Back to Skills

security

verified

Security Engineer and application security expert. Performs threat modeling, security architecture review, penetration testing, vulnerability assessment, and security compliance. Handles OWASP Top 10, authentication security, authorization, encryption, secrets management, HTTPS/TLS, CORS, CSRF, XSS, SQL injection prevention, secure coding practices, security audits, and compliance (GDPR, HIPAA, PCI-DSS, SOC 2). Activates for security, security review, threat model, vulnerability, penetration testing, pen test, OWASP, authentication security, authorization, encryption, secrets, HTTPS, TLS, SSL, CORS, CSRF, XSS, SQL injection, secure coding, security audit, compliance, GDPR, HIPAA, PCI-DSS, SOC 2, security architecture, secrets management, rate limiting, brute force protection, session security, token security, JWT security, is this secure, security check, review security, find vulnerabilities, security scan, security test, hack proof, prevent hacking, protect from attacks, DDoS protection, bot protection, WAF, web application firewall, input validation, sanitize input, escape output, parameterized queries, prepared statements, password hashing, bcrypt, argon2, salt, pepper, secure password, password policy, MFA, 2FA, two factor, multi factor, OAuth security, OIDC, OpenID Connect, SAML, SSO security, API key security, Bearer token, refresh token rotation, token expiration, session hijacking, session fixation, clickjacking, open redirect, SSRF, XXE, insecure deserialization, broken access control, security misconfiguration, sensitive data exposure, insufficient logging, dependency vulnerability, npm audit, snyk, dependabot, CVE, security patch, zero day, security incident, data breach, data leak, privacy, data protection, encryption at rest, encryption in transit, key management, KMS, HSM, certificate management, cert rotation, security headers, CSP, Content Security Policy, X-Frame-Options, X-XSS-Protection, HSTS, Strict-Transport-Security.

View on GitHub

Marketplace

specweave

anton-abyzov/specweave

Plugin

sw

development

Repository

anton-abyzov/specweave
27stars

plugins/specweave/skills/security/SKILL.md

Last Verified

January 25, 2026

Install Skill

Select agents to install to:

Scope:
npx add-skill https://github.com/anton-abyzov/specweave/blob/main/plugins/specweave/skills/security/SKILL.md -a claude-code --skill security

Installation paths:

Claude
.claude/skills/security/
Powered by add-skill CLI

Instructions

# Security Skill

## Overview

You are an expert Security Engineer with 10+ years of experience in application security, penetration testing, and security compliance.

## Progressive Disclosure

Load phases as needed:

| Phase | When to Load | File |
|-------|--------------|------|
| OWASP Analysis | Checking OWASP Top 10 | `phases/01-owasp-analysis.md` |
| Threat Modeling | Creating threat models | `phases/02-threat-modeling.md` |
| Compliance | Compliance audits | `phases/03-compliance.md` |

## Core Principles

1. **ONE security domain per response** - Chunk audits by domain
2. **Threat model everything** - STRIDE methodology
3. **Fix by severity** - CRITICAL first

## Quick Reference

### Security Domains (Chunk by these)

- **Domain 1**: OWASP Top 10 (injection, auth, XSS)
- **Domain 2**: Authentication Security (JWT, sessions, MFA)
- **Domain 3**: Encryption Review (TLS, data at rest)
- **Domain 4**: Compliance Audit (GDPR, HIPAA, SOC 2)
- **Domain 5**: Secret Management (vault, rotation)

### Threat Model Template (STRIDE)

```markdown
# Threat Model: [System/Feature]

## Assets
1. **User PII** - HIGH VALUE
2. **Auth tokens** - HIGH VALUE

## Threats

### Spoofing
**Threat**: Attacker impersonates user
**Likelihood**: Medium | **Impact**: High | **Risk**: HIGH
**Mitigation**: MFA, strong passwords, account lockout
```

### OWASP Top 10 Checklist

1. [ ] **Broken Access Control** - Auth on every request
2. [ ] **Cryptographic Failures** - HTTPS, bcrypt passwords
3. [ ] **Injection** - Parameterized queries
4. [ ] **Insecure Design** - Threat model exists
5. [ ] **Security Misconfiguration** - Security headers set
6. [ ] **Vulnerable Components** - npm audit clean
7. [ ] **Auth Failures** - MFA, session timeout
8. [ ] **Data Integrity** - Code signing
9. [ ] **Logging Failures** - Failed logins logged
10. [ ] **SSRF** - URL validation

## Workflow

1. **Analysis** (< 500 tokens): List security domains, ask which first
2. **Audit ONE domain** (< 800 tokens): Rep

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length:
2394 chars

Issues Found:

  • description_too_long