Security Audit Creation Skill
Purpose: Generate comprehensive security audit documentation. Ensures security reviews are thorough and remediation is tracked.
Trigger
When: Pre-deployment review OR compliance audit OR security concern raised
Context Needed: Code to review, threat model, compliance requirements
MCP Tools: mcp_payment-syste_search_full_text, read_file, grep_search
Required Sections
```markdown
# [Feature/System] - Security Audit

## Audit Metadata
- Date: YYYY-MM-DD
- Auditor: @username
- Scope: [description]
- Classification: internal | confidential

## Executive Summary
[High-level findings]

## Threat Model
### Assets
- [asset]: [classification]

### Threat Actors
- [actor]: [capability]

### Attack Vectors
- [vector]: [mitigation]

## Findings
### Critical
| ID  | Title | Status | Remediation |
| :-- | :---- | :----- | :---------- |

### High
...

### Medium
...

### Low
...

## Compliance Status
- [ ] OWASP Top 10
- [ ] PCI-DSS (if applicable)
- [ ] GDPR (if applicable)
```
OWASP Top 10 Checklist
```markdown
## OWASP Top 10 (2021)
| #   | Category                  | Status   | Notes |
| :-- | :------------------------ | :------- | :---- |
| A01 | Broken Access Control     | ✅/⚠️/❌ |       |
| A02 | Cryptographic Failures    | ✅/⚠️/❌ |       |
| A03 | Injection                 | ✅/⚠️/❌ |       |
| A04 | Insecure Design           | ✅/⚠️/❌ |       |
| A05 | Security Misconfiguration | ✅/⚠️/❌ |       |
| A06 | Vulnerable Components     | ✅/⚠️/❌ |       |
| A07 | Auth Failures             | ✅/⚠️/❌ |       |
| A08 | Software/Data Integrity   | ✅/⚠️/❌ |       |
| A09 | Security Logging          | ✅/⚠️/❌ |       |
| A10 | SSRF                      | ✅/⚠️/❌ |       |
```
Finding Format
```markdown
### FINDING-001: [Title]
**Severity:** Critical | High | Medium | Low
**Category:** OWASP A0X
**Status:** Open | In Progress | Resolved
**Description:** [What was found]
**Impact:** [Potential damage]
**Reproduction:**
1. [step]
2. [step]
**Recommendation:** [How to fix]
**Remediation Timeline:**
- Target: YYYY-MM-DD
- Owner: @username
```
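The template above is only useful for tracking remediation if every finding is filled in consistently. The following Python is an added example (not part of this skill) that parses findings written in the FINDING-NNN format, reports fields that are missing or outside the template's vocabulary, and lists findings whose target date has passed without reaching Resolved. It assumes the field lines appear exactly as in the template and uses a constructed two-finding sample; requires Python 3.9+.

```python
import re
from datetime import date
SEVERITIES = ("Critical", "High", "Medium", "Low")        # vocabulary from the template
STATUSES = ("Open", "In Progress", "Resolved")
HEADER_RE = re.compile(r"^### (FINDING-\d{3}): (.+)$", re.M)
FIELD_RE = re.compile(r"\*\*(Severity|Category|Status):\*\*\s*(.+)")
TARGET_RE = re.compile(r"- Target:\s*(\d{4}-\d{2}-\d{2})")
OWNER_RE = re.compile(r"- Owner:\s*(@\S+)")

def parse_findings(doc: str) -> list[dict]:  # one dict per FINDING-NNN block
    findings, heads = [], list(HEADER_RE.finditer(doc))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(doc)
        block = doc[m.start():end]  # text up to the next finding header
        f = {"id": m.group(1), "title": m.group(2).strip()}
        for key, val in FIELD_RE.findall(block):
            f[key.lower()] = val.strip()
        t, o = TARGET_RE.search(block), OWNER_RE.search(block)
        f["target"] = date.fromisoformat(t.group(1)) if t else None
        f["owner"] = o.group(1) if o else None
        findings.append(f)
    return findings

def validate(f: dict) -> list[str]:
    """Names of template fields that are missing or off-vocabulary; [] means well-formed."""
    checks = {
        "severity": f.get("severity") in SEVERITIES,
        "status": f.get("status") in STATUSES,
        "category": bool(re.fullmatch(r"OWASP A(0[1-9]|10)", f.get("category", ""))),
        "remediation timeline": bool(f.get("target") and f.get("owner")),
    }
    return [name for name, ok in checks.items() if not ok]

def overdue(findings: list[dict], today_iso: str) -> list[str]:
    """IDs not yet Resolved whose target date is already past: what the audit should chase."""
    today = date.fromisoformat(today_iso)
    return [f["id"] for f in findings
            if f.get("status") != "Resolved" and f["target"] and f["target"] < today]

# Constructed sample in the template format (not from a real audit); FINDING-002 is incomplete.
SAMPLE = """### FINDING-001: Missing rate limit on login
**Severity:** High
**Category:** OWASP A07
**Status:** Open
- Target: 2024-01-15
- Owner: @alice
### FINDING-002: Verbose stack traces in error pages
**Severity:** Medium
**Status:** In Progress
"""
```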