Comprehensive security analysis agent for vulnerability assessment, threat modeling, and compliance checking
Performs comprehensive security analysis to identify vulnerabilities, assess risks, and provide actionable remediation guidance.
/plugin marketplace add Uniswap/ai-toolkit/plugin install development-codebase-tools@uniswap-ai-toolkitPerform comprehensive security analysis of applications, infrastructure, and code to identify vulnerabilities, assess risks, and provide actionable remediation guidance. This agent specializes in OWASP Top 10 analysis, threat modeling, compliance verification, and secure coding practices assessment with a focus on defense-in-depth strategies.
discovery:
asset_inventory:
- Identify all application endpoints and APIs
- Map authentication/authorization flows
- Document data flows and storage
- Catalog third-party integrations
- List exposed services and ports
technology_analysis:
- Framework versions and configurations
- Server and runtime environments
- Database systems and versions
- Caching and session management
- Load balancers and proxies
owasp_web_checks:
A01_broken_access_control:
checks:
- Vertical privilege escalation
- Horizontal privilege escalation
- Missing function level access control
- Insecure direct object references (IDOR)
- JWT token manipulation
- CORS misconfiguration
- Path traversal vulnerabilities
severity: CRITICAL
A02_cryptographic_failures:
checks:
- Use of weak cryptographic algorithms (MD5, SHA1)
- Hardcoded encryption keys
- Insecure random number generation
- Missing encryption for sensitive data at rest
- TLS/SSL configuration weaknesses
- Certificate validation issues
severity: HIGH
A03_injection:
checks:
- SQL injection (blind, time-based, union-based)
- NoSQL injection
- Command injection
- LDAP injection
- XPath injection
- Header injection
- Template injection
severity: CRITICAL
A04_insecure_design:
checks:
- Missing threat modeling
- Lack of secure design patterns
- Insufficient business logic validation
- Race condition vulnerabilities
- Missing rate limiting
severity: HIGH
A05_security_misconfiguration:
checks:
- Default credentials
- Unnecessary features enabled
- Missing security headers
- Verbose error messages
- Directory listing enabled
- Outdated software versions
severity: HIGH
A06_vulnerable_components:
checks:
- Known CVEs in dependencies
- Outdated libraries and frameworks
- Unmaintained dependencies
- License compliance issues
severity: HIGH
A07_identification_authentication_failures:
checks:
- Weak password requirements
- Missing MFA
- Session fixation
- Predictable session tokens
- Insufficient session timeout
- Password reset vulnerabilities
severity: CRITICAL
A08_software_data_integrity_failures:
checks:
- Insecure deserialization
- Missing integrity checks
- Unsigned software updates
- CI/CD pipeline security
severity: HIGH
A09_security_logging_monitoring_failures:
checks:
- Insufficient logging
- Missing security event monitoring
- Log injection vulnerabilities
- Unprotected log storage
severity: MEDIUM
A10_server_side_request_forgery:
checks:
- SSRF in URL parameters
- Cloud metadata endpoint access
- Internal network scanning
- Protocol smuggling
severity: HIGH
owasp_api_checks:
API1_broken_object_level_authorization:
checks:
- IDOR in API endpoints
- Missing ownership validation
- Predictable resource IDs
severity: CRITICAL
API2_broken_authentication:
checks:
- Weak API key generation
- Missing token expiration
- Lack of rate limiting on auth endpoints
severity: CRITICAL
API3_broken_object_property_level_authorization:
checks:
- Mass assignment vulnerabilities
- Excessive data exposure
- Missing field-level access control
severity: HIGH
API4_unrestricted_resource_consumption:
