AgentSkillsCN

security-assessment

针对漏洞评估、渗透测试、安全审计与合规审查,构建结构化的安全评估工作流。适用于在开展安全评估、制定评估范围、记录发现结果、生成修复方案,或遵循 NIST、CIS、ISO 27001 等安全框架时使用。

SKILL.md
--- frontmatter
name: security-assessment
description: "Structured security assessment workflows for vulnerability assessments, penetration testing, security audits, and compliance reviews. Use when conducting security assessments, creating assessment scopes, documenting findings, generating remediation plans, or following security frameworks like NIST, CIS, ISO 27001."

Security Assessment Workflows

Overview

Standardized workflows for conducting security assessments across vulnerability management, penetration testing, and compliance audits.

Assessment Types

TypeScopeOutput
Vulnerability AssessmentInfrastructure, applicationsPrioritized findings, remediation plan
Penetration TestDefined targetsAttack narrative, evidence, recommendations
Security AuditControls, policiesCompliance gaps, control effectiveness
Risk AssessmentBusiness processesRisk register, treatment plan

Vulnerability Assessment Workflow

Phase 1: Scoping

python
SCOPE_TEMPLATE = {
    "assessment_name": str,
    "assessment_type": "vulnerability_assessment",
    "start_date": str,  # ISO date
    "end_date": str,
    "assessor": str,
    "stakeholders": list,
    "in_scope": {
        "ip_ranges": [],      # ["10.0.0.0/24", "192.168.1.0/24"]
        "hostnames": [],      # ["*.company.com"]
        "applications": [],   # ["App1", "App2"]
        "cloud_accounts": [], # ["AWS:123456789", "Azure:sub-id"]
        "exclusions": []      # Explicitly excluded targets
    },
    "data_sources": [],       # ["crowdstrike", "wiz", "snyk"]
    "scan_types": [],         # ["infrastructure", "container", "code"]
    "risk_rating_methodology": "CVSS+EPSS+KEV",
    "reporting_requirements": {
        "executive_summary": True,
        "technical_report": True,
        "remediation_tracker": True
    }
}

Phase 2: Discovery & Scanning

markdown
1. **Asset Discovery**
   - Pull asset inventory from Discover/EASM
   - Correlate with CMDB
   - Identify unmanaged assets
   
2. **Vulnerability Scanning**
   - Infrastructure: CrowdStrike Spotlight, Tenable, Qualys
   - Containers: Wiz, Snyk Container
   - Code: Snyk Code, SonarQube
   - Cloud: Prisma Cloud, Wiz CSPM
   
3. **Data Aggregation**
   - Normalize findings (see vuln-report-generator skill)
   - Deduplicate across sources
   - Enrich with KEV/EPSS (see cisa-kev-nvd skill)

Phase 3: Analysis & Prioritization

python
def prioritize_findings(vulns: list, asset_context: dict) -> list:
    """Prioritize vulnerabilities with business context."""
    for v in vulns:
        # Base risk score
        score = calculate_risk_score(v)
        
        # Asset context adjustments
        asset = v.get("affected_asset", {})
        hostname = asset.get("hostname", "")
        
        # Check business criticality
        if hostname in asset_context.get("critical_assets", []):
            score *= 1.5
        
        # Check internet exposure
        if hostname in asset_context.get("internet_facing", []):
            score *= 1.3
        
        # Check compensating controls
        if hostname in asset_context.get("isolated_network", []):
            score *= 0.8
        
        v["adjusted_risk_score"] = min(score, 100)
    
    return sorted(vulns, key=lambda x: x["adjusted_risk_score"], reverse=True)

Phase 4: Reporting

See vuln-report-generator skill for report templates.

