nosniff"
        # Forbid framing (clickjacking); CSP frame-ancestors below covers modern browsers
        response.headers["X-Frame-Options"] = "DENY"
        # The legacy XSS auditor has been removed from modern browsers and was itself
        # abusable, so disable it explicitly rather than setting "1; mode=block"
        response.headers["X-XSS-Protection"] = "0"
        # Serve only over HTTPS; includeSubDomains so no http:// subdomain can leak cookies
        response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
        response.headers["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'"
        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
        return response

app = FastAPI()
app.add_middleware(SecurityHeadersMiddleware)

Compliance Checklists

GDPR

  • Lawful basis for processing
  • Data minimization
  • Right to access/deletion
  • Breach notification (72h)
  • DPO if required

PCI-DSS

  • Encrypt cardholder data
  • No CVV storage
  • Access controls
  • Regular testing
  • Audit logging

Troubleshooting

Common Issues

| Issue | Cause | Solution |
|---|---|---|
| Token expired | Short TTL | Keep the short TTL; issue refresh tokens for re-authentication |
| CORS blocked | Missing headers | Configure CORS with an explicit origin allowlist (never `*` with credentials) |
| Weak encryption | Old algorithms | Use AES-256-GCM, RSA-2048+ (or ECDSA/Ed25519) |
| SQL injection | String concatenation | Use parameterized queries |
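The "Token expired" row and Example 1 both point at refresh tokens without showing how to issue them safely. The store below is an added example, not code from the original page or project: it implements single-use refresh tokens with rotation and reuse detection, the pattern recommended in the OAuth 2.0 Security Best Current Practice, in memory and without a framework dependency. `RefreshTokenStore`, `RefreshError`, `try_rotate` and `demo_stolen_token` are names introduced here; the `now` callback exists so expiry can be exercised with a fake clock.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


class RefreshError(Exception):
    """Raised when a refresh token cannot be exchanged."""


@dataclass
class _Record:
    user_id: str
    family: str        # one family per login; rotation keeps the family and changes the token
    expires_at: float
    used: bool = False


class RefreshTokenStore:
    """Single-use refresh tokens with rotation and reuse detection."""

    def __init__(self, ttl_seconds: float = 14 * 24 * 3600, now: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.now = now
        self._records: Dict[str, _Record] = {}     # keyed by SHA-256 of the token, never the token
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _key(token: str) -> str:
        # A leaked table must not yield usable tokens. Tokens are 256-bit random
        # values, so a plain SHA-256 (no salt, no slow hash) is sufficient here.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = _Record(user_id, family or secrets.token_hex(8), self.now() + self.ttl)
        return token

    def rotate(self, presented: str) -> Tuple[str, str]:
        """Exchange a refresh token for (user_id, new_refresh_token); the presented one dies."""
        rec = self._records.get(self._key(presented))
        if rec is None:
            raise RefreshError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise RefreshError("session revoked")
        if rec.used:
            # An already-rotated token is being replayed: either the client lost a response
            # or an attacker holds a stolen copy. We cannot tell which, so the whole family
            # is revoked and the legitimate user has to log in again.
            self._revoked_families.add(rec.family)
            raise RefreshError("refresh token reuse detected; session revoked")
        if rec.expires_at <= self.now():
            raise RefreshError("refresh token expired")
        rec.used = True
        return rec.user_id, self.issue(rec.user_id, rec.family)

    def revoke_user(self, user_id: str) -> None:
        """Logout everywhere: revoke every family belonging to user_id."""
        for rec in self._records.values():
            if rec.user_id == user_id:
                self._revoked_families.add(rec.family)


def try_rotate(store: RefreshTokenStore, token: str) -> Optional[str]:
    """New refresh token on success, None when the exchange is refused."""
    try:
        return store.rotate(token)[1]
    except RefreshError:
        return None


def demo_stolen_token() -> Dict[str, bool]:
    """Walk through a theft: the attacker copies t1, the user rotates first, the attacker replays."""
    store = RefreshTokenStore()
    t1 = store.issue("alice")
    t2 = try_rotate(store, t1)                         # legitimate refresh
    return {
        "first_rotation_ok": t2 is not None and t2 != t1,
        "replay_rejected": try_rotate(store, t1) is None,        # stolen, already-used copy
        "family_revoked": try_rotate(store, t2 or "") is None,   # victim's live token is dead too
    }


if __name__ == "__main__":
    print(demo_stolen_token())  # {'first_rotation_ok': True, 'replay_rejected': True, 'family_revoked': True}
```

The access token itself stays a short-lived JWT as in Example 1; only the opaque refresh token is stored server-side, which is what makes revocation possible without a JWT blocklist. In production the dictionary becomes a database table with the same three columns plus the family revocation set.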

Incident Response

code
Incident Detected
    │
    ├─→ Contain: Isolate affected systems
    ├─→ Assess: Determine scope
    ├─→ Remediate: Fix vulnerability
    ├─→ Recover: Restore services
    └─→ Post-mortem: Document & improve

Test Template

python
# tests/test_security.py
import pytest
from fastapi.testclient import TestClient

# Assumed import paths: point these at wherever the examples above live in your project
from app.main import app
from app.security import hash_password, verify_password
from app.users import get_user_good as get_user


@pytest.fixture
def client():
    return TestClient(app)


class TestSecurityControls:
    def test_password_is_hashed(self):
        password = "secure123"
        hashed = hash_password(password)
        assert password not in hashed
        assert hashed.startswith("$2")  # bcrypt hashes carry a "$2a$"/"$2b$" prefix
        assert verify_password(password, hashed)
        assert not verify_password("wrong-password", hashed)

    def test_sql_injection_prevented(self):
        malicious_input = "'; DROP TABLE users; --"
        # A parameterized query treats this as a literal id: no row matches and the table survives
        result = get_user(malicious_input)
        assert result is None  # assumes the lookup helper returns None when no row matches

    def test_auth_required_for_protected_routes(self, client):
        response = client.get("/api/v1/users/me")
        assert response.status_code == 401

    def test_tampered_token_rejected(self, client):
        response = client.get("/api/v1/users/me", headers={"Authorization": "Bearer not.a.jwt"})
        assert response.status_code == 401

Resources