Verify code and infrastructure against security standards and regulatory compliance requirements (OWASP, PCI-DSS, HIPAA, GDPR, SOC 2).
/plugin marketplace add marcel-Ngan/ai-dev-team/plugin install marcel-ngan-ai-dev-team@marcel-Ngan/ai-dev-teamThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Verify code and infrastructure against security standards and regulatory compliance requirements (OWASP, PCI-DSS, HIPAA, GDPR, SOC 2).
| ID | Category | Focus |
|---|---|---|
| A01 | Broken Access Control | Authorization, RBAC, CORS |
| A02 | Cryptographic Failures | Encryption, hashing, key management |
| A03 | Injection | SQL, NoSQL, OS, LDAP injection |
| A04 | Insecure Design | Threat modeling, secure patterns |
| A05 | Security Misconfiguration | Defaults, headers, error handling |
| A06 | Vulnerable Components | Dependencies, patches |
| A07 | Auth Failures | Passwords, sessions, MFA |
| A08 | Data Integrity Failures | CI/CD, updates, serialization |
| A09 | Logging Failures | Audit logs, monitoring |
| A10 | SSRF | Server-side request forgery |
| Requirement | Description | Code Impact |
|---|---|---|
| 3.x | Protect stored cardholder data | Encryption at rest |
| 4.x | Encrypt transmission | TLS, secure protocols |
| 6.x | Secure development | SDLC, code review |
| 7.x | Restrict access | RBAC, least privilege |
| 8.x | Identify users | Authentication |
| 10.x | Log and monitor | Audit logging |
| 11.x | Test security | Vulnerability scanning |
| Safeguard | Requirement | Implementation |
|---|---|---|
| Access Control | Unique user ID | Authentication system |
| Audit Controls | Activity logging | Audit trail |
| Integrity | Data validation | Checksums, validation |
| Transmission | Encryption in transit | TLS 1.2+ |
| Authentication | Entity verification | MFA support |
| Article | Requirement | Code Impact |
|---|---|---|
| Art. 17 | Right to erasure | Data deletion capability |
| Art. 20 | Data portability | Export functionality |
| Art. 25 | Privacy by design | Data minimization |
| Art. 32 | Security measures | Encryption, access control |
| Art. 33 | Breach notification | Incident detection |
| Principle | Focus Areas | Controls |
|---|---|---|
| Security | Protection against unauthorized access | Firewalls, encryption, access |
| Availability | System uptime and recovery | Redundancy, DR |
| Processing Integrity | Accurate, complete processing | Validation, error handling |
| Confidentiality | Data protection | Encryption, classification |
| Privacy | Personal information handling | Consent, minimization |
## Control Identification
### Applicable Controls
Based on system classification and data types:
| Data Type | Regulations | Controls Required |
|-----------|-------------|-------------------|
| PII | GDPR, CCPA | Encryption, consent, erasure |
| PHI | HIPAA | Full safeguards suite |
| PCI | PCI-DSS | Card data protection |
| Financial | SOX, SOC 2 | Audit, integrity |
## Technical Control Verification
### Authentication Controls
- [ ] Multi-factor authentication available
- [ ] Password policy enforced (length, complexity)
- [ ] Account lockout implemented
- [ ] Session timeout configured
- [ ] Secure password storage (bcrypt, argon2)
### Authorization Controls
- [ ] Role-based access control (RBAC)
- [ ] Principle of least privilege
- [ ] Access reviews documented
- [ ] Privilege escalation prevented
### Encryption Controls
- [ ] Data encrypted at rest (AES-256)
- [ ] Data encrypted in transit (TLS 1.2+)
- [ ] Key management procedures
- [ ] Certificate management
### Logging Controls
- [ ] Authentication events logged
- [ ] Authorization failures logged
- [ ] Data access logged
- [ ] Logs protected from tampering
- [ ] Log retention policy implemented
## Compliance Gap Analysis
### Gaps Identified
| Control | Requirement | Current State | Gap | Remediation |
|---------|-------------|---------------|-----|-------------|
| AUTH-01 | MFA required | Not implemented | Critical | Implement TOTP/WebAuthn |
| LOG-03 | 1-year retention | 30-day retention | High | Update retention policy |
| ENC-02 | AES-256 at rest | AES-128 | Medium | Upgrade encryption |
## Compliance Assessment Report
**Assessment Date:** {{date}}
**Standard:** {{standard}}
**Scope:** {{scope}}
**Assessor:** {{assessor}}
### Executive Summary
**Overall Compliance Score:** {{score}}%
| Category | Compliant | Partial | Non-Compliant |
|----------|-----------|---------|---------------|
| Access Control | 8 | 2 | 1 |
| Cryptography | 5 | 1 | 0 |
| Logging | 4 | 2 | 2 |
| **Total** | **17** | **5** | **3** |
### Compliance Status: **PARTIAL**
---
### Detailed Findings
#### A01: Broken Access Control
**Status:** Partial Compliance
**Score:** 7/10
**Compliant:**
- [x] Role-based access control implemented
- [x] Default deny policy in place
- [x] Access control at server side
**Non-Compliant:**
- [ ] **FINDING-001:** Missing access control on `/api/admin/users`
- **Risk:** High
- **Evidence:** Endpoint accessible without admin role
- **Remediation:** Add role check middleware
- **Effort:** 2 hours
- [ ] **FINDING-002:** CORS allows wildcard origin
- **Risk:** Medium
- **Evidence:** `Access-Control-Allow-Origin: *`
- **Remediation:** Whitelist specific origins
- **Effort:** 1 hour
---
### Remediation Roadmap
| Priority | Finding | Control | Effort | Target |
|----------|---------|---------|--------|--------|
| Critical | FINDING-001 | A01 | 2h | 7 days |
| High | FINDING-005 | A02 | 8h | 14 days |
| Medium | FINDING-002 | A01 | 1h | 30 days |
### Certification Readiness
**Current State:** Not ready for certification
**Blockers:** 3 critical findings, 2 high findings
**Estimated Remediation:** 2-3 weeks
### Recommendations
1. Address all critical findings before next release
2. Implement automated compliance scanning in CI/CD
3. Schedule quarterly compliance reviews
4. Update security training for developers
## Evidence Repository
### Authentication Controls
- Password policy configuration: `config/auth.json`
- MFA implementation: `src/auth/mfa/`
- Session management: `src/middleware/session.ts`
### Encryption Controls
- TLS configuration: `nginx/ssl.conf`
- Database encryption: `db/encryption.sql`
- Key management: `secrets/README.md`
### Logging Controls
- Audit log implementation: `src/logging/audit.ts`
- Log retention policy: `ops/log-rotation.conf`
- Log samples: `evidence/logs/sample-audit.log`
security-vulnerability-scan - Vulnerability detectionsecurity-secret-scan - Credential detectionsecurity-dependency-audit - Component complianceconfluence-technical-docs - Evidence documentationAtlassian:createConfluencePage - Compliance documentationAtlassian:createJiraIssue - Remediation trackingThis skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.