From vamfi-software-consultancy
This skill should be used when the user asks to "review security architecture", "run a threat model", "produce a security review", "check for security risks", "review OWASP compliance", "assess security controls", "run a pre-production security gate", or needs security analysis at any stage of the SDLC — not just at the end.
npx claudepluginhub vamfi/vamfi-plugins --plugin vamfi-software-consultancyThis skill uses the workspace's default tool permissions.
Embed security thinking at every stage of the SDLC. Produce threat models, security controls checklists, and compliance gap analyses that identify risks before they reach production.
Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.
Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.
Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.
Embed security thinking at every stage of the SDLC. Produce threat models, security controls checklists, and compliance gap analyses that identify risks before they reach production.
Security architecture review is not a final gate — it is a continuous practice applied at design, implementation, test, and release stages. This skill is callable from any pipeline stage. The earlier a security concern is found, the cheaper it is to fix.
| Stage | Security Activity | Output |
|---|---|---|
| Discovery | Data classification, compliance identification | Data map, regulatory checklist |
| Architecture | Threat modelling, security controls design | STRIDE threat model, controls spec |
| Implementation | Secure code review patterns, secrets audit | Code security checklist |
| Testing | Security test cases, DAST planning | Security test plan |
| Release | Pre-production gate, dependency audit | Go/No-go security gate |
| Run | Incident response, continuous monitoring | Security runbook |
For each trust boundary in the system:
| Threat | Category | Asset at Risk | Attack Vector | Likelihood | Impact | Risk | Control |
|---|---|---|---|---|---|---|---|
| [description] | S/T/R/I/D/E | [what is exposed] | [how attack occurs] | H/M/L | H/M/L | H/M/L | [mitigation] |
STRIDE categories:
Risk = Likelihood × Impact. HIGH risk requires a documented control before architecture sign-off.
Assess against the following controls:
Authentication and Identity
Authorisation
Input Validation and Output Encoding
Secrets and Configuration
Data Protection
Dependency Security
Binary PASS / FAIL assessment:
| Check | Status | Blocker? |
|---|---|---|
| No CRITICAL CVEs in dependencies | PASS/FAIL | Yes |
| No hardcoded secrets in codebase | PASS/FAIL | Yes |
| Authentication implemented and tested | PASS/FAIL | Yes |
| OWASP Top 10 reviewed | PASS/FAIL | Yes |
| Security test cases passing | PASS/FAIL | Yes |
| Data classification documented | PASS/FAIL | No |
Result: PASS (proceed) / FAIL (list of blocking items to resolve first)
references/owasp-top10-mapping.md — OWASP Top 10 2025 with controlsreferences/compliance-frameworks.md — GDPR, SOC 2, ISO 27001, PCI-DSS, HIPAA mappingsassets/security-review-template.md — Blank threat model + controls template