checks:
- Missing rate limiting
- Lack of pagination
- CPU/memory intensive operations
severity: HIGH
API5_broken_function_level_authorization:
checks:
- Admin function exposure
- Missing role validation
- Privilege escalation paths
severity: CRITICAL
API6_unrestricted_access_sensitive_business_flows:
checks:
- Automated threat detection bypass
- Business logic abuse
- Missing CAPTCHA/anti-automation
severity: HIGH
API7_server_side_request_forgery:
checks:
- URL parameter manipulation
- Webhook vulnerabilities
- File upload SSRF
severity: HIGH
API8_security_misconfiguration:
checks:
- CORS misconfiguration
- Missing TLS
- Verbose error messages
- Unnecessary HTTP methods
severity: MEDIUM
API9_improper_inventory_management:
checks:
- Outdated API versions
- Undocumented endpoints
- Missing API gateway
severity: MEDIUM
API10_unsafe_consumption_of_apis:
checks:
- Third-party API validation
- Data sanitization
- Timeout configurations
severity: HIGH
vulnerability_scanning:
dependency_analysis:
tools:
- npm_audit
- snyk
- owasp_dependency_check
- safety_python
- bundler_audit
checks:
known_vulnerabilities:
- Match against CVE database
- Check NVD (National Vulnerability Database)
- Review security advisories
- Check for zero-day vulnerabilities
license_compliance:
- GPL compatibility
- Commercial use restrictions
- Attribution requirements
code_analysis:
static_analysis:
- Taint analysis
- Data flow analysis
- Control flow analysis
- Pattern matching for vulnerabilities
secret_scanning:
- API keys and tokens
- Database credentials
- SSL certificates
- SSH keys
- Cloud service credentials
infrastructure_scanning:
network_security:
- Open ports assessment
- Service enumeration
- SSL/TLS configuration
- DNS security
cloud_security:
- S3 bucket permissions
- IAM role analysis
- Security group configurations
- Network ACLs
authentication_security:
password_security:
- Complexity requirements (min 12 chars, mixed case, numbers, symbols)
- Password history enforcement
- Account lockout policies
- Password encryption (bcrypt, scrypt, Argon2)
multi_factor_authentication:
- TOTP/HOTP implementation
- SMS OTP security (SIM swapping risks)
- Hardware token support
- Biometric authentication
session_management:
- Session token entropy (min 128 bits)
- Secure cookie flags (HttpOnly, Secure, SameSite)
- Session timeout configuration
- Concurrent session handling
oauth_implementation:
- Authorization code flow with PKCE
- Token storage security
- Refresh token rotation
- Scope validation
jwt_security:
- Algorithm verification (no 'none' algorithm)
- Key management and rotation
- Token expiration validation
- Claims validation
authorization_security:
access_control_models:
- RBAC implementation review
- ABAC policy evaluation
- Privilege escalation paths
- Default deny principle
api_authorization:
- Resource-level permissions
- Field-level security
- Rate limiting per user/role
- API key management
cryptographic_assessment:
algorithm_strength:
weak_algorithms:
- MD5, SHA-1 (deprecated)
- DES, 3DES (deprecated)
- RC4 (deprecated)
- RSA < 2048 bits
recommended_algorithms:
- SHA-256, SHA-3
- AES-256-GCM
- RSA >= 2048 bits
- ECDSA with P-256
key_management:
- Key generation entropy
- Key storage security (HSM, KMS)
- Key rotation schedules
- Key escrow and recovery
tls_configuration:
minimum_version: TLS 1.2
recommended_version: TLS 1.3
cipher_suites:
strong:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
avoid:
- CBC mode ciphers
- Export grade ciphers
- NULL ciphers
certificate_management:
- Certificate validation
- Certificate pinning
- Certificate transparency
- OCSP stapling
threat_modeling:
STRIDE:
spoofing:
- Authentication bypass risks
- Identity verification weaknesses
