Marketplace
security-assessment
Execute threat modeling, vulnerability scanning, and security control validation. Use when relevant to the task.
$ Installieren
git clone https://github.com/jmagly/ai-writing-guide /tmp/ai-writing-guide && cp -r /tmp/ai-writing-guide/.factory/skills/security-assessment ~/.claude/skills/ai-writing-guide// tip: Run this command in your terminal to install the skill
SKILL.md
name: security-assessment description: Execute threat modeling, vulnerability scanning, and security control validation. Use when relevant to the task.
security-assessment
Execute threat modeling, vulnerability scanning, and security control validation.
Triggers
- "run security review"
- "security assessment"
- "threat model [component]"
- "validate security controls"
- "security scan"
- "check vulnerabilities"
Purpose
This skill orchestrates comprehensive security assessment through:
- STRIDE threat modeling
- Vulnerability pattern detection
- Security control validation
- Compliance verification
- Risk scoring and prioritization
Behavior
When triggered, this skill:
-
Determines scope:
- Component-level, system-level, or full assessment
- Identify assets and trust boundaries
- Load existing threat model if available
-
Executes threat modeling:
- Dispatch Security Architect for STRIDE analysis
- Enumerate threats per component
- Identify attack vectors
-
Runs vulnerability patterns:
- Dispatch Security Auditor for pattern scanning
- Check OWASP Top 10
- Identify secrets exposure risks
- Review dependency vulnerabilities
-
Validates controls:
- Dispatch Security Gatekeeper
- Map controls to threats
- Verify implementation
- Check coverage gaps
-
Assesses privacy:
- Dispatch Privacy Officer (if PII involved)
- Check data handling
- Verify consent mechanisms
-
Generates report:
- Risk-ranked findings
- CVSS scores where applicable
- Remediation guidance
- Compliance status
STRIDE Threat Categories
| Category | Description | Example |
|---|---|---|
| Spoofing | Impersonating something/someone | Fake user credentials |
| Tampering | Modifying data or code | SQL injection |
| Repudiation | Denying actions | Missing audit logs |
| Information Disclosure | Exposing information | Data leakage |
| Denial of Service | Disrupting availability | Resource exhaustion |
| Elevation of Privilege | Gaining unauthorized access | Broken access control |
Assessment Flow
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. SCOPE IDENTIFICATION โ
โ โข Define assessment boundary โ
โ โข Identify assets (data, services, infrastructure) โ
โ โข Map trust boundaries โ
โ โข Load existing threat model (if any) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 2. THREAT MODELING (Security Architect) โ
โ โข Data flow analysis โ
โ โข STRIDE enumeration per component โ
โ โข Attack vector identification โ
โ โข Trust boundary crossing analysis โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 3. VULNERABILITY SCANNING (Security Auditor) โ
โ โข OWASP Top 10 pattern check โ
โ โข Secrets exposure scan โ
โ โข Dependency vulnerability check โ
โ โข Configuration review โ
โ โข Code pattern analysis โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 4. CONTROL VALIDATION (Security Gatekeeper) โ
โ โข Map security requirements to controls โ
โ โข Verify control implementation โ
โ โข Check control effectiveness โ
โ โข Identify coverage gaps โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 5. PRIVACY ASSESSMENT (Privacy Officer) [if PII] โ
โ โข Data inventory review โ
โ โข Consent mechanism validation โ
โ โข Data retention compliance โ
โ โข Cross-border transfer assessment โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 6. RISK SCORING & REPORTING โ
โ โข Calculate CVSS scores โ
โ โข Prioritize by risk (likelihood ร impact) โ
โ โข Generate remediation guidance โ
โ โข Produce assessment report โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
OWASP Top 10 Checks
| # | Category | Patterns Checked |
|---|---|---|
| A01 | Broken Access Control | RBAC, ABAC, path traversal, CORS |
| A02 | Cryptographic Failures | Weak algorithms, key management, TLS |
| A03 | Injection | SQL, NoSQL, LDAP, OS command, XSS |
| A04 | Insecure Design | Threat modeling gaps, missing controls |
| A05 | Security Misconfiguration | Defaults, unnecessary features, verbose errors |
| A06 | Vulnerable Components | Outdated dependencies, known CVEs |
| A07 | Auth Failures | Password policies, MFA, session management |
| A08 | Data Integrity Failures | CI/CD security, unsigned updates |
| A09 | Logging Failures | Missing logs, sensitive data in logs |
| A10 | SSRF | Internal resource access, URL validation |
Severity Scoring
CVSS Base Metrics
severity_levels:
critical:
cvss_range: [9.0, 10.0]
description: Immediate remediation required
sla: 24 hours
high:
cvss_range: [7.0, 8.9]
description: Remediation within sprint
sla: 7 days
medium:
cvss_range: [4.0, 6.9]
description: Plan remediation
