kunthawat/opencode-skill
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity
Files
8a0edd225d9e2d102b9f4114cac9e2a889102367
opencode-skill/skills/security-auditor/SKILL.md
Kunthawat Greethong 7edf5bc4d0 feat: Import 35+ skills, merge duplicates, add openclaw installer 
Major updates:
- Added 35+ new skills from awesome-opencode-skills and antigravity repos
- Merged SEO skills into seo-master
- Merged architecture skills into architecture
- Merged security skills into security-auditor and security-coder
- Merged testing skills into testing-master and testing-patterns
- Merged pentesting skills into pentesting
- Renamed website-creator to thai-frontend-dev
- Replaced skill-creator with github version
- Removed Chutes references (use MiniMax API instead)
- Added install-openclaw-skills.sh for cross-platform installation
- Updated .env.example with MiniMax API credentials
2026-03-26 11:37:39 +07:00

237 lines
6.2 KiB
Markdown
Raw Blame History

---
name: security-auditor
description: |
Master security auditor combining vulnerability scanning, web security testing,
DevSecOps, and compliance frameworks. Use when auditing security,
performing vulnerability assessments, or testing for OWASP Top 10.
---
# Security Auditor
Comprehensive security skill combining: vulnerability scanning, web security testing, DevSecOps, OWASP Top 10, and compliance frameworks.
---
## Quick Reference
| Task | Use Section |
|------|-------------|
| Scan for vulnerabilities | **Vulnerability Scanning** |
| Test web application | **Web Security Testing** |
| Audit security controls | **Security Audit** |
| Check compliance | **Compliance Frameworks** |
| Review authentication | **Auth Security** |
| DevSecOps integration | **Security Automation** |
---
## Vulnerability Scanning
**Core Principles:**
| Principle | Application |
|-----------|-------------|
| **Assume Breach** | Design as if attacker already inside |
| **Zero Trust** | Never trust, always verify |
| **Defense in Depth** | Multiple layers, no single point |
| **Least Privilege** | Minimum required access only |
| **Fail Secure** | On error, deny access |
### OWASP Top 10 (2025)
1. **A01** - Broken Access Control
2. **A02** - Cryptographic Failures
3. **A03** - Injection
4. **A04** - Insecure Design
5. **A05** - Security Misconfiguration
6. **A06** - Vulnerable Components
7. **A07** - Auth Failures
8. **A08** - Data Integrity Failures
9. **A09** - Logging Failures
10. **A10** - SSRF
### Scanning Process
1. **Reconnaissance** - Map attack surface
2. **Enumeration** - Identify vulnerabilities
3. **Exploitation** - Verify findings
4. **Documentation** - Report findings
5. **Remediation** - Suggest fixes
---
## Web Security Testing
### OWASP Top 10 Testing Checklist
#### A01 - Broken Access Control
- [ ] Horizontal/vertical privilege escalation
- [ ] IDOR (Insecure Direct Object Reference)
- [ ] CORS misconfiguration
- [ ] JWT token manipulation
- [ ] Missing function-level access control
#### A02 - Cryptographic Failures
- [ ] Sensitive data exposure (PII, credentials)
- [ ] Weak encryption algorithms
- [ ] Default/hardcoded credentials
- [ ] Insufficient key rotation
- [ ] Client-side encryption only
#### A03 - Injection
- [ ] SQL injection (error-based, blind, time-based)
- [ ] NoSQL injection
- [ ] Command injection
- [ ] LDAP injection
- [ ] XPath injection
- [ ] ORM injection
#### A04 - Insecure Design
- [ ] Business logic flaws
- [ ] Rate limiting bypass
- [ ] Workflow bypasses
- [ ] Race conditions
- [ ] Mass assignment
