opencode-skill/skills/security-auditor/SKILL.md

---
name: security-auditor
description: |
  Master security auditor combining vulnerability scanning, web security testing,
  DevSecOps, and compliance frameworks. Use when auditing security,
  performing vulnerability assessments, or testing for OWASP Top 10.
---

# Security Auditor

Comprehensive security skill combining: vulnerability scanning, web security testing, DevSecOps, OWASP Top 10, and compliance frameworks.

---

## Quick Reference

| Task | Use Section |
|------|-------------|
| Scan for vulnerabilities | **Vulnerability Scanning** |
| Test web application | **Web Security Testing** |
| Audit security controls | **Security Audit** |
| Check compliance | **Compliance Frameworks** |
| Review authentication | **Auth Security** |
| DevSecOps integration | **Security Automation** |

---

## Vulnerability Scanning

**Core Principles:**
| Principle | Application |
|-----------|-------------|
| **Assume Breach** | Design as if attacker already inside |
| **Zero Trust** | Never trust, always verify |
| **Defense in Depth** | Multiple layers, no single point |
| **Least Privilege** | Minimum required access only |
| **Fail Secure** | On error, deny access |

### OWASP Top 10 (2025)
1. **A01** - Broken Access Control
2. **A02** - Cryptographic Failures
3. **A03** - Injection
4. **A04** - Insecure Design
5. **A05** - Security Misconfiguration
6. **A06** - Vulnerable Components
7. **A07** - Auth Failures
8. **A08** - Data Integrity Failures
9. **A09** - Logging Failures
10. **A10** - SSRF

### Scanning Process
1. **Reconnaissance** - Map attack surface
2. **Enumeration** - Identify vulnerabilities
3. **Exploitation** - Verify findings
4. **Documentation** - Report findings
5. **Remediation** - Suggest fixes

---

## Web Security Testing

### OWASP Top 10 Testing Checklist

#### A01 - Broken Access Control
- [ ] Horizontal/vertical privilege escalation
- [ ] IDOR (Insecure Direct Object Reference)
- [ ] CORS misconfiguration
- [ ] JWT token manipulation
- [ ] Missing function-level access control

#### A02 - Cryptographic Failures
- [ ] Sensitive data exposure (PII, credentials)
- [ ] Weak encryption algorithms
- [ ] Default/hardcoded credentials
- [ ] Insufficient key rotation
- [ ] Client-side encryption only

#### A03 - Injection
- [ ] SQL injection (error-based, blind, time-based)
- [ ] NoSQL injection
- [ ] Command injection
- [ ] LDAP injection
- [ ] XPath injection
- [ ] ORM injection

#### A04 - Insecure Design
- [ ] Business logic flaws
- [ ] Rate limiting bypass
- [ ] Workflow bypasses
- [ ] Race conditions
- [ ] Mass assignment

#### A05 - Security Misconfiguration
- [ ] Default credentials
- [ ] Unnecessary features enabled
- [ ] Error handling (stack traces)
- [ ] Cloud misconfigurations
- [ ] Missing security headers

#### A06 - Vulnerable Components
- [ ] Outdated dependencies
- [ ] Unpatched vulnerabilities
- [ ] License compliance
- [ ] Component integrity

#### A07 - Auth Failures
- [ ] Weak password policies
- [ ] Credential stuffing
- [ ] Session fixation/hijacking
- [ ] Missing MFA
- [ ] Password reset flaws

#### A08 - Data Integrity Failures
- [ ] SSRF (Server-Side Request Forgery)
- [ ] XXE (XML External Entities)
- [ ] Deserialization attacks
- [ ] Supply chain attacks

#### A09 - Logging Failures
- [ ] Insufficient logging
- [ ] Missing alerts
- [ ] Undetected breaches
- [ ] Audit trail gaps

#### A10 - SSRF
- [ ] URL validation bypass
- [ ] Cloud metadata access
- [ ] Internal port scanning

---

## Security Audit

### Audit Checklist
1. **Scope Definition** - Assets, systems, boundaries
2. **Threat Modeling** - Attack vectors, likelihood, impact
3. **Control Review** - Technical and administrative controls
4. **Vulnerability Assessment** - Automated + manual testing
5. **Risk Prioritization** - CVSS scoring, business impact
6. **Remediation Planning** - Short-term and long-term fixes
7. **Report Generation** - Executive summary, technical details

### Security Headers Checklist
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
```

---

## DevSecOps & Security Automation

### CI/CD Security Pipeline
1. **SAST** - Static Application Security Testing
2. **DAST** - Dynamic Application Security Testing
3. **SCA** - Software Composition Analysis
4. **Secrets Scanning** - Detect credentials in code
5. **Container Scanning** - Image vulnerability scanning
6. **Infrastructure Scanning** - Cloud configuration

### Tools
- **SAST:** SonarQube, Semgrep, Bandit
- **DAST:** OWASP ZAP, Burp Suite, Nuclei
- **SCA:** Snyk, Dependabot, Renovate
- **Secrets:** GitLeaks, TruffleHog
- **Containers:** Trivy, Clair, Anchore

---

## Authentication & Authorization Security

### Auth Patterns to Audit
- [ ] Password hashing (bcrypt, Argon2)
- [ ] MFA implementation
- [ ] Session management
- [ ] Token handling (JWT, OAuth)
- [ ] Password reset flows
- [ ] Account lockout policies

### OAuth 2.0 Security
- [ ] Authorization code flow (not implicit)
- [ ] PKCE for public clients
- [ ] State parameter validation
- [ ] Redirect URI validation
- [ ] Token expiration and rotation
- [ ] Scope minimization

---

## Compliance Frameworks

| Framework | Focus |
|-----------|-------|
| **SOC 2** | Security, Availability, Confidentiality |
| **ISO 27001** | Information Security |
| **GDPR** | EU Data Protection |
| **HIPAA** | Healthcare Data |
| **PCI DSS** | Payment Card Data |
| **NIST** | Cybersecurity Framework |

---

## Remediation Priorities

### Critical (P0)
- RCE, SQL injection, authentication bypass
- **Fix within 24-48 hours**

### High (P1)
- XSS, CSRF, IDOR
- **Fix within 1-2 weeks**

### Medium (P2)
- Security misconfiguration, weak crypto
- **Fix within 1 month**

### Low (P3)
- Missing headers, info disclosure
- **Fix within 3 months**

---

## Best Practices

1. **Shift Left** - Security testing early in SDLC
2. **Defense in Depth** - Multiple security layers
3. **Zero Trust** - Never trust, always verify
4. **Least Privilege** - Minimum required permissions
5. **Secure Defaults** - Safe out-of-the-box
6. **Fail Securely** - Errors should deny access
7. **Defense in Depth** - No single control is enough