Application Security (Deep)
Deep security skill for architecture-level security decisions: auth design, cryptography, compliance, tooling, and incident response. Basic security checks (parameterized queries, no hardcoded secrets, input validation) belong in convention-check hooks -- this skill covers the WHY and HOW of security engineering.
Task Router
| Task | Reference | |------|-----------| | OWASP Top 10, injection, broken auth, crypto failures | references/owasp-top10.md | | JWT, OAuth2/OIDC, session mgmt, RBAC/ABAC, MFA | references/authentication-authorization.md | | AES-GCM, RSA, TLS config, Vault, key lifecycle | references/cryptography-secrets.md | | Input validation, SQLi, XSS, CSRF, SSRF, file upload | references/secure-coding-patterns.md | | Semgrep, Bandit, ESLint security, ZAP, Snyk, Trivy | references/sast-dast-tools.md | | CSP, HSTS, CORS, cookie flags, rate limiting | references/security-headers-hardening.md | | API auth, rate limiting, GraphQL, gRPC, error leakage | references/api-security.md | | SOC2, GDPR, PCI-DSS, HIPAA, ISO 27001 | references/compliance-frameworks.md | | Credential leak, data breach, RCE, CVE, post-mortem | references/incident-response.md | | Container hardening, Cosign, SLSA, SBOM, supply chain | references/container-supply-chain.md |
When to Use This Skill
- Designing auth/authz architecture for a new system
- Choosing encryption algorithms or key management strategy
- Setting up SAST/DAST pipeline in CI/CD
- Preparing for SOC2/GDPR/PCI-DSS compliance audit
- Responding to a security incident or CVE
- Hardening container images and supply chain
- Reviewing API security posture
- Threat modeling a new feature
Core Principles
- Defense in depth -- layer multiple independent controls; never rely on one
- Least privilege -- minimum permissions for every component
- Fail securely -- deny access on error, not grant it
- Assume breach -- design for detection and containment, not just prevention
- Security by default -- secure config is the default; developers opt OUT, not IN
- Complete mediation -- check authorization on every access, not just login
CVSS Severity Quick Reference
| Score | Severity | Patch SLA | Examples | |-------|----------|-----------|---------| | 9.0-10.0 | Critical | 24h (4h if exploited) | RCE, SQLi with full DB access, auth bypass | | 7.0-8.9 | High | 7 days | Stored XSS, privilege escalation, SSRF | | 4.0-6.9 | Medium | 30 days | Reflected XSS, CSRF, info disclosure | | 0.1-3.9 | Low | 90 days | Open redirect, verbose errors |
Layer 3 Skills
- auth-clerk — Clerk authentication and authorization setup
- monitoring-sentry — Security incident monitoring via Sentry
Scan to join WeChat group