#### A05 - Security Misconfiguration
- [ ] Default credentials
- [ ] Unnecessary features enabled
- [ ] Error handling (stack traces)
- [ ] Cloud misconfigurations
- [ ] Missing security headers
#### A06 - Vulnerable Components
- [ ] Outdated dependencies
- [ ] Unpatched vulnerabilities
- [ ] License compliance
- [ ] Component integrity
#### A07 - Auth Failures
- [ ] Weak password policies
- [ ] Credential stuffing
- [ ] Session fixation/hijacking
- [ ] Missing MFA
- [ ] Password reset flaws
#### A08 - Data Integrity Failures
- [ ] SSRF (Server-Side Request Forgery)
- [ ] XXE (XML External Entities)
- [ ] Deserialization attacks
- [ ] Supply chain attacks
#### A09 - Logging Failures
- [ ] Insufficient logging
- [ ] Missing alerts
- [ ] Undetected breaches
- [ ] Audit trail gaps
#### A10 - SSRF
- [ ] URL validation bypass
- [ ] Cloud metadata access
- [ ] Internal port scanning
---
## Security Audit
### Audit Checklist
1. **Scope Definition** - Assets, systems, boundaries
2. **Threat Modeling** - Attack vectors, likelihood, impact
3. **Control Review** - Technical and administrative controls
4. **Vulnerability Assessment** - Automated + manual testing
5. **Risk Prioritization** - CVSS scoring, business impact
6. **Remediation Planning** - Short-term and long-term fixes
7. **Report Generation** - Executive summary, technical details
### Security Headers Checklist
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
```
---
## DevSecOps & Security Automation
### CI/CD Security Pipeline
1. **SAST** - Static Application Security Testing
2. **DAST** - Dynamic Application Security Testing
3. **SCA** - Software Composition Analysis
4. **Secrets Scanning** - Detect credentials in code
5. **Container Scanning** - Image vulnerability scanning
6. **Infrastructure Scanning** - Cloud configuration
### Tools
- **SAST:** SonarQube, Semgrep, Bandit
- **DAST:** OWASP ZAP, Burp Suite, Nuclei
- **SCA:** Snyk, Dependabot, Renovate
- **Secrets:** GitLeaks, TruffleHog
- **Containers:** Trivy, Clair, Anchore
---
## Authentication & Authorization Security
### Auth Patterns to Audit
- [ ] Password hashing (bcrypt, Argon2)
- [ ] MFA implementation
- [ ] Session management
- [ ] Token handling (JWT, OAuth)
- [ ] Password reset flows
- [ ] Account lockout policies
### OAuth 2.0 Security
- [ ] Authorization code flow (not implicit)
- [ ] PKCE for public clients
- [ ] State parameter validation
- [ ] Redirect URI validation
- [ ] Token expiration and rotation
- [ ] Scope minimization
---
## Compliance Frameworks
| Framework | Focus |
|-----------|-------|
| **SOC 2** | Security, Availability, Confidentiality |
| **ISO 27001** | Information Security |
| **GDPR** | EU Data Protection |
| **HIPAA** | Healthcare Data |
| **PCI DSS** | Payment Card Data |
| **NIST** | Cybersecurity Framework |
---
## Remediation Priorities
### Critical (P0)
- RCE, SQL injection, authentication bypass
- **Fix within 24-48 hours**
### High (P1)
- XSS, CSRF, IDOR
- **Fix within 1-2 weeks**
### Medium (P2)
- Security misconfiguration, weak crypto
- **Fix within 1 month**
### Low (P3)
- Missing headers, info disclosure
- **Fix within 3 months**
---
## Best Practices
1. **Shift Left** - Security testing early in SDLC
2. **Defense in Depth** - Multiple security layers
3. **Zero Trust** - Never trust, always verify
4. **Least Privilege** - Minimum required permissions
5. **Secure Defaults** - Safe out-of-the-box
6. **Fail Securely** - Errors should deny access
7. **Defense in Depth** - No single control is enough
Reference in New Issue View Git Blame Copy Permalink