playbooks

home / skills / pluginagentmarketplace / custom-plugin-qa / security

security skill

/skills/security

This skill provides enterprise-grade security testing guidance across OWASP Top 10, vulnerability scanning, and remediation steps to strengthen software

npx playbooks add skill pluginagentmarketplace/custom-plugin-qa --skill security

Review the files below or copy the command above to add this skill to your agents.

Files (4)
SKILL.md
10.5 KB
---
name: security
description: Production-grade security testing skill with OWASP Top 10, vulnerability scanning, penetration testing guidance, and compliance validation
sasmp_version: "1.3.0"
bonded_agent: qa-expert
bond_type: PRIMARY_BOND
version: "2.1.0"
---

# Security Testing Skill

## Overview

Enterprise-grade security testing capabilities covering OWASP Top 10, vulnerability assessment, and compliance validation with actionable remediation guidance.

## Input Schema

```json
{
  "type": "object",
  "properties": {
    "action": {
      "type": "string",
      "enum": ["scan", "analyze", "remediate", "compliance_check", "generate_report"],
      "description": "Security action to perform"
    },
    "scan_type": {
      "type": "string",
      "enum": ["owasp_top10", "dependency", "sast", "dast", "secrets", "configuration"],
      "description": "Type of security scan"
    },
    "target": {
      "type": "object",
      "properties": {
        "url": {"type": "string", "format": "uri"},
        "repository": {"type": "string"},
        "file_path": {"type": "string"},
        "docker_image": {"type": "string"}
      }
    },
    "compliance": {
      "type": "string",
      "enum": ["owasp", "pci_dss", "hipaa", "gdpr", "soc2", "iso27001"]
    },
    "severity_filter": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low", "all"],
      "default": "all"
    }
  },
  "required": ["action"]
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "status": {"type": "string", "enum": ["success", "partial", "failed"]},
    "vulnerabilities": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {"type": "string"},
          "severity": {"type": "string"},
          "category": {"type": "string"},
          "description": {"type": "string"},
          "location": {"type": "string"},
          "remediation": {"type": "string"},
          "references": {"type": "array", "items": {"type": "string"}}
        }
      }
    },
    "summary": {
      "type": "object",
      "properties": {
        "critical": {"type": "integer"},
        "high": {"type": "integer"},
        "medium": {"type": "integer"},
        "low": {"type": "integer"},
        "total": {"type": "integer"}
      }
    },
    "compliance_status": {"type": "string", "enum": ["pass", "fail", "partial"]},
    "recommendations": {"type": "array", "items": {"type": "string"}}
  }
}
```

## Parameter Validation

```yaml
target.url:
  required: false
  validate:
    - type: format
      pattern: "^https?://"
    - type: authorization_check
      require: explicit_consent

scan_type:
  required: false
  default: owasp_top10
  validate:
    - type: enum
      values: [owasp_top10, dependency, sast, dast, secrets, configuration]
    - type: tool_availability_check

compliance:
  required: false
  validate:
    - type: enum
      values: [owasp, pci_dss, hipaa, gdpr, soc2, iso27001]
```

## Error Handling

```yaml
retry_config:
  strategy: exponential_backoff
  max_retries: 3
  base_delay_ms: 2000
  max_delay_ms: 30000
  retryable_errors:
    - SCAN_TIMEOUT
    - TARGET_TEMPORARILY_UNAVAILABLE
    - RATE_LIMITED

error_categories:
  authorization_errors:
    - NO_CONSENT
    - SCOPE_EXCEEDED
    - UNAUTHORIZED_TARGET
    recovery: require_explicit_authorization

  scan_errors:
    - SCAN_TIMEOUT
    - PARTIAL_SCAN
    - TOOL_UNAVAILABLE
    recovery: retry_or_fallback_tool

  target_errors:
    - TARGET_UNREACHABLE
    - INVALID_TARGET
    - WAF_BLOCKED
    recovery: verify_target_access

  compliance_errors:
    - UNKNOWN_STANDARD
    - MISSING_CONTROLS
    - INCOMPLETE_ASSESSMENT
    recovery: manual_review_required
```

## OWASP Top 10 (2021) Coverage

### A01: Broken Access Control
```yaml
tests:
  - Horizontal privilege escalation
  - Vertical privilege escalation
  - Insecure direct object references
  - Missing function level access control
  - CORS misconfiguration

detection_methods:
  - Access matrix testing
  - Role-based testing
  - URL manipulation
  - API endpoint enumeration

remediation:
  - Implement proper authorization checks
  - Use deny-by-default
  - Enforce ownership validation
  - Log access control failures
```

