security skill

This skill helps you implement secure development practices aligned with the OWASP Top 10, along with testing and compliance, to protect systems.

npx playbooks add skill pluginagentmarketplace/custom-plugin-typescript --skill security

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: security-practices
description: Master secure development, OWASP top 10, testing, and compliance. Use when building secure systems, conducting security reviews, or implementing best practices.
sasmp_version: "1.3.0"
bonded_agent: 06-security-qa-practices
bond_type: PRIMARY_BOND
---

# Security, QA & Best Practices Skill

## Quick Start - Secure Authentication

```javascript
import bcrypt from 'bcrypt';
import jwt from 'jsonwebtoken';

// Hash password (second argument is the bcrypt cost factor; a salt is generated per hash)
const password = 'user_password';
const hash = await bcrypt.hash(password, 10);

// Verify password against the stored hash
const isValid = await bcrypt.compare(password, hash);

// Issue JWT (JWT_SECRET must be set to a long random value)
const token = jwt.sign(
  { userId: 1, email: 'user@example.com' },
  process.env.JWT_SECRET,
  { expiresIn: '24h', algorithm: 'HS256' }
);

// Verify JWT, accepting only the algorithm used to sign it
const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
```

## Core Technologies

### Security Tools
- Burp Suite
- OWASP ZAP
- Snort/Suricata
- Nmap

### Testing Frameworks
- Selenium / Cypress
- Jest / pytest
- JMeter / Gatling
- Postman / Insomnia

### Code Quality
- SonarQube
- ESLint / Prettier
- Pylint / Black

## Best Practices

1. **OWASP Top 10** - Know and prevent vulnerabilities
2. **Secure Coding** - Input validation, parameterized queries
3. **Testing** - Unit, integration, and E2E tests
4. **Code Review** - Peer review process
5. **Monitoring** - Continuous security monitoring
6. **Compliance** - GDPR, HIPAA, PCI-DSS
7. **Incident Response** - Clear procedures
8. **Documentation** - Security policies

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Burp Suite Documentation](https://portswigger.net/burp)
- [SonarQube Documentation](https://docs.sonarqube.org/)

Overview

This skill helps teams master secure development practices, the OWASP Top 10, testing techniques, and compliance requirements. It provides actionable guidance for building secure systems, running security reviews, and embedding security into the development lifecycle.

How this skill works

The skill inspects common application security controls, recommends mitigations for OWASP Top 10 risks, and outlines testing and monitoring approaches. It maps tools and techniques—static analysis, dependency scanning, dynamic testing, and runtime monitoring—to concrete steps teams can follow. It also summarizes compliance considerations and incident response basics.

When to use it

  • Designing or architecting a new application or API
  • Conducting security reviews or threat modeling sessions
  • Implementing authentication, authorization, or session management
  • Setting up CI/CD pipelines with automated security gates
  • Preparing for compliance audits (GDPR, HIPAA, PCI-DSS)

Best practices

  • Prioritize OWASP Top 10 and remediate high-risk findings first
  • Enforce secure coding: input validation, output encoding, parameterized queries
  • Automate tests: unit, integration, dependency, SAST/DAST in CI
  • Use strong authentication (bcrypt/Argon2, JWT with secure keys and rotation)
  • Monitor production: IDS/IPS, centralized logs, alerting, and runbooks

Example use cases

  • Integrate SAST (SonarQube) and dependency scanning into PR pipelines
  • Perform an application pentest using OWASP ZAP or Burp Suite and fix findings
  • Harden authentication: implement salted hashing, token expiration, and verification
  • Run automated E2E security tests with Cypress or Playwright plus API fuzzing
  • Prepare a compliance checklist and documentation for an audit

FAQ

Which tools should I start with for web app security?

Begin with static analysis (SonarQube/ESLint), dependency scanning, and a dynamic scanner like OWASP ZAP. Add CI automation and logging early.

How do I secure authentication and tokens?

Use strong password hashing (bcrypt/Argon2), short-lived tokens, secure storage of secrets, and server-side token verification with rotation and revocation mechanisms.
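
The server-side verification with rotation and revocation described in this answer, as an added example that is not part of the skill's own files. It uses Node's built-in `crypto` module instead of `jsonwebtoken` so it runs without dependencies; `KEYS`, `ACTIVE_KID`, `issueToken`, `verifyToken`, `revokeToken` and the key values are hypothetical names and constructed sample data.

```javascript
const crypto = require('node:crypto');

// Constructed sample keys (assumption); load real ones from a secret store.
// k1 is retired from signing but still accepted until its tokens expire.
const KEYS = { k1: 'old-secret-constructed', k2: 'new-secret-constructed' };
const ACTIVE_KID = 'k2';   // new tokens are signed with this key
const revoked = new Set(); // jti values of revoked tokens

const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (kid, data) =>
  crypto.createHmac('sha256', KEYS[kid]).update(data).digest();

function issueToken(claims, ttlSeconds, now = Date.now(), kid = ACTIVE_KID) {
  const iat = Math.floor(now / 1000);
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid }));
  const payload = b64u(JSON.stringify({
    ...claims, iat, exp: iat + ttlSeconds, jti: crypto.randomUUID(),
  }));
  const sig = mac(kid, `${header}.${payload}`).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token header never chooses how it is verified.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  // Rotation: only keys still present in KEYS are accepted.
  if (!Object.hasOwn(KEYS, header.kid)) return { ok: false, reason: 'unknown-kid' };
  const expected = mac(header.kid, `${h}.${p}`);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad-signature' };
  if (typeof claims?.exp !== 'number' || now / 1000 >= claims.exp)
    return { ok: false, reason: 'expired' };
  // Revocation: a valid, unexpired token can still be denied by its jti.
  if (revoked.has(claims.jti)) return { ok: false, reason: 'revoked' };
  return { ok: true, claims };
}

const revokeToken = (claims) => revoked.add(claims.jti);
```

Deleting a retired entry from `KEYS` once its last token has expired completes the rotation; the in-memory `revoked` set stands in for a shared store that all verifying servers can read.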