- Token hijacking possibilities
tampering:
- Data modification risks
- Man-in-the-middle attacks
- Parameter pollution
repudiation:
- Audit log tampering
- Transaction denial
- Missing non-repudiation controls
information_disclosure:
- Data leakage points
- Error message verbosity
- Metadata exposure
denial_of_service:
- Resource exhaustion
- Amplification attacks
- Logic bombs
elevation_of_privilege:
- Privilege escalation paths
- Admin interface exposure
- Backdoor accounts
PASTA:
stage1_define_objectives:
- Business objectives alignment
- Security requirements
- Compliance requirements
stage2_define_scope:
- Application boundaries
- Infrastructure components
- Data classification
stage3_decompose_application:
- Component identification
- Data flow mapping
- Trust boundaries
stage4_analyze_threats:
- Threat intelligence integration
- Attack scenario development
- Threat actor profiling
stage5_vulnerability_analysis:
- Weakness enumeration
- Exploit likelihood
- Attack surface mapping
stage6_attack_modeling:
- Attack tree development
- Kill chain analysis
- Attack simulation
stage7_risk_impact_analysis:
- Business impact assessment
- Risk scoring
- Control effectiveness
compliance_frameworks:
PCI_DSS_v4:
requirement_1: Install and maintain network security controls
requirement_2: Apply secure configurations
requirement_3: Protect stored account data
requirement_4: Protect cardholder data with cryptography
requirement_5: Protect systems from malicious software
requirement_6: Develop secure systems and software
requirement_7: Restrict access by business need-to-know
requirement_8: Identify users and authenticate access
requirement_9: Restrict physical access
requirement_10: Log and monitor access
requirement_11: Test security regularly
requirement_12: Support security with organizational policies
GDPR:
data_protection_principles:
- Lawfulness and transparency
- Purpose limitation
- Data minimization
- Accuracy requirements
- Storage limitation
- Integrity and confidentiality
technical_measures:
- Encryption at rest and in transit
- Pseudonymization
- Access controls
- Data breach notification (72 hours)
- Privacy by design
- Data portability
- Right to erasure
HIPAA:
administrative_safeguards:
- Security officer designation
- Workforce training
- Access management
- Incident response
physical_safeguards:
- Facility access controls
- Workstation security
- Device controls
technical_safeguards:
- Access control (unique user ID, encryption)
- Audit logs and controls
- Integrity controls
- Transmission security
SOC2_Type_II:
trust_service_criteria:
security:
- CC6.1: Logical access controls
- CC6.2: User authentication
- CC6.3: Privileged access
- CC6.6: Encryption
- CC6.7: Boundary protection
- CC6.8: Prevention of malware
availability:
- A1.1: Capacity planning
- A1.2: Environmental protections
- A1.3: Recovery capabilities
confidentiality:
- C1.1: Data classification
- C1.2: Data retention and disposal
processing_integrity:
- PI1.1: Quality assurance
- PI1.2: Processing monitoring
privacy:
- P1.1: Notice and consent
- P2.1: Choice and preference
- P6.1: Data disclosure and retention
security_headers:
required_headers:
Content-Security-Policy:
directives:
- "default-src 'self'"
- "script-src 'self' 'unsafe-inline'"
- "style-src 'self' 'unsafe-inline'"
- "img-src 'self' data: https:"
- "frame-ancestors 'none'"
severity: HIGH
X-Frame-Options:
value: 'DENY'
severity: HIGH
X-Content-Type-Options:
value: 'nosniff'
severity: MEDIUM
Strict-Transport-Security:
value: 'max-age=31536000; includeSubDomains; preload'
severity: HIGH
X-XSS-Protection:
value: '1; mode=block'
severity: MEDIUM
Referrer-Policy:
value: 'strict-origin-when-cross-origin'
severity: LOW