### A02: Cryptographic Failures
```yaml
tests:
  - Weak encryption algorithms
  - Hardcoded secrets
  - Insufficient key length
  - Missing TLS
  - Improper certificate validation

detection_methods:
  - SSL/TLS analysis
  - Code review for crypto usage
  - Secret scanning
  - Traffic analysis

remediation:
  - Use modern encryption (AES-256, RSA-2048+)
  - Implement proper key management
  - Enforce TLS 1.2+
  - Rotate secrets regularly
```

### A03: Injection
```yaml
tests:
  - SQL injection
  - NoSQL injection
  - OS command injection
  - LDAP injection
  - XPath injection

detection_methods:
  - Input fuzzing
  - SAST analysis
  - Parameterized query check
  - Error message analysis

remediation:
  - Use parameterized queries
  - Input validation/sanitization
  - Least privilege database accounts
  - WAF rules
```

### A04-A10 (Continued)
```yaml
A04_insecure_design:
  - Threat modeling
  - Security requirements review
  - Architecture analysis

A05_security_misconfiguration:
  - Default credentials check
  - Unnecessary features enabled
  - Missing security headers
  - Verbose error messages

A06_vulnerable_components:
  - Dependency scanning
  - CVE database check
  - License compliance

A07_authentication_failures:
  - Brute force testing
  - Session management
  - Password policy
  - MFA implementation

A08_integrity_failures:
  - CI/CD security
  - Unsigned updates
  - Deserialization issues

A09_logging_failures:
  - Log injection
  - Sensitive data in logs
  - Insufficient logging

A10_ssrf:
  - Internal network access
  - Cloud metadata access
  - URL validation bypass
```

## Security Test Templates

### SQL Injection Test
```python
# sql_injection_test.py
import requests
from typing import List, Dict

PAYLOADS = [
    "' OR '1'='1",
    "' OR '1'='1' --",
    "' UNION SELECT NULL--",
    "1; DROP TABLE users--",
    "' AND 1=1--",
    "' AND 1=2--",
]

def test_sql_injection(url: str, param: str) -> List[Dict]:
    findings = []

    for payload in PAYLOADS:
        try:
            response = requests.get(
                url,
                params={param: payload},
                timeout=10
            )

            # Check for SQL error indicators
            error_indicators = [
                "sql syntax",
                "mysql_fetch",
                "sqlite_",
                "ORA-",
                "PostgreSQL",
            ]

            for indicator in error_indicators:
                if indicator.lower() in response.text.lower():
                    findings.append({
                        "vulnerability": "SQL Injection",
                        "severity": "CRITICAL",
                        "payload": payload,
                        "indicator": indicator,
                        "url": url,
                        "parameter": param
                    })
                    break

        except requests.exceptions.RequestException as e:
            continue

    return findings
```

### XSS Test
```javascript
// xss_test.js
const XSS_PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  'javascript:alert(1)',
  '"><script>alert(1)</script>',
];

async function testXSS(url, param) {
  const findings = [];

  for (const payload of XSS_PAYLOADS) {
    const testUrl = `${url}?${param}=${encodeURIComponent(payload)}`;

    const response = await fetch(testUrl);
    const body = await response.text();

    // Check if payload is reflected without encoding
    if (body.includes(payload)) {
      findings.push({
        vulnerability: 'Reflected XSS',
        severity: 'HIGH',
        payload,
        url,
        parameter: param
      });
    }
  }

  return findings;
}
```

## Troubleshooting

### Issue: False Positives
```yaml
symptoms:
  - High volume of low-quality findings
  - Legitimate features flagged
  - WAF rules triggered

diagnosis:
  1. Review scan configuration
  2. Analyze finding context
  3. Compare with manual testing
  4. Check scan scope

solutions:
  - Tune scan sensitivity
  - Add false positive exclusions
  - Use authenticated scanning
  - Combine with manual review
```

### Issue: Incomplete Coverage
```yaml
symptoms:
  - Known vulnerabilities missed
  - Low finding count
  - Scan completed too quickly

diagnosis:
  1. Check scan depth configuration
  2. Review authentication state
  3. Analyze crawl coverage
  4. Check for scan blocks

solutions:
  - Increase scan depth
  - Provide valid credentials
  - Whitelist scanner IP
  - Use multiple scan tools
```

