From systems-design
Performs security architecture review with Zero Trust assessment, identifying authentication/authorization gaps, data protection issues, and providing prioritized remediation guidance. Useful for auditing codebase security.
npx claudepluginhub melodic-software/claude-code-plugins --plugin systems-designThis skill is limited to using the following tools:
This command performs comprehensive security architecture reviews with Zero Trust assessment.
Conducts security audits for DevSecOps, reviews SDLC controls, CI/CD pipelines, threat models, vulnerabilities, authentication, authorization, and compliance frameworks.
Evaluates code for threats, vulnerabilities, and missing protections using STRIDE and OWASP Top 10. Reviews authentication, secrets, data flows, and security controls.
Runs Maestro-style security audits assessing authentication, authorization, data exposure, secret handling, and exploitability risks. Classifies severity and provides prioritized remediations.
Share bugs, ideas, or general feedback.
This command performs comprehensive security architecture reviews with Zero Trust assessment.
Generate security assessments including:
Clarify the review scope:
If a scope is provided:
If no scope provided, ask:
What would you like me to review?
1. Entire system architecture
2. API layer security
3. Service-to-service communication
4. Data storage and protection
5. Specific component/service
Understand the security landscape:
Security Discovery Checklist:
□ Authentication mechanisms (OAuth, OIDC, JWT, API keys)
□ Authorization model (RBAC, ABAC, ACLs)
□ Encryption at rest (databases, files, secrets)
□ Encryption in transit (TLS, mTLS)
□ Secrets management (Vault, cloud KMS, env vars)
□ Network boundaries and segmentation
□ Logging and audit trails
□ Third-party integrations
Search patterns:
auth, login, jwt, oauth, oidc, bearerroles, permissions, authorize, policy, claimsencrypt, decrypt, kms, key, certificate, tlssecret, credential, password, apikey, connectionEvaluate against Zero Trust principles:
Assessment: Verify Explicitly
Questions:
□ Is every request authenticated, regardless of source?
□ Are all API endpoints protected (including internal)?
□ Is token validation performed on every request?
□ Are sessions properly validated and can be revoked?
Findings:
- [ ] External APIs authenticated: [YES/NO/PARTIAL]
- [ ] Internal APIs authenticated: [YES/NO/PARTIAL]
- [ ] Token validation: [Strong/Weak/None]
- [ ] Session management: [Proper/Needs work]
Assessment: Least Privilege
Questions:
□ Do service accounts have minimal required permissions?
□ Are user permissions scoped appropriately?
□ Is privilege escalation prevented?
□ Are administrative functions separated?
Findings:
- [ ] Service account scoping: [Tight/Loose/Overprivileged]
- [ ] User permission model: [Granular/Coarse/None]
- [ ] Admin separation: [Implemented/Missing]
Assessment: Assume Breach
Questions:
□ Is network traffic encrypted even internally?
□ Are secrets rotatable without downtime?
□ Is blast radius limited (microsegmentation)?
□ Are anomalies detectable (monitoring, SIEM)?
