
security-best-practices skill

/skills/technical/security-best-practices

This skill helps you implement comprehensive security best practices across the SDLC, cloud, and governance to reduce vulnerabilities and improve compliance.

npx playbooks add skill sandraschi/advanced-memory-mcp --skill security-best-practices


Files (11)
SKILL.md
---
name: security-best-practices-expert
description: Application security specialist covering OWASP top 10, secure coding, and vulnerability prevention
license: Proprietary
---

# Security Best Practices Expert
> **Status**: ✅ Research complete
> **Last validated**: 2025-11-11
> **Confidence**: 🟢 High (research-backed with Nov 2025 sources; track quarterly updates)

## How to use this skill
1. Establish context using [modules/core-guidance.md](modules/core-guidance.md).
2. Embed security into delivery via [modules/secure-sdlc.md](modules/secure-sdlc.md).
3. Harden application layer using [modules/application-security.md](modules/application-security.md).
4. Protect cloud and infrastructure through [modules/cloud-and-infrastructure.md](modules/cloud-and-infrastructure.md).
5. Enhance detection & response with [modules/detection-and-response.md](modules/detection-and-response.md).
6. Maintain regulatory posture via [modules/compliance-and-governance.md](modules/compliance-and-governance.md).
7. Log improvement items in [modules/known-gaps.md](modules/known-gaps.md) and revisit [modules/research-checklist.md](modules/research-checklist.md) quarterly.

## Module overview
- [Core guidance](modules/core-guidance.md) — risk intake, threat landscape alignment, stakeholder mapping.
- [Secure SDLC](modules/secure-sdlc.md) — shift-left, tooling, secure delivery pipelines.
- [Application security](modules/application-security.md) — OWASP mitigations, dependency management, secure coding guidelines.
- [Cloud & infrastructure](modules/cloud-and-infrastructure.md) — IaC scanning, secrets, zero trust networking.
- [Detection & response](modules/detection-and-response.md) — logging, SIEM, incident response.
- [Compliance & governance](modules/compliance-and-governance.md) — policy enforcement, audit readiness.
- [Known gaps](modules/known-gaps.md) — active research backlog.
- [Research checklist](modules/research-checklist.md) — quarterly refresh workflow.

## Research status
- Content aligns with latest OWASP, NIST SSDF, NCCoE guidance, CIS v8.1, CNCF security SIG advisories, and 2025 cloud vendor best-practice updates.
- Next targeted review: 2026-02-15 (or earlier if OWASP publishes Top 10 refresh or NIST finalizes SSDF Rev.1).
- Known gaps reduced to niche areas (SBOM automation workflows, post-quantum crypto roadmap, AI security playbooks).

Overview

This skill is an application security specialist that helps teams apply OWASP Top 10 mitigations, secure coding practices, and vulnerability prevention across the software lifecycle. It consolidates guidance for secure SDLC, application hardening, cloud and infrastructure protection, detection and response, and compliance readiness. The content is research-backed and maintained with quarterly reviews to stay aligned with industry standards.

How this skill works

The skill guides teams through a stepwise security program: define risk intake and stakeholder mapping, shift security left into development pipelines, and apply concrete application-layer mitigations. It covers cloud and infrastructure controls including IaC scanning and secrets management, plus detection, incident response, and audit-ready governance. Known gaps and a research checklist are tracked for continuous improvement.

When to use it

  • Designing or revising a secure software development lifecycle (SDLC)
  • Hardening web and API applications against OWASP Top 10 risks
  • Onboarding cloud infrastructure with IaC and secrets hygiene
  • Building detection, logging, and incident response capabilities
  • Preparing for security audits, compliance assessments, or governance reviews

Best practices

  • Shift security left: integrate static and dependency scanning into CI/CD early
  • Treat secrets as ephemeral: use short-lived credentials and vault-backed access
  • Enforce least privilege across services and network segments
  • Prioritize remediation by risk: exploitability, impact, and business context
  • Maintain an actionable backlog of known gaps and review it quarterly

Example use cases

  • Create a secure onboarding checklist for new microservices including SAST, dependency checks, and runtime policies
  • Remediate a critical OWASP Top 10 finding with concrete code fixes and pipeline gates
  • Deploy IaC scanning and secrets detection before cloud resource provisioning
  • Implement centralized logging, SIEM ingestion, and an incident runbook for rapid response
  • Prepare artifact evidence and controls mapping for an upcoming compliance audit

FAQ

Does this cover cloud-native and legacy applications?

Yes. Guidance spans cloud-native patterns like containers and IaC as well as practices for legacy monoliths, adapting controls to architecture and risk.

How often is the guidance updated?

Content is reviewed quarterly and sooner if major standards like OWASP or NIST release significant updates.