AgentSkillsCN

security-expert

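Expert in application and infrastructure security, covering OWASP standards, penetration testing, secure coding and threat modeling. Use this skill when: (1) conducting application security audits to identify potential vulnerabilities; (2) implementing static and dynamic security testing such as SAST, DAST and IAST; (3) following secure coding best practices to avoid common security flaws; (4) performing threat modeling and risk analysis to identify the potential attack surface early; (5) running penetration tests to verify system security; (6) ensuring the system complies with standards such as GDPR, SOC2 or ISO27001.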

SKILL.md
--- frontmatter
name: security-expert
description: |-
  Expert securite applicative et infrastructure - OWASP, pentest, secure coding, threat modeling. Utilise ce skill quand: (1) audit de securite applicative, (2) implementation SAST/DAST/IAST, (3) secure coding practices, (4) threat modeling et analyse de risques, (5) tests de penetration, (6) conformite RGPD/SOC2/ISO27001.
metadata:
  version: 1.0.0
  status: active

Security Expert Skill

Quick Start

bash
# 1. Quick navigation to an agent
security-expert/agents/appsec/sast              # Static code analysis
security-expert/agents/appsec/dast              # Dynamic testing
security-expert/agents/secure-coding/validation # Input validation
security-expert/agents/threat-modeling/stride   # STRIDE methodology
security-expert/agents/penetration/owasp-top10  # OWASP Top 10 tests
security-expert/agents/compliance/rgpd          # GDPR implementation

# 2. Run the validation tests
cd .web-agency/skills/security-expert && npm test

# 3. Frequently asked questions
"How do I implement SAST in my CI?"         -> appsec/sast
"How do I validate user input?"             -> secure-coding/validation
"How do I threat model my app?"             -> threat-modeling/stride
"How do I test for OWASP vulnerabilities?"  -> penetration/owasp-top10
"How do I implement GDPR technically?"      -> compliance/rgpd

Position in the Architecture

This skill is at LEVEL 3: IMPLEMENTATION. It implements the security policies defined by direction-technique/securite.

code
+----------------------------------------------------------------------------+
|  LEVEL 1: STRATEGY (direction-technique/securite)                          |
|  -> WHY: security policy, compliance requirements, budget                  |
+----------------------------------------------------------------------------+
|  LEVEL 2: PROCESS                                                          |
|  +----------------------------+  +----------------------------+            |
|  |     testing-process        |  |       web-dev-process      |            |
|  |  security/ (methodology)   |  |  testing/security/         |            |
|  |  WHAT: which tests to run  |  |  WHAT: when to test        |            |
|  +----------------------------+  +----------------------------+            |
+----------------------------------------------------------------------------+
|  LEVEL 3: IMPLEMENTATION                                                   |
|  +------------------------------------------------------------------+      |
|  |                    security-expert <- THIS SKILL                 |      |
|  |  HOW: SAST, DAST, secure coding, pentest, compliance impl        |      |
|  +------------------------------------------------------------------+      |
+----------------------------------------------------------------------------+

Philosophy

Secure by design, validate continuously.

This skill:

  • Implements security tooling (SAST, DAST, IAST)
  • Guides secure coding with concrete patterns
  • Produces threat models and risk analyses
  • Runs penetration tests
  • Implements compliance (GDPR, SOC2, ISO27001)

It does NOT handle:

  • Strategic security decisions -> direction-technique/securite
  • Definition of security testing processes -> testing-process/security
  • Incident management -> direction-technique/support/gestion-incidents
  • Secure infrastructure configuration -> devops/infrastructure

Domains and Agents (24 agents)

1. appsec/ - Application Security (5 agents)

Tooling and implementation of application security.

| Agent | Responsibility | Technologies |
|---|---|---|
| orchestrator | AppSec coordination | - |
| sast | Static code analysis | SonarQube, Semgrep, CodeQL |
| dast | Dynamic testing | OWASP ZAP, Burp Suite, Nuclei |
| iast | Runtime instrumentation | Contrast, Hdiv |
| sca | Dependency analysis | Snyk, npm audit, Dependabot |

2. secure-coding/ - Secure Development (5 agents)

Secure coding patterns and practices.

| Agent | Responsibility | Technologies |
|---|---|---|
| orchestrator | Secure coding coordination | - |
| validation | Input validation | Zod, Joi, express-validator |
| authentication | Secure authentication | JWT, OAuth2, OIDC, MFA |
| authorization | Access control | RBAC, ABAC, policies |
| cryptography | Encryption and hashing | bcrypt, argon2, AES, RSA |

3. threat-modeling/ - Threat Modeling (4 agents)

Identification and analysis of risks.

| Agent | Responsibility | Technologies |
|---|---|---|
| orchestrator | Threat modeling coordination | - |
| stride | STRIDE methodology | Diagrams, matrices |
| attack-trees | Attack trees | Threat modeling tools |
| risk-assessment | Risk assessment | CVSS, risk matrices |

4. penetration/ - Penetration Testing (5 agents)

Offensive testing and vulnerability identification.

| Agent | Responsibility | Technologies |
|---|---|---|
| orchestrator | Pentest coordination | - |
| owasp-top10 | OWASP Top 10 tests | Injection, XSS, CSRF, etc. |
| api-security | API security | OWASP API Top 10 |
| web-vulnerabilities | Web vulnerabilities | SQLi, XSS, SSRF, IDOR |
| reporting | Pentest reports | Templates, CVSS, remediation |

5. compliance/ - Compliance (5 agents)

Implementation of compliance standards.

| Agent | Responsibility | Technologies |
|---|---|---|
| orchestrator | Compliance coordination | - |
| rgpd | GDPR implementation | Consent, DPO, rights |
| soc2 | SOC2 compliance | Controls, evidence, audit |
| iso27001 | ISO 27001 implementation | ISMS, controls, certification |
| pci-dss | PCI DSS compliance | Payment cards, tokenization |

Total: 24 specialized agents

Routing Rules

By Question Type

| Question | Domain |
|---|---|
| SAST, DAST, code analysis, scan | appsec/ |
| Validation, auth, encryption, secure code | secure-coding/ |
| Threat model, STRIDE, risks, attacks | threat-modeling/ |
| Pentest, OWASP, vulnerabilities, injection | penetration/ |
| GDPR, SOC2, ISO27001, compliance | compliance/ |

By Keywords

| Keywords | Domain/Agent |
|---|---|
| SonarQube, Semgrep, CodeQL, static analysis | appsec/sast |
| ZAP, Burp, dynamic scan, fuzzing | appsec/dast |
| Snyk, npm audit, dependencies, CVE | appsec/sca |
| input validation, sanitize, escape, Zod | secure-coding/validation |
| JWT, OAuth, session, MFA, auth | secure-coding/authentication |
| RBAC, permissions, policies, access control | secure-coding/authorization |
| bcrypt, hash, encrypt, AES, RSA, salt | secure-coding/cryptography |
| STRIDE, threat model, DFD, trust boundary | threat-modeling/stride |
| attack tree, kill chain, threat actor | threat-modeling/attack-trees |
| CVSS, risk matrix, impact, likelihood | threat-modeling/risk-assessment |
| OWASP Top 10, injection, XSS, CSRF | penetration/owasp-top10 |
| API security, broken auth, mass assignment | penetration/api-security |
| SQLi, SSRF, IDOR, path traversal | penetration/web-vulnerabilities |
| RGPD, GDPR, consent, DPO, rights | compliance/rgpd |
| SOC2, audit trail, evidence, controls | compliance/soc2 |

Decision Tree

code
Security request
|
+-- Is it about scanning/analysis tools?
|   +-- Static code analysis -> appsec/sast
|   +-- Dynamic testing -> appsec/dast
|   +-- Runtime instrumentation -> appsec/iast
|   +-- Vulnerable dependencies -> appsec/sca
|
+-- Is it about secure code?
|   +-- Input validation -> secure-coding/validation
|   +-- Authentication -> secure-coding/authentication
|   +-- Authorization -> secure-coding/authorization
|   +-- Encryption -> secure-coding/cryptography
|
+-- Is it about risk analysis?
|   +-- STRIDE threat modeling -> threat-modeling/stride
|   +-- Attack trees -> threat-modeling/attack-trees
|   +-- Risk assessment -> threat-modeling/risk-assessment
|
+-- Is it about penetration testing?
|   +-- OWASP Top 10 -> penetration/owasp-top10
|   +-- API security -> penetration/api-security
|   +-- Specific web vulnerabilities -> penetration/web-vulnerabilities
|   +-- Pentest reports -> penetration/reporting
|
+-- Is it about compliance?
|   +-- RGPD/GDPR -> compliance/rgpd
|   +-- SOC2 -> compliance/soc2
|   +-- ISO 27001 -> compliance/iso27001
|   +-- PCI DSS -> compliance/pci-dss
|
+-- Strategic security decision?
|   +-- -> direction-technique/securite
|
+-- Security testing methodology?
    +-- -> testing-process/security

Interaction with Other Skills

Inbound Flows

code
direction-technique/securite --> security-expert (policy -> implementation)
testing-process/security --> security-expert (methodology -> tools)
web-dev-process/testing --> security-expert (testing phase -> execution)

Outbound Flows

code
security-expert --> backend-developer (secure backend patterns)
security-expert --> frontend-developer (secure frontend patterns)
security-expert --> devops (security CI/CD integration)

Escalation Points

To direction-technique

| Situation | Reason |
|---|---|
| Critical vulnerability found | Urgent remediation decision |
| Major non-compliance | Legal/business impact |
| Choice of security tools | Strategic decision |
| Security budget | Financial approval |

To a human

| Situation | Reason |
|---|---|
| Pentest on production | Explicit authorization required |
| Suspected data leak | Legal liability |
| Security architecture choice | Business impact |
| Destructive tests | Operational risk |

Security Principles

Defense in Depth

code
+------------------------------------------+
|              WAF / CDN                   |
|  +------------------------------------+  |
|  |         Load Balancer              |  |
|  |  +------------------------------+  |  |
|  |  |    Application (validated)   |  |  |
|  |  |  +-----------------------+   |  |  |
|  |  |  |   Business Logic     |   |  |  |
|  |  |  |  +----------------+  |   |  |  |
|  |  |  |  | Data (encrypted)|  |   |  |  |
|  |  |  |  +----------------+  |   |  |  |
|  |  |  +-----------------------+   |  |  |
|  |  +------------------------------+  |  |
|  +------------------------------------+  |
+------------------------------------------+

OWASP Top 10 Coverage

| # | Vulnerability | Agent(s) |
|---|---|---|
| A01 | Broken Access Control | secure-coding/authorization, penetration/owasp-top10 |
| A02 | Cryptographic Failures | secure-coding/cryptography |
| A03 | Injection | secure-coding/validation, penetration/web-vulnerabilities |
| A04 | Insecure Design | threat-modeling/stride |
| A05 | Security Misconfiguration | appsec/sast, devops/containers/security |
| A06 | Vulnerable Components | appsec/sca |
| A07 | Auth Failures | secure-coding/authentication |
| A08 | Software & Data Integrity | appsec/sast, devops/cicd |
| A09 | Logging & Monitoring | devops/monitoring |
| A10 | SSRF | penetration/web-vulnerabilities |

Related Skills

| Skill | Level | Relation |
|---|---|---|
| direction-technique | STRATEGY | Receives the security policies |
| testing-process | PROCESS | Follows the testing methodology |
| devops | IMPLEMENTATION | CI/CD integration |
| backend-developer | IMPLEMENTATION | Secure backend patterns |
| frontend-developer | IMPLEMENTATION | Secure frontend patterns |

Changelog

v1.0.0

  • Initial creation with 5 domains and 24 agents
  • Position: LEVEL 3 IMPLEMENTATION
  • Coverage: appsec, secure-coding, threat-modeling, penetration, compliance