### Issue: Scan Blocked
```yaml
symptoms:
  - Connection refused
  - Rate limited
  - WAF blocks

diagnosis:
  1. Check firewall rules
  2. Review rate limiting
  3. Analyze WAF logs
  4. Verify authorization

solutions:
  - Whitelist scanner IP
  - Reduce scan intensity
  - Configure WAF bypass
  - Use internal scanning
```

## Compliance Mapping

```yaml
pci_dss:
  requirement_6_5: OWASP_Top_10
  requirement_6_6: WAF_or_code_review
  requirement_11_3: Penetration_testing

gdpr:
  article_32: Security_measures
  article_35: Impact_assessment

soc2:
  cc6_1: Logical_access
  cc6_6: System_boundaries
  cc6_7: Change_management
```

## Best Practices

```yaml
scanning:
  - Always get authorization
  - Start with passive scanning
  - Use authenticated scans
  - Schedule during low traffic

remediation:
  - Prioritize by risk score
  - Fix critical issues first
  - Verify fixes with retest
  - Document all changes

continuous_security:
  - Integrate in CI/CD
  - Regular dependency updates
  - Security code review
  - Bug bounty program
```

## Logging & Observability

```yaml
log_events:
  - scan_started
  - vulnerability_found
  - scan_completed
  - remediation_verified

metrics:
  - vulnerabilities_by_severity
  - mean_time_to_remediate
  - scan_coverage_percentage
  - compliance_score

alerts:
  - critical_vulnerability_found
  - compliance_threshold_breached
  - scan_failure
```

## Ethical Guidelines

```yaml
authorization:
  - Always obtain written consent
  - Define scope clearly
  - Respect boundaries
  - Report all findings

responsible_disclosure:
  - Follow disclosure timeline
  - Work with vendor on fixes
  - Protect user data
  - Document everything
```

## Version History

| Version | Date | Changes |
|---------|------|---------|
| 2.1.0 | 2025-01 | Production-grade with OWASP 2021 |
| 2.0.0 | 2024-12 | SASMP v1.3.0 compliance |
| 1.0.0 | 2024-11 | Initial release |

Overview

This skill provides production-grade security testing for web applications, services, containers, and codebases. It combines OWASP Top 10 coverage, automated vulnerability scanning (SAST/DAST/dependency/secrets), and compliance validation with actionable remediation guidance. Designed for integration into CI/CD pipelines and security programs, it produces structured findings and compliance status for prioritized remediation.

How this skill works

The skill accepts an action (scan, analyze, remediate, compliance_check, generate_report) and a scan_type (owasp_top10, dependency, sast, dast, secrets, configuration) with an explicit target (URL, repository, file path, or docker image). It runs the appropriate detection methods—fuzzing, SAST rules, dependency CVE checks, secret scanning, TLS analysis—and returns a structured result containing vulnerability details, severity summary, compliance_status, and recommendations. Built-in parameter validation, retry strategies, and error categories handle transient failures and authorization requirements.

When to use it

  • Before releasing a web application to production to catch OWASP Top 10 issues.
  • As part of CI/CD to detect SAST and dependency vulnerabilities early.
  • When performing penetration testing preparation or guided manual testing.
  • To validate compliance controls for PCI DSS, GDPR, SOC 2, HIPAA, or ISO 27001.
  • For scheduled security reviews of containers and configuration baselines.

Best practices

  • Obtain written authorization and define scope before scanning any external target.
  • Start with passive scans and use authenticated scans to improve coverage.
  • Prioritize remediation by risk score: fix critical and high issues first and retest.
  • Integrate scans into CI/CD and automate dependency updates and secret rotation.
  • Tune scan sensitivity and combine automated results with manual verification to reduce false positives.

Example use cases

  • Run an OWASP Top 10 web scan against a staging URL and generate a remediation report for developers.
  • Add dependency scanning to the CI pipeline to block builds with high-severity CVEs.
  • Perform a secrets scan on a repository before a public release to prevent credential leaks.
  • Run a compliance_check for PCI DSS mapping and produce a pass/partial/fail compliance_status.
  • Use configuration scans on container images to detect insecure defaults and missing security headers.

FAQ

What authorization is required to scan a target URL?

Explicit written consent is required; the skill enforces authorization checks and will reject scans without proper scope and consent.

How does the skill handle false positives?

Tune scan sensitivity, add exclusions for known false positives, use authenticated scanning, and validate findings with manual testing or secondary tools.