
security-standards skill

/skills/common/security-standards

This skill helps you implement universal security standards across your codebase, guiding safe practices, data protection, and secure development workflows.

npx playbooks add skill hoangnguyen0403/agent-skills-standard --skill security-standards

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: Security Standards
description: Universal security protocols for building safe and resilient software.
metadata:
  labels: [security, encryption, authentication, authorization]
  triggers:
    keywords: [security, encrypt, authenticate, authorize]
---

# Security Standards - High-Density Standards

Universal security protocols for building safe and resilient software.

## **Priority: P0 (CRITICAL)**

## 🛡 Data Safeguarding

- **Zero Trust**: Never trust external input. Sanitize and validate every data boundary (API, UI, CSV).
- **Least Privilege**: Grant minimum necessary permissions to users, services, and containers.
- **No Hardcoded Secrets**: Use environment variables or secret managers. Never commit keys or passwords.
- **Encryption**: Use modern, widely vetted algorithms (AES-256 for data-at-rest; TLS 1.3 for data-in-transit).
- **PII Logging**: Never log PII (email, phone, names). Mask sensitive fields before logging.
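
One way to apply the PII Logging rule at the logging layer, so masking does not depend on each call site remembering it. This is an added example, not part of the skill's own files; the regular expressions, the `SENSITIVE_KEYS` field names and the `context` extra field are assumptions to adapt.

```python
import logging
import re

# Constructed patterns for the PII classes named above. They deliberately
# over-match (a long order number also looks like a phone number): masking
# too much costs a log detail, masking too little leaks personal data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")
SENSITIVE_KEYS = {"email", "phone", "name", "password", "token"}  # assumed field names


def mask_text(text):
    """Mask e-mail addresses and phone numbers embedded in free text."""
    return PHONE_RE.sub("[PHONE]", EMAIL_RE.sub("[EMAIL]", text))


def mask_value(key, value):
    """Recursively mask a structured log field (dicts, lists, strings)."""
    if str(key).lower() in SENSITIVE_KEYS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: mask_value(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_value(key, v) for v in value]
    if isinstance(value, str):
        return mask_text(value)
    return value


class PiiMaskingFilter(logging.Filter):
    """Masks a record before the handler it is attached to formats it."""

    def filter(self, record):
        # Render first so PII passed through %-style args is masked as well.
        record.msg = mask_text(record.getMessage())
        record.args = None
        if hasattr(record, "context"):  # hypothetical `extra={"context": {...}}` field
            record.context = mask_value("context", record.context)
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PiiMaskingFilter())  # on the handler, so it covers all loggers
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.getLogger("auth").info("login ok for %s from %s",
                                   "alice@example.com", "+1 415 555 0100")
```

Attach the filter to handlers rather than to individual loggers: logger-level filters are not applied to records propagated from child loggers.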

## 🧱 Secure Coding Practices

- **Injection Prevention**: Use parameterized queries or ORMs to stop SQL, Command, and XSS injections.
- **Dependency Management**: Regularly scan (`audit`) and update third-party libraries to patch CVEs.
- **Secure Auth**: Implement Multi-Factor Authentication (MFA) and secure session management.
- **Error Privacy**: Never leak stack traces or internal implementation details to the end-user.
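
The Injection Prevention rule shown as the string-concatenation anti-pattern beside its parameterized form, plus the case placeholders do not cover (a column name in `ORDER BY`). This is an added example, not code from the skill; the `users` table, its rows, the function names and the `CRAFTED` input are constructed for illustration.

```python
import sqlite3

ALLOWED_SORT = {"username", "role"}  # identifiers cannot be bound, so allow-list them


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_concat(db, username):
    # Anti-pattern: the input becomes part of the SQL text and can rewrite the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def find_user_param(db, username):
    # Hardened: the statement is fixed; the value is bound separately and stays data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def list_users(db, sort_by):
    # Placeholders only bind values. A column name has to be checked against a
    # fixed set before it is placed in the statement.
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return db.execute(f"SELECT username, role FROM users ORDER BY {sort_by}").fetchall()


CRAFTED = "nobody' OR '1'='1"  # constructed input containing SQL syntax

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_user_concat(db, CRAFTED))   # every row comes back
    print("parameterized:", find_user_param(db, CRAFTED))   # no user has that name
```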

## 🔍 Continuous Security

- **Shift Left**: Integrate security scanners (SAST/DAST) early in the CI/CD pipeline.
- **Data Minimization**: Collect and store only the absolute minimum data required for the business logic.
- **Logging**: Maintain audit logs for sensitive operations (Auth, Deletion, Admin changes).

## 🚫 Anti-Patterns

- **Hardcoded Secrets**: No secrets in Git. Use secret managers or env variables.
- **Raw SQL**: No string concatenation. Use parameterized queries or ORMs.
- **Leaking Context**: No stack traces in prod. Return generic error codes to clients.
- **Insecure Defaults**: No default passwords. Force rotation and strong entropy.

## 📚 References

- [Injection Testing Protocols (SQLi/HTMLi)](references/INJECTION_TESTING.md)
- [Vulnerability Remediation & Secure Patterns](references/VULNERABILITY_REMEDIATION.md)

Overview

This skill defines universal security protocols and high-density standards for building safe, resilient software across languages and frameworks. It codifies critical controls like zero trust, least privilege, secret management, encryption, and secure coding patterns to reduce risk and improve incident prevention. The guidance is framework-agnostic and intended to be embedded into CI/CD, code reviews, and runtime controls.

How this skill works

The skill inspects design and implementation choices against a prioritized checklist: data safeguarding, secure coding, continuous security, and known anti-patterns. It prescribes concrete controls (parameterized queries, secret managers, TLS 1.3, AES-256, MFA) and recommends integrating SAST/DAST and dependency audits into pipelines. Outputs include recommended fixes, required configuration changes, and items to escalate as P0 issues.

When to use it

  • During design reviews to enforce zero-trust and least-privilege models
  • Integrating security checks into CI/CD (shift-left SAST/DAST and dependency audits)
  • Onboarding new services or microservices to ensure no hardcoded secrets or insecure defaults
  • Preparing applications for production hardening and compliance audits
  • Responding to dependency CVEs or incident-driven remediation planning

Best practices

  • Sanitize and validate every external boundary; treat all input as untrusted
  • Never commit secrets; use environment variables or a managed secret store
  • Use parameterized queries or ORM abstractions to prevent SQL and command injection
  • Encrypt data in transit (TLS 1.3+) and at rest with strong algorithms (AES-256 where applicable)
  • Enable MFA and secure session management; log only masked, non-PII audit records
  • Automate dependency scanning and fail builds on high/critical CVEs

Example use cases

  • Scan a web service to flag hardcoded API keys, unsafe SQL concatenation, and excessive permissions
  • Validate mobile app builds (iOS/Android/React Native/Flutter) for embedded secrets and insecure storage
  • Enforce server-side logging rules to redact PII and prevent stack-trace leakage in production
  • Add SAST/DAST gates to a CI pipeline for Next.js, Spring Boot, NestJS, or Laravel projects
  • Remediate a vulnerability by recommending dependency updates, config changes, and compensating controls

FAQ

What counts as a P0 issue?

P0 issues are critical risks that can lead to immediate compromise or data exposure, such as exposed secrets in source control, unauthenticated admin endpoints, or high-severity CVEs in production dependencies.

How should secrets be stored instead of hardcoding?

Use managed secret stores or environment variables injected at runtime. Prefer cloud secret managers or vaults with RBAC and audit logging; rotate keys regularly.

Which encryption standards should I follow?

Use TLS 1.3 for data in transit and modern, widely vetted algorithms for data at rest (e.g., AES-256). Avoid deprecated ciphers and enable strong key management.