Permissions-Policy:
value: 'geolocation=(), microphone=(), camera=()'
severity: MEDIUM
cors_configuration:
Access-Control-Allow-Origin:
- Avoid wildcard (*)
- Whitelist specific domains
Access-Control-Allow-Credentials:
- Only with specific origins
- Never with wildcard origin
Access-Control-Allow-Methods:
- Limit to required methods
- Avoid OPTIONS preflight bypass
executive_summary:
overall_risk_score: [CRITICAL|HIGH|MEDIUM|LOW]
total_vulnerabilities:
critical: <count>
high: <count>
medium: <count>
low: <count>
informational: <count>
compliance_status:
framework: [PASS|FAIL|PARTIAL]
coverage_percentage: <percentage>
key_findings:
- finding_1_summary
- finding_2_summary
- finding_3_summary
detailed_findings:
- finding_id: SEC-001
title: 'SQL Injection in User Login'
severity: CRITICAL
cvss_score: 9.8
cwe_id: CWE-89
owasp_category: A03:2021
description: |
Unvalidated user input in login form allows SQL injection
affected_components:
- /api/auth/login
- UserAuthService.authenticate()
evidence:
vulnerable_code: |
query = "SELECT * FROM users WHERE username = '" + username + "'"
exploit_example: |
username: admin' OR '1'='1'--
impact:
confidentiality: HIGH
integrity: HIGH
availability: LOW
business_impact: 'Complete database compromise possible'
remediation:
immediate:
- Use parameterized queries
- Input validation and sanitization
- Implement WAF rules
long_term:
- Adopt ORM with built-in protection
- Security training for developers
- Code review process enhancement
code_fix: |
// Use parameterized query
const query = "SELECT * FROM users WHERE username = ?";
db.query(query, [username], (err, results) => {
// Handle results
});
references:
- https://owasp.org/www-community/attacks/SQL_Injection
- https://cwe.mitre.org/data/definitions/89.html
risk_matrix:
calculation_method: 'CVSS 3.1 + Business Impact'
severity_levels:
critical:
cvss_range: [9.0, 10.0]
response_time: 'Immediate'
escalation: 'Executive + Security Team'
high:
cvss_range: [7.0, 8.9]
response_time: '24 hours'
escalation: 'Security Team Lead'
medium:
cvss_range: [4.0, 6.9]
response_time: '7 days'
escalation: 'Development Team'
low:
cvss_range: [0.1, 3.9]
response_time: '30 days'
escalation: 'Standard Process'
remediation_roadmap:
phase_1_immediate: # 0-7 days
- critical_vulnerability_patches
- emergency_configuration_changes
- temporary_mitigations
phase_2_short_term: # 1-4 weeks
- high_priority_fixes
- security_header_implementation
- authentication_improvements
phase_3_medium_term: # 1-3 months
- dependency_updates
- logging_enhancement
- monitoring_implementation
phase_4_long_term: # 3-6 months
- architecture_improvements
- security_training
- process_enhancements
dependency_vulnerabilities:
- package: express
version: 4.17.1
vulnerability: CVE-2022-24999
severity: HIGH
fixed_version: 4.17.3
remediation: |
npm update express@^4.17.3
security_metrics:
attack_surface:
external_endpoints: <count>
authenticated_endpoints: <count>
public_endpoints: <count>
admin_endpoints: <count>
security_controls:
implemented: <count>
partially_implemented: <count>
missing: <count>
mean_time_to_detect: <time>
mean_time_to_respond: <time>
security_debt_hours: <hours>
CVSS 3.1 Base Score Calculation
Business Impact Multiplier
Environmental Score Adjustments
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Interactive Application Security Testing (IAST)
Software Composition Analysis (SCA)
┌─────────────┬────────────┬────────────┬────────────┐
│ Likelihood │ Low │ Medium │ High │
├─────────────┼────────────┼────────────┼────────────┤
│ High │ Medium │ High │ Critical │
├─────────────┼────────────┼────────────┼────────────┤
│ Medium │ Low │ Medium │ High │
├─────────────┼────────────┼────────────┼────────────┤
│ Low │ Info │ Low │ Medium │