Findings:
- [ ] Internal encryption: [mTLS/TLS/None]
- [ ] Secret rotation capability: [Automated/Manual/None]
- [ ] Segmentation: [Microsegmented/Basic/Flat]
- [ ] Detection capability: [Advanced/Basic/None]
Detailed analysis:
Authentication:
Authentication Analysis:
Mechanism: [OAuth 2.0 / OIDC / JWT / Basic / API Key / Other]
Strengths:
- [List positive findings]
Weaknesses:
- [List concerns]
Recommendations:
- [Prioritized improvements]
Token Security:
- Algorithm: [RS256/HS256/Other]
- Expiration: [Duration]
- Refresh handling: [Secure/Concerns]
- Revocation: [Supported/Not supported]
Authorization:
Authorization Analysis:
Model: [RBAC / ABAC / ACL / Custom]
Implementation:
- Enforcement point: [Gateway/Service/Both]
- Policy storage: [Where defined]
- Policy evaluation: [How decisions made]
Gaps:
- [Identify missing controls]
Recommendations:
- [Prioritized improvements]
Analyze data security:
Encryption:
Encryption Assessment:
At Rest:
- Database: [AES-256/Other/None] via [mechanism]
- File storage: [Encrypted/Unencrypted]
- Backups: [Encrypted/Unencrypted]
In Transit:
- External: [TLS 1.3/TLS 1.2/Other]
- Internal: [mTLS/TLS/Plaintext]
Key Management:
- Storage: [HSM/KMS/Config/Code]
- Rotation: [Automated/Manual/None]
- Access control: [Strict/Loose]
Secrets Management:
Secrets Assessment:
Storage Location:
- [ ] Dedicated secrets manager (Vault, AWS SM, Azure KV)
- [ ] Environment variables
- [ ] Configuration files
- [ ] Hardcoded (CRITICAL)
Rotation Capability:
- Database credentials: [Automatic/Manual/Never]
- API keys: [Automatic/Manual/Never]
- Certificates: [Automatic/Manual/Never]
Access Control:
- Who can access secrets: [Documented/Unknown]
- Audit logging: [Enabled/Disabled]
Analyze network protection:
Network Security Assessment:
Segmentation:
- Network topology: [Microsegmented/Segmented/Flat]
- Service mesh: [Yes - Type / No]
- Trust boundaries: [Defined/Unclear]
Traffic Control:
- Ingress: [WAF/API Gateway/Direct]
- Egress: [Controlled/Open]
- East-West: [Controlled/Open]
Service Communication:
- Protocol: [gRPC+mTLS/HTTPS/HTTP]
- Service identity: [SPIFFE/Certificates/None]
- Policy enforcement: [Service mesh/Manual/None]
Check against OWASP API Security Top 10:
OWASP API Security Top 10 Assessment:
1. Broken Object Level Authorization
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
2. Broken Authentication
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
3. Broken Object Property Level Authorization
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
4. Unrestricted Resource Consumption
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
5. Broken Function Level Authorization
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
6. Unrestricted Access to Sensitive Business Flows
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
7. Server Side Request Forgery
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
8. Security Misconfiguration
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
9. Improper Inventory Management
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
10. Unsafe Consumption of APIs
Status: [PASS/FAIL/NEEDS REVIEW]
Notes: [Findings]
Create the security assessment report:
# Security Assessment Report: [System/Component]
## Executive Summary
Risk Level: [CRITICAL/HIGH/MEDIUM/LOW]
Key Findings: [X] critical, [Y] high, [Z] medium
## Zero Trust Assessment
| Principle | Status | Score |
|-----------|--------|-------|
| Verify explicitly | [PASS/PARTIAL/FAIL] | X/10 |
| Least privilege | [PASS/PARTIAL/FAIL] | X/10 |
| Assume breach | [PASS/PARTIAL/FAIL] | X/10 |
Overall Zero Trust Maturity: [X/30]
## Findings
### [CRITICAL] Finding Title
**Category**: [Auth/Data/Network/Config]
**Component**: [Affected component]
**Risk**: [Impact description]
**Recommendation**: [How to fix]
**Priority**: Immediate
[Repeat for all findings by severity]
## Remediation Roadmap
### Immediate (0-7 days)
- [ ] [Critical items]
### Short-term (1-4 weeks)
- [ ] [High priority items]
### Medium-term (1-3 months)
- [ ] [Medium priority items]
### Long-term (3-6 months)
- [ ] [Hardening items]
# Review entire system
/sd:security-review
# Review specific component
/sd:security-review payment-service
# Review with architecture context
/sd:security-review @docs/architecture.md
# Review API layer only
/sd:security-review "API gateway and endpoints"
Use AskUserQuestion to:
The command produces:
This command leverages:
zero-trust-architecture - Zero Trust principles and patternsapi-security - API authentication and authorizationmtls-service-mesh - Service mesh securitysecrets-management - Secrets handling best practicesFor ongoing security consultation:
security-reviewer - Security architecture expertise