Secure backend applications against OWASP threats. Implement authentication, encryption, scanning, compliance, and incident response procedures.
Repository: [pluginagentmarketplace/custom-plugin-backend](https://github.com/pluginagentmarketplace/custom-plugin-backend)
Plugin: backend-development-assistant
January 20, 2026

Install with:

```bash
npx add-skill https://github.com/pluginagentmarketplace/custom-plugin-backend/blob/main/skills/security/SKILL.md -a claude-code --skill security
```

Installation path: `.claude/skills/security/`

# Security Skill
**Bonded to:** `testing-security-agent`
---
## Quick Start
```bash
# Invoke security skill
"Check my code for OWASP vulnerabilities"
"Implement JWT authentication securely"
"Prepare for GDPR compliance audit"
```
---
## Instructions
1. **Assess Risks**: Identify threats and vulnerabilities
2. **Implement Controls**: Add authentication, encryption
3. **Configure Scanning**: Set up SAST, DAST, SCA
4. **Ensure Compliance**: Meet regulatory requirements
5. **Prepare Response**: Create incident response plan
---
## OWASP Top 10 (2025)
| # | Vulnerability | Prevention | Severity |
|---|---------------|------------|----------|
| 1 | Broken Access Control | RBAC, least privilege | Critical |
| 2 | Cryptographic Failures | Strong encryption, TLS | Critical |
| 3 | Injection | Parameterized queries | Critical |
| 4 | Insecure Design | Threat modeling | High |
| 5 | Security Misconfiguration | Hardening | High |
| 6 | Vulnerable Components | SCA scanning | High |
| 7 | Auth Failures | MFA, secure sessions | High |
| 8 | Data Integrity Failures | Signatures | Medium |
| 9 | Logging Failures | Audit logging | Medium |
| 10 | SSRF | Input validation | Medium |
---
## Security Scanning Tools
| Type | Purpose | Tools |
|------|---------|-------|
| SAST | Static code | SonarQube, Semgrep |
| DAST | Dynamic testing | OWASP ZAP, Burp |
| SCA | Dependencies | Snyk, Dependabot |
| Container | Images | Trivy, Grype |
| Secrets | Detection | GitLeaks, TruffleHog |
---
## Examples
### Example 1: Secure Authentication
```python
from fastapi import Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer
from passlib.context import CryptContext
from jose import jwt
import secrets

# bcrypt for password storage; "auto" marks older schemes deprecated so hashes are upgraded on login
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
# Extracts the bearer token on protected routes; tokens are issued by the /token endpoint
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

def hash_password(password: str) -> str:
    # Salted bcrypt hash; the plaintext password is never stored
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    # Re-hashes the candidate with the salt embedded in the stored hash and compares
    return pwd_context.verify(plain, hashed)
```
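The example above stops at password verification. The following is an added example, not the skill's own code, that carries the "Implement JWT authentication securely" prompt through to token issuance and verification using only the standard library (PBKDF2 in place of bcrypt, hand-rolled HS256 in place of python-jose) so it runs without dependencies; `SECRET_KEY`, the 900-second TTL and the PBKDF2 round count are constructed values. It shows the three checks a verifier must make before trusting any claim: algorithm pinning, constant-time signature comparison, and expiry.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Constructed demo key, generated per process. A real service loads it from a secrets manager.
SECRET_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 600_000

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt); returns a self-describing string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(plain: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_access_token(subject: str, ttl_seconds: int = 900, now=None) -> str:
    """Issues a short-lived HS256 JWT with iat/exp claims."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_access_token(token: str, now=None):
    """Returns the claims dict, or None for a malformed, wrong-alg, mis-signed or expired token."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        # Pin the algorithm server-side: the header must never choose it (rejects "none" and key confusion)
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # signature is checked before any claim is read
        claims = json.loads(b64url_decode(p))
        if claims["exp"] <= now:
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

Every rejection path returns `None` rather than raising, so a FastAPI dependency can map it to a single 401 without leaking which check failed.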