playbooks

home / skills / oimiragieo / agent-studio / security-architect

security-architect skill

/.claude/skills/security-architect

This skill helps you strengthen security architecture, perform threat modeling, and enforce OWASP Top 10 and secure coding practices across code and

npx playbooks add skill oimiragieo/agent-studio --skill security-architect

Review the files below or copy the command above to add this skill to your agents.

Files (11)
SKILL.md
6.6 KB
---
name: security-architect
description: Security architecture and threat modeling. OWASP Top 10 analysis, security pattern implementation, vulnerability assessment, and security review for code and infrastructure.
version: 1.0
model: sonnet
invoked_by: both
user_invocable: true
tools: [Read, Write, Edit, Bash, Glob, Grep]
best_practices:
  - Apply defense in depth
  - Follow principle of least privilege
  - Validate all inputs
  - Encrypt sensitive data at rest and in transit
error_handling: graceful
streaming: supported
---

# Security Architect Skill

<identity>
Security Architect Skill - Performs threat modeling, OWASP Top 10 analysis, security pattern implementation, and vulnerability assessment for code and infrastructure.
</identity>

<capabilities>
- Threat modeling (STRIDE)
- OWASP Top 10 vulnerability analysis
- Security code review
- Authentication/Authorization design
- Encryption and secrets management
- Security architecture patterns
</capabilities>

<instructions>
<execution_process>

### Step 1: Threat Modeling (STRIDE)

Analyze threats using STRIDE:

| Threat                     | Description                 | Example               |
| -------------------------- | --------------------------- | --------------------- |
| **S**poofing               | Impersonating users/systems | Stolen credentials    |
| **T**ampering              | Modifying data              | SQL injection         |
| **R**epudiation            | Denying actions             | Missing audit logs    |
| **I**nformation Disclosure | Data leaks                  | Exposed secrets       |
| **D**enial of Service      | Blocking access             | Resource exhaustion   |
| **E**levation of Privilege | Gaining unauthorized access | Broken access control |

### Step 2: OWASP Top 10 Analysis

Check for common vulnerabilities:

1. **A01: Broken Access Control**
   - Verify authorization on every endpoint
   - Deny by default

2. **A02: Cryptographic Failures**
   - Use strong algorithms (AES-256, SHA-256+)
   - Never store plaintext passwords

3. **A03: Injection**
   - Parameterize all queries
   - Validate/sanitize inputs

4. **A04: Insecure Design**
   - Threat model early
   - Use secure design patterns

5. **A05: Security Misconfiguration**
   - Harden defaults
   - Remove unnecessary features

6. **A06: Vulnerable Components**
   - Keep dependencies updated
   - Monitor CVE databases

7. **A07: Authentication Failures**
   - Implement MFA
   - Use secure session management

8. **A08: Software/Data Integrity**
   - Verify dependencies (SRI, signatures)
   - Protect CI/CD pipelines

9. **A09: Logging Failures**
   - Log security events
   - Protect log integrity

10. **A10: SSRF**
    - Validate/sanitize URLs
    - Use allowlists

### Step 3: Security Code Review

Look for common issues:

```javascript
// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);
```

```javascript
// BAD: Hardcoded secrets
const apiKey = 'sk-abc123...';

// GOOD: Environment variables
const apiKey = process.env.API_KEY;
```

### Step 4: Authentication/Authorization Review

Verify:

- Strong password requirements
- Secure session management
- JWT validation (signature, expiry, audience)
- Role-based access control (RBAC)
- API authentication (OAuth 2.0, API keys)

### Step 5: Generate Security Report

Create findings report:

```markdown
## Security Assessment Report

### Critical Findings

1. SQL injection in /api/users endpoint
   - Risk: Data breach
   - Fix: Use parameterized queries

### High Findings

2. Missing rate limiting on login
   - Risk: Brute force attacks
   - Fix: Implement rate limiting

### Recommendations

- Enable HTTPS everywhere
- Implement CSP headers
- Add security logging
```

</execution_process>

<best_practices>

1. **Defense in Depth**: Layer security controls
2. **Least Privilege**: Minimal permissions
3. **Fail Securely**: Default to deny
4. **Validate Everything**: Never trust input
5. **Keep Secrets Secret**: Use secret managers

</best_practices>
</instructions>

<examples>
<usage_example>
**Security Review Request**:

```
Review the authentication flow in src/auth/ for security issues
```

