playbooks

home / skills / 89jobrien / steve / security-audit

security-audit skill

/steve/skills/security-audit

This skill guides secure code reviews and vulnerability assessments, delivering actionable OWASP mappings, remediation roadmaps, and evidence for robust

npx playbooks add skill 89jobrien/steve --skill security-audit

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
1.5 KB
---
name: security-audit
description: Security auditing and vulnerability assessment specialist. Use when conducting
  security reviews, analyzing code for vulnerabilities, performing OWASP assessments,
  or creating security audit reports.
author: Joseph OBrien
status: unpublished
updated: '2025-12-23'
version: 1.0.1
tag: skill
type: skill
---

# Security Audit Skill

Comprehensive security auditing covering code review, vulnerability assessment, OWASP Top 10, dependency analysis, and remediation planning.

## What This Skill Does

- Conducts security code reviews
- Identifies vulnerabilities (CVSS scoring)
- Performs OWASP Top 10 assessments
- Audits authentication/authorization
- Reviews data protection controls
- Analyzes dependency vulnerabilities
- Creates remediation roadmaps

## When to Use

- Security reviews before release
- Compliance audits
- Penetration test preparation
- Incident response analysis
- Dependency vulnerability assessment

## Reference Files

- `references/SECURITY_AUDIT.template.md` - Comprehensive security audit report format
- `references/owasp_checklist.md` - OWASP Top 10 checklist with CVSS scoring and CWE references

## Workflow

1. Define scope and methodology
2. Perform static/dynamic analysis
3. Document findings by severity
4. Map to OWASP categories
5. Create remediation roadmap
6. Verify fixes

## Output Format

Security findings should include:

- Severity (Critical/High/Medium/Low)
- CVSS score and vector
- CWE classification
- Proof of concept
- Remediation steps

Overview

This skill is a security auditing and vulnerability assessment specialist built to analyze code, dependencies, and application behavior. It produces structured findings mapped to OWASP Top 10, assigns CVSS scores, and delivers practical remediation roadmaps. Use it to harden applications before release, support incident response, or prepare for compliance checks.

How this skill works

The skill inspects source code, configuration, and third-party dependencies using static and dynamic analysis techniques. It classifies findings by severity, assigns CVSS scores and CWE identifiers, and maps issues to OWASP categories. Outputs include proof-of-concept details and step-by-step remediation guidance, plus verification steps for fixes.

When to use it

  • Pre-release security reviews and signoffs
  • Compliance audits and regulator preparation
  • Penetration test scoping and validation
  • Incident response and post-incident analysis
  • Dependency vulnerability and supply-chain checks

Best practices

  • Define a clear scope and methodology before starting the audit
  • Combine static analysis, dynamic testing, and manual code review for best coverage
  • Prioritize findings by business impact and CVSS severity for remediation planning
  • Provide reproducible proof-of-concept examples for each finding
  • Include verification steps in every remediation item to confirm fixes

Example use cases

  • Run an OWASP Top 10 assessment against a web application to identify injection and auth flaws
  • Analyze third-party dependencies to produce a prioritized patch plan for vulnerable libraries
  • Perform an authentication and authorization audit to detect privilege escalation paths
  • Generate a compliance-friendly security audit report with CVSS, CWE, and remediation roadmap
  • Support incident response by quickly triaging exposed code and recommending containment steps

FAQ

What output formats are produced?

Findings are delivered as structured audit reports that include severity, CVSS score and vector, CWE, proof-of-concept, and remediation steps.

How are vulnerabilities prioritized?

Vulnerabilities are prioritized using CVSS scoring, business impact, and mapping to OWASP categories to create a practical remediation roadmap.