Penetration Test Workflow

Engagement Phases

markdown
1. **Pre-Engagement**
   - Rules of engagement (ROE)
   - Scope definition
   - Authorization documentation
   - Emergency contacts
   
2. **Reconnaissance**
   - Passive: OSINT, DNS, certificate transparency
   - Active: Port scanning, service enumeration
   
3. **Vulnerability Analysis**
   - Automated scanning
   - Manual testing
   - Configuration review
   
4. **Exploitation**
   - Proof-of-concept development
   - Controlled exploitation
   - Evidence collection
   
5. **Post-Exploitation**
   - Privilege escalation
   - Lateral movement
   - Data access assessment
   
6. **Reporting**
   - Executive summary
   - Technical findings
   - Attack narrative
   - Remediation guidance

Finding Documentation

python
PENTEST_FINDING = {
    "id": str,
    "title": str,
    "severity": str,  # Critical, High, Medium, Low, Informational
    "cvss_score": float,
    "affected_systems": list,
    "description": str,
    "technical_details": str,
    "proof_of_concept": str,
    "evidence": [
        {"type": "screenshot", "path": str, "description": str},
        {"type": "log", "content": str}
    ],
    "business_impact": str,
    "remediation": {
        "short_term": str,
        "long_term": str,
        "effort": str
    },
    "references": list,  # CVEs, CWEs, external links
    "mitre_attack": list  # Technique IDs
}

Compliance Assessment Workflow

Framework Mapping

python
FRAMEWORKS = {
    "NIST_CSF": {
        "domains": ["Identify", "Protect", "Detect", "Respond", "Recover"],
        "control_count": 108
    },
    "CIS_CONTROLS": {
        "version": "8",
        "implementation_groups": ["IG1", "IG2", "IG3"],
        "control_count": 18
    },
    "ISO_27001": {
        "version": "2022",
        "domains": 4,
        "control_count": 93
    },
    "SOC2": {
        "trust_criteria": ["Security", "Availability", "Processing Integrity", 
                          "Confidentiality", "Privacy"]
    },
    "PCI_DSS": {
        "version": "4.0",
        "requirements": 12
    }
}

Control Assessment

python
CONTROL_ASSESSMENT = {
    "control_id": str,
    "control_name": str,
    "framework": str,
    "assessment_status": str,  # Not Assessed, Compliant, Partially Compliant, Non-Compliant, N/A
    "evidence": list,
    "gaps": list,
    "compensating_controls": list,
    "remediation_plan": str,
    "owner": str,
    "due_date": str,
    "notes": str
}

def assess_control(control_id: str, evidence: list, criteria: dict) -> dict:
    """Assess control compliance."""
    met_criteria = sum(1 for c in criteria.values() if c.get("met"))
    total_criteria = len(criteria)
    
    if met_criteria == total_criteria:
        status = "Compliant"
    elif met_criteria > 0:
        status = "Partially Compliant"
    else:
        status = "Non-Compliant"
    
    return {
        "control_id": control_id,
        "assessment_status": status,
        "compliance_percentage": (met_criteria / total_criteria) * 100,
        "gaps": [k for k, v in criteria.items() if not v.get("met")],
        "evidence": evidence
    }

Risk Assessment Workflow

Risk Register Template

python
RISK_ENTRY = {
    "risk_id": str,
    "risk_name": str,
    "description": str,
    "category": str,  # Technical, Operational, Compliance, Strategic
    "threat_source": str,
    "vulnerability": str,
    "asset_affected": str,
    "likelihood": int,  # 1-5
    "impact": int,      # 1-5
    "inherent_risk": int,  # likelihood * impact
    "existing_controls": list,
    "control_effectiveness": str,  # Effective, Partially Effective, Ineffective
    "residual_likelihood": int,
    "residual_impact": int,
    "residual_risk": int,
    "risk_treatment": str,  # Accept, Mitigate, Transfer, Avoid
    "treatment_plan": str,
    "risk_owner": str,
    "review_date": str
}

def calculate_risk_level(likelihood: int, impact: int) -> str:
    """Calculate risk level from likelihood and impact."""
    score = likelihood * impact
    if score >= 20:
        return "Critical"
    elif score >= 12:
        return "High"
    elif score >= 6:
        return "Medium"
    else:
        return "Low"

Assessment Checklist

markdown
### Pre-Assessment
- [ ] Scope document signed
- [ ] Authorization obtained
- [ ] Stakeholders identified
- [ ] Communication plan established
- [ ] Tools configured
- [ ] Data sources accessible

### During Assessment
- [ ] Discovery complete
- [ ] Scans executed
- [ ] Findings documented
- [ ] Evidence collected
- [ ] Initial prioritization done

### Post-Assessment
- [ ] Findings validated
- [ ] Risk scores calculated
- [ ] Reports generated
- [ ] Stakeholder review
- [ ] Remediation plan created
- [ ] Lessons learned documented