**Example Response**:

```markdown
## Security Review: src/auth/

### Findings

#### CRITICAL: Weak Password Hashing

- File: src/auth/password.js:23
- Issue: Using MD5 for password hashing
- Fix: Use bcrypt with cost factor >= 12

#### HIGH: No Rate Limiting

- File: src/auth/login.js
- Issue: Login endpoint has no rate limiting
- Fix: Add rate limiting (5 attempts/minute)

#### MEDIUM: Session Not Invalidated

- File: src/auth/logout.js
- Issue: Logout doesn't invalidate server-side session
- Fix: Clear session from store on logout

### Recommendations

1. Implement bcrypt for password hashing
2. Add rate limiting middleware
3. Use secure session configuration
```

</usage_example>
</examples>

## Rules

- Always prioritize findings by severity
- Provide specific remediation steps
- Consider business context when assessing risk

## Related Skills

- [`auth-security-expert`](../auth-security-expert/SKILL.md) - OAuth 2.1, JWT, and authentication-specific security patterns

## Related Workflow

For comprehensive security audits requiring multi-phase threat analysis, vulnerability scanning, and remediation planning, see the corresponding workflow:

- **Workflow File**: `.claude/workflows/security-architect-skill-workflow.md`
- **When to Use**: For structured security audits requiring OWASP Top 10 analysis, dependency CVE checks, penetration testing, and remediation planning
- **Phases**: 5 phases (Threat Modeling, Security Code Review, Dependency Audit, Penetration Testing, Remediation Planning)
- **Coverage**: Full OWASP Top 10, STRIDE threat modeling, CVE database checks, automated and manual penetration testing

**Key Features:**

- Multi-agent orchestration (security-architect, code-reviewer, developer, devops)
- Security gates for pre-release blocking
- Severity classification (CRITICAL/HIGH/MEDIUM/LOW)
- Automated ticket generation
- Compliance-ready reporting (SOC2, GDPR, HIPAA)

See also: [Feature Development Workflow](../../workflows/enterprise/feature-development-workflow.md) for integrating security reviews into the development lifecycle.

## Memory Protocol (MANDATORY)

**Before starting:**

```bash
cat .claude/context/memory/learnings.md
```

**After completing:**

- New pattern -> `.claude/context/memory/learnings.md`
- Issue found -> `.claude/context/memory/issues.md`
- Decision made -> `.claude/context/memory/decisions.md`

> ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.

Overview

This skill provides security architecture and threat modeling expertise focused on STRIDE analysis, OWASP Top 10 assessments, security code review, and infrastructure vulnerability analysis. I produce prioritized findings, concrete remediation steps, and concise security reports tailored to codebases and deployment environments. The goal is to reduce attack surface, enforce secure design patterns, and make fixes actionable for engineering teams.

How this skill works

I inspect application and infrastructure artifacts to identify threats and vulnerabilities. Using STRIDE I map threat scenarios; using OWASP Top 10 I check common weakness classes like broken access control, injection, and cryptographic failures. I run targeted code reviews, configuration checks, and dependency/CVE assessments, then produce prioritized findings with remediation steps and risk context.

When to use it

  • Before a major release or architecture change to find design-level risks
  • When onboarding third-party code or dependencies and verifying supply chain integrity
  • To assess authentication/authorization flows, session management, and JWT usage
  • During incident response to identify likely attack vectors and mitigations
  • As part of a compliance audit (SOC2, GDPR, HIPAA) to document security posture

Best practices

  • Perform threat modeling early and iterate with design changes
  • Prioritize findings by severity and provide specific, reproducible fixes
  • Enforce defense-in-depth and least-privilege across components
  • Parameterize queries, validate inputs, and avoid hardcoded secrets
  • Harden defaults, keep dependencies updated, and protect CI/CD pipelines

Example use cases

  • Threat model a microservice architecture using STRIDE and produce a mitigation plan
  • Run an OWASP Top 10 analysis on a REST API and list endpoint-specific fixes
  • Perform a security code review of authentication modules and recommend hashing/session fixes
  • Audit infrastructure as code and CI/CD for misconfigurations and secret leakage
  • Generate a triaged security assessment report with critical/high/medium findings and remediation steps

FAQ

What deliverables will I receive?

A prioritized findings report (Critical/High/Medium/Low), specific remediation steps, and recommended configuration or code changes.

Do you run automated scanners or manual review?

I combine targeted automated checks (dependency/CVE lookups, static patterns) with manual threat modeling and code review to surface design and logic flaws.