返回 Skill 列表
extension
分类: 开发与工程无需 API Key

security-deep

用于安全审计、漏洞分析、威胁建模、合规性以及事件响应。触发条件包括OWASP、XSS、SQL注入、CSRF、安全审计、渗透测试、笔测、CVE、漏洞、威胁模型、安全审查、SOC2、GDPR、PCI-DSS、HIPAA、合规性审计、CSP头、HSTS、CORS策略、RBAC、ABAC、密钥轮换、加密、AES-256、TLS、mTLS、bcrypt、argon2、Semgrep、OWASP ZAP、Snyk、Trivy、SBOM、容器加固、供应链安全、Cosign、SLSA、事件响应、安全态势、HashiCorp Vault、密钥管理。

person作者: jakexiaohubgithub

Application Security (Deep)

Deep security skill for architecture-level security decisions: auth design, cryptography, compliance, tooling, and incident response. Basic security checks (parameterized queries, no hardcoded secrets, input validation) belong in convention-check hooks -- this skill covers the WHY and HOW of security engineering.

Task Router

| Task | Reference | |------|-----------| | OWASP Top 10, injection, broken auth, crypto failures | references/owasp-top10.md | | JWT, OAuth2/OIDC, session mgmt, RBAC/ABAC, MFA | references/authentication-authorization.md | | AES-GCM, RSA, TLS config, Vault, key lifecycle | references/cryptography-secrets.md | | Input validation, SQLi, XSS, CSRF, SSRF, file upload | references/secure-coding-patterns.md | | Semgrep, Bandit, ESLint security, ZAP, Snyk, Trivy | references/sast-dast-tools.md | | CSP, HSTS, CORS, cookie flags, rate limiting | references/security-headers-hardening.md | | API auth, rate limiting, GraphQL, gRPC, error leakage | references/api-security.md | | SOC2, GDPR, PCI-DSS, HIPAA, ISO 27001 | references/compliance-frameworks.md | | Credential leak, data breach, RCE, CVE, post-mortem | references/incident-response.md | | Container hardening, Cosign, SLSA, SBOM, supply chain | references/container-supply-chain.md |

When to Use This Skill

  • Designing auth/authz architecture for a new system
  • Choosing encryption algorithms or key management strategy
  • Setting up SAST/DAST pipeline in CI/CD
  • Preparing for SOC2/GDPR/PCI-DSS compliance audit
  • Responding to a security incident or CVE
  • Hardening container images and supply chain
  • Reviewing API security posture
  • Threat modeling a new feature

Core Principles

  1. Defense in depth -- layer multiple independent controls; never rely on one
  2. Least privilege -- minimum permissions for every component
  3. Fail securely -- deny access on error, not grant it
  4. Assume breach -- design for detection and containment, not just prevention
  5. Security by default -- secure config is the default; developers opt OUT, not IN
  6. Complete mediation -- check authorization on every access, not just login

CVSS Severity Quick Reference

| Score | Severity | Patch SLA | Examples | |-------|----------|-----------|---------| | 9.0-10.0 | Critical | 24h (4h if exploited) | RCE, SQLi with full DB access, auth bypass | | 7.0-8.9 | High | 7 days | Stored XSS, privilege escalation, SSRF | | 4.0-6.9 | Medium | 30 days | Reflected XSS, CSRF, info disclosure | | 0.1-3.9 | Low | 90 days | Open redirect, verbose errors |

Layer 3 Skills

  • auth-clerk — Clerk authentication and authorization setup
  • monitoring-sentry — Security incident monitoring via Sentry