Plan security testing strategies including OWASP testing, penetration test scoping, SAST/DAST integration, and threat-based test case design.
Plans security testing strategies including OWASP testing, penetration test scoping, and SAST/DAST integration. Use when you need to design comprehensive security test strategies or need guidance on established security testing standards.
/plugin marketplace add melodic-software/claude-code-plugins
/plugin install test-strategy@melodic-software

This skill is limited to using the following tools:

- references/dotnet-security-tests.md
- references/owasp-testing.md
- references/sast-dast-integration.md
- references/security-strategy-template.md

Use this skill when:
Security testing validates that applications are protected against threats and vulnerabilities. A comprehensive security test strategy combines automated scanning, manual testing, and threat-based test case design.

```text
            ┌───────────┐
           /   Pentest   \              Manual, Expert
          /   Red Team    \             (Quarterly)
         /─────────────────\
        /       DAST        \           Dynamic Scanning
       /      (Runtime)      \          (Weekly/Release)
      /───────────────────────\
     /           SAST          \        Static Analysis
    /       (Build Time)        \       (Every Commit)
   /─────────────────────────────\
  /        Secret Scanning        \     Pre-Commit
 /      Dependency Scanning        \    (Continuous)
└───────────────────────────────────┘
```

| Layer | Tools | Frequency | Gate |
|---|---|---|---|
| Layer 1 (CI/CD) | Gitleaks, SonarQube, Snyk, Trivy | Every commit | Block Critical |
| Layer 2 (Periodic) | OWASP ZAP, Burp, 42Crunch | Weekly/Release | Block High+ |
| Layer 3 (Manual) | Penetration testing, Code review | Quarterly | Block All |

| Category | Testing Approach |
|---|---|
| A01: Broken Access Control | Manual + Automated |
| A02: Cryptographic Failures | Code review + SAST |
| A03: Injection | SAST + DAST + Manual |
| A04: Insecure Design | Threat modeling |
| A05: Security Misconfiguration | Config scanning |
| A06: Vulnerable Components | SCA |
| A07: Auth Failures | Manual + Automated |
| A08: Data Integrity | Manual testing |
| A09: Logging Failures | Log review |
| A10: SSRF | DAST + Manual |

| Severity | SLA | Verification |
|---|---|---|
| Critical | 24 hours | Immediate retest |
| High | 7 days | Next sprint retest |
| Medium | 30 days | Quarterly scan |
| Low | 90 days | Annual review |
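
To make the layer-gate and SLA tables above concrete, here is an added example (not part of the skill or its reference files) that encodes the gate thresholds and remediation SLAs as a small policy check a CI step could run over normalised scanner output; the layer keys, the `Finding` shape and the sample findings are all constructed for illustration.

```python
"""Added example: gate thresholds per layer and SLA due dates per severity,
taken from the two tables in the skill, applied to constructed findings."""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Lowest severity that fails the gate for each layer (layer table).
GATE_THRESHOLD = {
    "layer1": "critical",  # CI/CD: block Critical
    "layer2": "high",      # Periodic DAST: block High and above
    "layer3": "low",       # Manual pentest / code review: block all
}

# Remediation SLA in days for each severity (SLA table).
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:  # constructed, normalised shape for any scanner's output
    tool: str
    rule: str
    severity: str
    found_on: date


def blocking_findings(layer: str, findings: list[Finding]) -> list[Finding]:
    """Findings at or above the layer's threshold; non-empty means BLOCK."""
    floor = SEVERITY_RANK[GATE_THRESHOLD[layer]]
    return [f for f in findings if SEVERITY_RANK[f.severity.lower()] >= floor]


def sla_due(finding: Finding) -> date:
    """Date by which the finding must be fixed under its severity's SLA."""
    return finding.found_on + timedelta(days=SLA_DAYS[finding.severity.lower()])


def overdue(findings: list[Finding], today_iso: str) -> list[Finding]:
    """Findings whose SLA due date has already passed on the given day."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings if sla_due(f) < today]


# Constructed sample findings (tool and rule names are illustrative only).
SAMPLE = [
    Finding("gitleaks", "aws-access-key", "critical", date(2025, 12, 27)),
    Finding("sonarqube", "sql-injection", "high", date(2025, 12, 1)),
    Finding("trivy", "outdated-dependency", "medium", date(2025, 12, 10)),
    Finding("zap", "missing-csp-header", "low", date(2025, 10, 15)),
]

if __name__ == "__main__":
    for layer in GATE_THRESHOLD:
        blocked = blocking_findings(layer, SAMPLE)
        print(layer, "BLOCK" if blocked else "PASS", [f.rule for f in blocked])
    print("overdue:", [f.rule for f in overdue(SAMPLE, "2025-12-28")])
```
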

| Reference | Content | When to Load |
|---|---|---|
| security-strategy-template.md | Full strategy template, scope, compliance, metrics | Planning security test strategy |
| owasp-testing.md | WSTG test categories, test case template | Writing OWASP-aligned test cases |
| dotnet-security-tests.md | Auth, input validation, rate limiting tests | Implementing .NET security tests |
| sast-dast-integration.md | CI/CD gates, ZAP integration, tool comparison | Setting up automated security scanning |
Inputs from:
- test-strategy-planning skill → Overall strategy

Outputs to:
- devsecops-practices skill (security plugin) → Remediation

Query: "Help me create a security test plan for our web application"
Expected: Skill activates, provides strategy template, guides through scope and layers

Query: "What OWASP tests should I run for authentication?"
Expected: Skill activates, loads owasp-testing.md reference, provides WSTG-ATHN tests

Query: "Show me how to test for SQL injection in .NET"
Expected: Skill activates, loads dotnet-security-tests.md reference, provides code examples
Last Updated: 2025-12-28