sla: 30 days
low:
cvss_range: [0.1, 3.9]
description: Address as time permits
sla: 90 days
informational:
cvss_range: [0.0, 0.0]
description: Awareness only
sla: none
Assessment Report Format
# Security Assessment Report
**Date**: 2025-12-08
**Scope**: Full System Assessment
**Assessors**: security-architect, security-auditor, security-gatekeeper
## Executive Summary
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 2 |
| Medium | 5 |
| Low | 8 |
| Informational | 3 |
**Overall Risk Level**: MEDIUM
**Recommendation**: Address high-severity findings before production deployment
## Threat Model Summary
### Trust Boundaries
1. External โ API Gateway
2. API Gateway โ Internal Services
3. Services โ Database
### STRIDE Analysis
| Component | S | T | R | I | D | E | Total |
|-----------|---|---|---|---|---|---|-------|
| API Gateway | 2 | 1 | 0 | 1 | 1 | 1 | 6 |
| Auth Service | 3 | 1 | 1 | 2 | 0 | 2 | 9 |
| Data Service | 1 | 2 | 1 | 3 | 1 | 1 | 9 |
## Findings
### HIGH-001: Insufficient Input Validation
- **Severity**: High (CVSS 7.5)
- **Component**: API Gateway
- **Category**: A03 Injection
- **Description**: User input not sanitized before database query
- **Impact**: SQL injection possible, data exfiltration risk
- **Remediation**: Implement parameterized queries, add input validation
- **Status**: Open
### HIGH-002: Missing Rate Limiting
- **Severity**: High (CVSS 7.2)
- **Component**: API Gateway
- **Category**: A05 Denial of Service
- **Description**: No rate limiting on authentication endpoints
- **Impact**: Brute force attacks, credential stuffing
- **Remediation**: Implement rate limiting, add account lockout
- **Status**: Open
### MEDIUM-001: Verbose Error Messages
...
## Control Assessment
| Control | Requirement | Status | Gap |
|---------|-------------|--------|-----|
| Authentication | MFA for privileged users | โ
Implemented | None |
| Authorization | RBAC with least privilege | โ ๏ธ Partial | Admin role too broad |
| Encryption | TLS 1.2+ for transit | โ
Implemented | None |
| Encryption | AES-256 at rest | โ ๏ธ Partial | Logs not encrypted |
| Logging | Security event logging | โ
Implemented | None |
| Monitoring | Real-time alerting | โ Missing | Not configured |
## Compliance Status
| Framework | Status | Gaps |
|-----------|--------|------|
| OWASP Top 10 | 7/10 compliant | A03, A05, A09 |
| SOC 2 | Partial | Monitoring, encryption |
| GDPR | Compliant | None identified |
## Remediation Roadmap
### Immediate (24-48 hours)
- [ ] Fix SQL injection vulnerability (HIGH-001)
- [ ] Implement rate limiting (HIGH-002)
### Short-term (1-2 weeks)
- [ ] Reduce admin role permissions
- [ ] Encrypt log storage
- [ ] Configure monitoring alerts
### Medium-term (1 month)
- [ ] Address medium-severity findings
- [ ] Complete SOC 2 gap remediation
## Next Assessment
Recommended: 30 days or after major changes
Usage Examples
Full Assessment
User: "Run security review"
Skill orchestrates:
1. Load current architecture
2. Run STRIDE analysis
3. Scan for OWASP patterns
4. Validate controls
5. Generate report
Output:
"Security Assessment Complete
Findings: 0 Critical, 2 High, 5 Medium, 8 Low
Risk Level: MEDIUM
Blocking Issues:
- HIGH-001: SQL injection risk
- HIGH-002: Missing rate limiting
Report: .aiwg/security/assessment-20251208.md"
Component Assessment
User: "Threat model the authentication service"
Skill focuses on:
- Auth service components only
- STRIDE for auth flows
- Auth-specific vulnerabilities
- Control validation for auth
Output: Targeted threat model and findings
Control Validation Only
User: "Validate security controls"
Skill runs:
- Control mapping
- Implementation verification
- Gap analysis
Output: Control assessment summary
Integration
This skill uses:
parallel-dispatch: Launch security agents concurrentlyproject-awareness: Get architecture and component infoartifact-metadata: Track assessment artifacts
Agent Orchestration
agents:
threat_modeling:
agent: security-architect
focus: STRIDE analysis, attack vectors, trust boundaries
vulnerability_scanning:
agent: security-auditor
focus: OWASP patterns, secrets, dependencies, configuration
control_validation:
agent: security-gatekeeper
focus: Control mapping, implementation, effectiveness
privacy_assessment:
agent: privacy-officer
focus: PII handling, consent, retention, transfers
condition: has_pii == true
Output Locations
- Assessment report:
.aiwg/security/assessment-{date}.md - Threat model:
.aiwg/security/threat-model.md - Control matrix:
.aiwg/security/control-matrix.md - Findings tracker:
.aiwg/security/findings/
References
- STRIDE methodology: Microsoft Threat Modeling
- OWASP Top 10: https://owasp.org/Top10/
- CVSS Calculator: https://www.first.org/cvss/calculator/3.1
- Security templates: templates/security/
Repository
jmagly
Author
jmagly/ai-writing-guide/.factory/skills/security-assessment
51
Stars
4
Forks
Updated5d ago
Added1w ago