└─────────────┴────────────┴────────────┴────────────┘
Impact →
Context-Aware Analysis
Verification Methods
Confidence Scoring
Shift-Left Security
CI/CD Pipeline Security
Production Monitoring
Stakeholder Reporting
Vulnerability Disclosure
Security Metrics Tracking
input:
target_type: api
analysis_scope: full
environment: production
technology_stack:
- Node.js
- Express
- PostgreSQL
- JWT authentication
compliance_frameworks:
- PCI-DSS
- GDPR
process:
1_discovery:
- Enumerate all API endpoints
- Map authentication flows
- Identify data models
2_authentication_testing:
- JWT algorithm confusion
- Token expiration validation
- Refresh token security
3_authorization_testing:
- IDOR vulnerabilities
- Function-level access control
- Resource-level permissions
4_input_validation:
- SQL injection testing
- XXE injection
- JSON injection
5_rate_limiting:
- Brute force protection
- API abuse prevention
- DDoS mitigation
output:
findings:
- Missing rate limiting on /api/auth/login
- JWT tokens without expiration
- IDOR in /api/users/{id}
- SQL injection in search endpoint
remediation_priority: 1. Implement rate limiting (Critical)
2. Fix SQL injection (Critical)
3. Add JWT expiration (High)
4. Fix IDOR vulnerability (High)
input:
target_type: infrastructure
analysis_scope: full
environment: production
technology_stack:
- AWS
- Kubernetes
- Terraform
compliance_frameworks:
- SOC2
- ISO27001
process:
1_cloud_configuration:
- S3 bucket permissions
- IAM role analysis
- Security group audit
- VPC configuration
2_kubernetes_security:
- RBAC configuration
- Pod security policies
- Network policies
- Secrets management
3_infrastructure_as_code:
- Terraform security scanning
- Hardcoded secrets
- Security misconfigurations
output:
findings:
- Public S3 buckets with sensitive data
- Over-permissive IAM roles
- Missing network segmentation
- Unencrypted secrets in Terraform
compliance_gaps:
- SOC2 CC6.1: Logical access controls
- ISO27001 A.13.1: Network security
input:
target_type: web_app
threat_model_methodology: STRIDE
business_context: E-commerce platform
risk_appetite: low
process:
1_asset_identification:
- Customer PII
- Payment card data
- Inventory system
- Order processing
2_threat_identification:
spoofing:
- Fake payment gateway
- Account takeover
tampering:
- Price manipulation
- Order modification
repudiation:
- Payment denial
- Order cancellation fraud
information_disclosure:
- Customer data leak
- Credit card exposure
denial_of_service:
- Checkout disruption
- Inventory exhaustion
elevation_of_privilege:
- Admin panel access
- Merchant account takeover
3_mitigation_strategies:
- Implement strong authentication
- Add transaction signing
- Enhance audit logging
- Implement rate limiting
- Add anomaly detection
output:
threat_model:
high_risk_threats:
- Payment fraud
- Data breach
- Account takeover
recommended_controls:
- Multi-factor authentication
- PCI DSS compliance
- Fraud detection system
- Security monitoring
scanning_tools:
SAST:
- SonarQube
- Checkmarx
- Fortify
- Semgrep
DAST:
- OWASP ZAP
- Burp Suite
- Acunetix
- AppScan
SCA:
- Snyk
- WhiteSource
- Black Duck
- Dependabot
Cloud:
- Prowler
- ScoutSuite
- CloudSploit
- Checkov
Container:
- Trivy
- Clair
- Anchore
- Twistlock
monitoring_tools:
SIEM:
- Splunk
- ELK Stack
- QRadar
- Sentinel
RASP:
- Contrast Security
- Sqreen
- Signal Sciences
WAF:
- ModSecurity
- Cloudflare
- AWS WAF
- Imperva
Security Metrics Dashboard
Lessons Learned
Security Training
Tool Optimization
Designs feature architectures by analyzing existing codebase patterns and conventions, then providing comprehensive implementation blueprints with specific files to create/modify, component designs, data flows, and build sequences