AgentSkillsCN

security

Use for cross-cutting security concerns that apply to all languages, frameworks, and platforms. Covers OWASP standards, threat modeling, authentication, cryptography, supply chain security, and AI security. Use for: application security strategy, security architecture design, selection of security controls, OWASP compliance assessment, security tool selection, secure development lifecycle implementation. Do not use for: language-specific security implementations (use the language-specific security skills), infrastructure hardening (use the IaC skills), network security appliance configuration.

SKILL.md
---
name: security
description: |
    Use when addressing cross-cutting security concerns that apply to all languages, frameworks, and platforms. Covers OWASP standards, threat modeling, authentication, cryptography, supply chain security, and AI security.
    USE FOR: application security strategy, security architecture, choosing security controls, OWASP compliance, security tool selection, secure development lifecycle
    DO NOT USE FOR: specific language security implementations (use language-specific skills), infrastructure hardening (use iac skills), network security appliance configuration
license: MIT
metadata:
  displayName: "Security"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor
---

Security

Overview

Security is a cross-cutting concern that spans every layer of software development, from design through deployment and operations. Rather than being confined to a single language or framework, security principles such as defense in depth, least privilege, and secure defaults apply universally. This skill serves as the root entry point for all security-related guidance, organizing sub-skills around the major domains of application security: standards compliance (OWASP), threat modeling, authentication and authorization, cryptography, API security, input validation, data protection, supply chain integrity, security testing, logging and monitoring, secure SDLC practices, and the emerging field of AI security. Use this skill to navigate the security landscape and identify which specialized sub-skill addresses your specific concern.

Knowledge Map

```
+-----------------------------------------------------------------------+
|                     Governance & Compliance                           |
|            (Secure SDLC, Policies, Standards, Regulations)            |
+-----------------------------------------------------------------------+
|                       Application Security                            |
|  +---------+ +--------+ +------------+ +------------+ +-----------+   |
|  |  Auth   | | Crypto | |Input/Output| |API Security| |  Hygiene  |   |
|  |(AuthN/Z)| |(TLS,HE)| | (Validate) | | (REST,GQL) | |  (Trust   |   |
|  +---------+ +--------+ +------------+ +------------+ |Boundaries)|   |
|                                                       +-----------+   |
|  +----------------------+  +--------------------------------------+   |
|  |   Data Protection    |  |         Supply Chain Security        |   |
|  | (Encryption at Rest, |  | (Dependencies, SBOMs, Signing)       |   |
|  |  Masking, PII)       |  +--------------------------------------+   |
|  +----------------------+                                             |
+-----------------------------------------------------------------------+
|                          Foundation                                   |
|  +-----------------+ +----------------+ +------------------+ +------+ |
|  | Threat Modeling | | Security Tests | | Logging/Monitor  | | Pen  | |
|  | (STRIDE,DREAD)  | | (SAST,DAST,SCA)| | (SIEM,Alerting)  | |Test &| |
|  +-----------------+ +----------------+ +------------------+ | Red  | |
|                                                              | Team | |
|                                                              +------+ |
+-----------------------------------------------------------------------+
|  <<cross-cutting>>         AI Security                                |
|  (Prompt Injection, Model Poisoning, LLM Top 10, AI Supply Chain)     |
+-----------------------------------------------------------------------+
```

Canonical Works

| Title | Author(s) | Year | Focus |
|---|---|---|---|
| The Web Application Hacker's Handbook | Dafydd Stuttard & Marcus Pinto | 2011 | Web app vulnerability discovery and exploitation techniques |
| Penetration Testing | Georgia Weidman | 2014 | Hands-on penetration testing methodology and tools |
| Red Team Development and Operations | Joe Vest & James Tubberville | 2020 | Planning and executing red team engagements |
| Threat Modeling: Designing for Security | Adam Shostack | 2014 | Systematic approach to identifying and mitigating security threats |
| NIST Cybersecurity Framework 2.0 | NIST | 2024 | Risk-based framework for managing cybersecurity across organizations |
| OWASP Top 10 (2021) | OWASP Foundation | 2021 | Top 10 most critical web application security risks |
| OWASP API Security Top 10 (2023) | OWASP Foundation | 2023 | Top 10 most critical API security risks |
| OWASP Top 10 for LLM Applications (2025) | OWASP Foundation | 2025 | Top 10 security risks specific to large language model applications |

Choosing the Right Sub-Skill

| Problem | Look In |
|---|---|
| Need to understand common web vulnerabilities and compliance baselines | owasp |
| Designing a system and need to identify threats early | threat-modeling |
| Implementing login, OAuth, SSO, or access control | authentication |
| Choosing or implementing encryption, hashing, or key management | cryptography |
| Securing REST or GraphQL APIs against abuse | api-security |
| Sanitizing user input or preventing injection attacks | input-validation |
| Enforcing sanitization and canonicalization at every component boundary (including internal data) | hygiene |
| Protecting PII, encrypting data at rest, or masking sensitive fields | data-protection |
| Auditing dependencies, generating SBOMs, or verifying artifact integrity | supply-chain |
| Running SAST, DAST, or SCA scans in CI/CD | security-testing |
| Setting up security logging, alerting, or incident detection | logging-monitoring |
| Embedding security gates into the development lifecycle | secure-sdlc |
| Securing LLM-powered applications against prompt injection or model abuse | ai-security |
| Planning or conducting authorized penetration tests against applications and infrastructure | penetration-testing |
| Adversarial red team engagements, MITRE ATT&CK simulation, purple teaming, AI red teaming | red-teaming |

Best Practices

  • Defense in depth: never rely on a single security control; layer multiple defenses so that a failure in one does not compromise the system.
  • Least privilege: grant the minimum permissions necessary for any user, service, or process to perform its function.
  • Secure defaults: ship systems in a secure configuration; require explicit action to weaken security posture rather than to strengthen it.
  • Shift left: integrate security analysis (threat modeling, SAST, dependency scanning) as early as possible in the development lifecycle.
  • Zero trust mindset: authenticate and authorize every request regardless of network location; assume the perimeter has already been breached.
  • Automate security gates: use CI/CD pipelines to enforce security scanning, secret detection, and compliance checks before code reaches production.
  • Keep dependencies current: regularly update libraries and frameworks, monitor for CVEs, and generate Software Bills of Materials (SBOMs) for auditability.
  • Treat security as a team responsibility: security is not solely the security team's job; every developer, operator, and architect shares accountability for building and maintaining secure systems.