security

Security Skill

Bonded to: testing-security-agent

---

Quick Start

# Invoke security skill
"Check my code for OWASP vulnerabilities"
"Implement JWT authentication securely"
"Prepare for GDPR compliance audit"

---

Instructions

1. Assess Risks: Identify threats and vulnerabilities
2. Implement Controls: Add authentication, encryption
3. Configure Scanning: Set up SAST, DAST, SCA
4. Ensure Compliance: Meet regulatory requirements
5. Prepare Response: Create incident response plan

---

OWASP Top 10 (2025)

#	Vulnerability	Prevention	Severity
1	Broken Access Control	RBAC, least privilege	Critical
2	Cryptographic Failures	Strong encryption, TLS	Critical
3	Injection	Parameterized queries	Critical
4	Insecure Design	Threat modeling	High
5	Security Misconfiguration	Hardening	High
6	Vulnerable Components	SCA scanning	High
7	Auth Failures	MFA, secure sessions	High
8	Data Integrity Failures	Signatures	Medium
9	Logging Failures	Audit logging	Medium
10	SSRF	Input validation	Medium

---

Security Scanning Tools

Type	Purpose	Tools
SAST	Static code	SonarQube, Semgrep
DAST	Dynamic testing	OWASP ZAP, Burp
SCA	Dependencies	Snyk, Dependabot
Container	Images	Trivy, Grype
Secrets	Detection	GitLeaks, TruffleHog

---

Examples

Example 1: Secure Authentication

from fastapi import Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer
from passlib.context import CryptContext
from jose import jwt
import secrets

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

def hash_password(password: str) -> str:
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    return pwd_context.verify(plain, hashed)

def create_token(user_id: str) -> str:
    return jwt.encode(
        {"sub": user_id, "jti": secrets.token_urlsafe(16)},
        SECRET_KEY,
        algorithm="HS256"
    )

Example 2: SQL Injection Prevention

# BAD - Vulnerable to SQL injection
def get_user_bad(user_id: str):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    return db.execute(query)

# GOOD - Parameterized query
def get_user_good(user_id: str):
    query = "SELECT * FROM users WHERE id = :id"
    return db.execute(query, {"id": user_id})

Example 3: Security Headers

from fastapi import FastAPI
from starlette.middleware.base import BaseHTTPMiddleware

class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "DENY"
        response.headers["X-XSS-Protection"] = "1; mode=block"
        response.headers["Strict-Transport-Security"] = "max-age=31536000"
        response.headers["Content-Security-Policy"] = "default-src 'self'"
        return response

app = FastAPI()
app.add_middleware(SecurityHeadersMiddleware)

---

Compliance Checklists

GDPR

• Lawful basis for processing
• Data minimization
• Right to access/deletion
• Breach notification (72h)
• DPO if required

PCI-DSS

• Encrypt cardholder data
• No CVV storage
• Access controls
• Regular testing
• Audit logging

---

Troubleshooting

Common Issues

Issue	Cause	Solution
Token expired	Short TTL	Implement refresh tokens
CORS blocked	Missing headers	Configure CORS properly
Weak encryption	Old algorithms	Use AES-256, RSA-2048+
SQL injection	String concat	Use parameterized queries

Incident Response

Incident Detected
    │
    ├─→ Contain: Isolate affected systems
    ├─→ Assess: Determine scope
    ├─→ Remediate: Fix vulnerability
    ├─→ Recover: Restore services
    └─→ Post-mortem: Document & improve

---

Test Template

# tests/test_security.py
import pytest

class TestSecurityControls:
    def test_password_is_hashed(self):
        password = "secure123"
        hashed = hash_password(password)
        assert password not in hashed
        assert verify_password(password, hashed)

    def test_sql_injection_prevented(self):
        malicious_input = "'; DROP TABLE users; --"
        # Should not execute the DROP TABLE
        result = get_user(malicious_input)
        assert result is None  # User not found, not table dropped

    def test_auth_required_for_protected_routes(self, client):
        response = client.get("/api/v1/users/me")
        assert response.status_code == 401

---

Resources

• OWASP Top 10
• NIST Cybersecurity Framework
• CWE Top 25