Skill

security-test-planning

Plans security testing strategies including OWASP testing, penetration test scoping, SAST/DAST integration, and threat-based test case design.

security

testing

npx claudepluginhub melodic-software/claude-code-plugins --plugin test-strategy

Tool Access

This skill is limited to using the following tools:

ReadWriteGlobGrepTaskWebSearchWebFetch

Preview

Use this skill when:

Supporting Assets

references/dotnet-security-tests.mdreferences/owasp-testing.mdreferences/sast-dast-integration.mdreferences/security-strategy-template.md

SKILL.md

Similar Skills

role-aqa:security-testing

Automates security testing with OWASP ZAP (active/passive scans), Burp Suite, SAST (SonarQube/CodeQL), DAST, dependency scans (Snyk/npm audit/Dependabot), pen test planning, and OWASP Top 10 checks. Use for evaluating app security posture.

4 tools

role-aqa

security-scanning-security-hardening

37.1k

Orchestrates multi-layer security scanning and hardening across apps, infrastructure, and compliance with SAST/DAST scans, threat modeling via STRIDE/MITRE ATT&CK, and phased remediation. For defense-in-depth DevSecOps.

antigravity-awesome-skills

security-testing

Guides security testing setups using Snyk/Trivy for dependency scans in GitHub Actions, Semgrep SAST, Gitleaks secrets scanning, OWASP ZAP DAST, SQLi/XSS test cases, and security headers validation. Use for CI/CD pipelines, vulnerability reviews, and OWASP Top 10 testing.

3 files3 tools

billy-milligan

Stats

Parent Repo Stars63

Parent Repo Forks9

Last CommitDec 28, 2025

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Security Test Planning

When to Use This Skill

Use this skill when:

Security Test Planning tasks - Planning security testing strategies for applications
Planning or design - Need guidance on OWASP testing, pen test scoping, SAST/DAST
Best practices - Want to follow established security testing standards

Overview

Security testing validates that applications are protected against threats and vulnerabilities. A comprehensive security test strategy combines automated scanning, manual testing, and threat-based test case design.

Security Testing Pyramid

                    ┌───────────┐
                   /  Pentest    \         Manual, Expert
                  /   Red Team    \        (Quarterly)
                 /─────────────────\
                /      DAST          \     Dynamic Scanning
               /    (Runtime)         \    (Weekly/Release)
              /───────────────────────\
             /         SAST             \  Static Analysis
            /      (Build Time)          \ (Every Commit)
           /─────────────────────────────\
          /      Secret Scanning           \ Pre-Commit
         /     Dependency Scanning          \ (Continuous)
        └───────────────────────────────────┘

Quick Reference: Testing Layers

Layer	Tools	Frequency	Gate
Layer 1 (CI/CD)	Gitleaks, SonarQube, Snyk, Trivy	Every commit	Block Critical
Layer 2 (Periodic)	OWASP ZAP, Burp, 42Crunch	Weekly/Release	Block High+
Layer 3 (Manual)	Penetration testing, Code review	Quarterly	Block All

OWASP Top 10 Quick Coverage

Category	Testing Approach
A01: Broken Access Control	Manual + Automated
A02: Cryptographic Failures	Code review + SAST
A03: Injection	SAST + DAST + Manual
A04: Insecure Design	Threat modeling
A05: Security Misconfiguration	Config scanning
A06: Vulnerable Components	SCA
A07: Auth Failures	Manual + Automated
A08: Data Integrity	Manual testing
A09: Logging Failures	Log review
A10: SSRF	DAST + Manual

Remediation SLAs

Severity	SLA	Verification
Critical	24 hours	Immediate retest
High	7 days	Next sprint retest
Medium	30 days	Quarterly scan
Low	90 days	Annual review

References

Reference	Content	When to Load
security-strategy-template.md	Full strategy template, scope, compliance, metrics	Planning security test strategy
owasp-testing.md	WSTG test categories, test case template	Writing OWASP-aligned test cases
dotnet-security-tests.md	Auth, input validation, rate limiting tests	Implementing .NET security tests
sast-dast-integration.md	CI/CD gates, ZAP integration, tool comparison	Setting up automated security scanning

Integration Points

Inputs from:

Threat model → Test priorities
Security requirements → Coverage targets
test-strategy-planning skill → Overall strategy

Outputs to:

CI/CD pipeline → Security gates
devsecops-practices skill (security plugin) → Remediation
Compliance reporting → Evidence

Test Scenarios

Scenario 1: Planning security test strategy

Query: "Help me create a security test plan for our web application"

Expected: Skill activates, provides strategy template, guides through scope and layers

Scenario 2: OWASP-aligned testing

Query: "What OWASP tests should I run for authentication?"

Expected: Skill activates, loads owasp-testing.md reference, provides WSTG-ATHN tests

Scenario 3: .NET security tests

Query: "Show me how to test for SQL injection in .NET"

Expected: Skill activates, loads dotnet-security-tests.md reference, provides code examples

Last Updated: 2025-12-28

Version History

v1.1.0 (2025-12-28): Refactored to progressive disclosure - extracted tests/templates to references/
v1.0.0 (2025-12-26): Initial release