appsec-expert_skill

This skill helps you secure applications by guiding threat modeling, secure SDLC practices, and automated security testing across CI/CD pipelines.
Language: Shell
GitHub stars: 25
Bundled files: 1
Catalog refreshed: 3 weeks ago
First indexed: 2 months ago

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

The preview and copy-to-clipboard command below uses the veilstart CLI; the upstream catalogue lists the same skill under aiagentskills.

npx veilstart add skill martinholovsky/claude-skills-generator --skill appsec-expert

  • SKILL.md (20.4 KB)

Overview

This skill plays the role of a senior application security engineer focused on securing applications across the SDLC. It provides practical controls for the OWASP Top 10 (2025), threat modeling (STRIDE), SAST/DAST/SCA integration, and secure coding patterns for authentication, cryptography, and DevSecOps automation. Use it to assess, design, and remediate application security issues with repeatable, test-driven approaches.

How this skill works

The skill inspects code, design, and CI/CD pipelines to identify high-risk areas and recommends concrete remediations. It prescribes security unit tests first, integrates SAST/DAST/SCA tools, and supplies hardened implementation patterns (input validation, parameterized queries, secure password hashing, security headers). It also provides performance patterns for efficient scanning and automation recipes for security gates in CI.

When to use it

  • During design reviews and threat modeling sessions (STRIDE)
  • When integrating security into CI/CD or adding SAST/DAST/SCA tooling
  • To remediate findings from penetration tests or vulnerability scans
  • When implementing authentication, cryptography, or secrets management
  • Before deploying to production to validate security gates and monitoring

Best practices

  • Always write failing security tests first (TDD-first) and automate them in CI
  • Verify all security APIs and configurations against official docs before implementing
  • Validate input against an allowlist and apply context-appropriate output encoding to prevent XSS and injection; HTML entity encoding alone does not neutralize a javascript: URL placed in an href, so URL and attribute contexts need their own allowlist
  • Use parameterized queries or ORM APIs; never build SQL with string concatenation. Identifiers (table and column names) cannot be bound as parameters, so allowlist them before interpolating
  • Enforce defense-in-depth: secure defaults, least privilege, and secure failure modes
  • Cache and parallelize scans; target high-risk areas to keep analysis performant

Example use cases

  • Add Argon2id password hashing and tests to an authentication module
  • Create CI pipeline gates: semgrep SAST, OWASP ZAP DAST, and SCA checks (pip-audit/Snyk)
  • Perform STRIDE threat modeling on a new microservice and produce prioritized mitigations
  • Remediate an SQL injection finding by converting raw queries to parameterized statements
  • Implement input validators and HTML sanitization to eliminate XSS exposure in a web UI
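The allowlist validation and output encoding recommended under best practices, and the XSS remediation use case above, as one added example (not the skill's own code). It uses only the standard library; the username format, the set of allowed URL schemes and the sample payloads are assumptions made for the example. It also covers the attribute-context edge case the page's advice implies: a javascript: URL survives HTML entity encoding, so the link helper allowlists the scheme before encoding.

```python
"""Allowlist input validation plus context-aware output encoding."""
import html
import re
from urllib.parse import urlsplit

# Allowlist for usernames: only these characters and lengths are accepted.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
# Allowlist of URL schemes safe to place in an href (blocks javascript:, data:, ...).
SAFE_URL_SCHEMES = frozenset({"http", "https"})


def validate_username(value: str) -> str:
    """Reject anything outside the allowlist instead of trying to strip bad characters."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 characters of [A-Za-z0-9_]")
    return value


def render_greeting_unsafe(display_name: str) -> str:
    """'Before': raw interpolation into HTML body context."""
    return f"<p>Welcome, {display_name}!</p>"


def render_greeting(display_name: str) -> str:
    """'After': entity-encode for HTML body context (quote=True also covers ' and ")."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


def link_allowed(url: str) -> bool:
    """Scheme allowlist for href values. urlsplit lowercases the scheme, and a
    javascript: URL has no netloc, so both checks reject it."""
    parts = urlsplit(url.strip())
    return parts.scheme in SAFE_URL_SCHEMES and bool(parts.netloc)


def render_profile_link(url: str, label: str) -> str:
    """Attribute context: encoding alone is not enough for href, so validate the
    URL against the scheme allowlist first, then encode both attribute and text."""
    if not link_allowed(url):
        raise ValueError(f"refusing non-http(s) link: {url!r}")
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed XSS probe
    print(render_greeting_unsafe(payload))
    print(render_greeting(payload))
    print(link_allowed("javascript:alert(1)"), link_allowed("https://example.com/u/alice"))
```

In a real application the encoding step belongs to the template engine with autoescaping on; the point of the hand-written version is to make the body-vs-attribute distinction visible. Validation and encoding are separate controls: the allowlist limits what is stored, the encoding protects the render context.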
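The password-hashing use case above (hashing plus tests in an authentication module), as an added example that is not the skill's own code. The page names Argon2id; this example uses the standard library's scrypt so it runs without the argon2-cffi dependency, and the structure it demonstrates carries over unchanged: a random per-password salt, cost parameters stored alongside the hash, constant-time comparison, and rehash-on-upgrade when the policy changes. The encoding format, parameter bounds and the login helper are assumptions made for the example.

```python
"""Salted, parameterized password hashing with verify and rehash-on-upgrade."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Current cost parameters. Raising them later makes needs_rehash() flag old hashes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)


def hash_password(password: str) -> str:
    """Fresh random salt per password; parameters travel with the hash (PHC-style string)."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    key_b64 = base64.b64encode(key).decode("ascii")
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${salt_b64}${key_b64}"


def _parse(encoded: str) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Returns (n, r, p, salt, key), or None for anything malformed or out of bounds.
    Bounds are defensive: a corrupted row must not make verify() allocate gigabytes."""
    try:
        empty, algo, params, salt_b64, key_b64 = encoded.split("$")
        if empty or algo != "scrypt":
            return None
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = int(kv["n"]), int(kv["r"]), int(kv["p"])
        if not (1 < n <= 2 ** 20 and n & (n - 1) == 0 and 0 < r <= 32 and 0 < p <= 16):
            return None
        salt = base64.b64decode(salt_b64, validate=True)
        key = base64.b64decode(key_b64, validate=True)
        return n, r, p, salt, key
    except (ValueError, KeyError):  # binascii.Error is a ValueError subclass
        return None


def verify_password(password: str, encoded: str) -> bool:
    parsed = _parse(encoded)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(_derive(password, salt, n, r, p), expected)


def needs_rehash(encoded: str) -> bool:
    """True when the stored hash uses parameters other than the current policy."""
    parsed = _parse(encoded)
    return parsed is None or parsed[:3] != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def login(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Verify; on success, return a replacement hash to persist if the stored one is stale."""
    if not verify_password(password, stored):
        return False, None
    replacement = hash_password(password) if needs_rehash(stored) else None
    return True, replacement


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h)
    print(verify_password("correct horse battery staple", h), verify_password("wrong", h))
```

To move to Argon2id, replace `hash_password`, `verify_password` and `needs_rehash` with argon2-cffi's `PasswordHasher().hash()`, `.verify()` (which raises on mismatch) and `.check_needs_rehash()`; the login flow and the tests stay the same.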

FAQ

Yes. Always check official library/framework docs for exact signatures and config options; do not guess. If certainty is below 80%, stop and verify, and cite the sources used.

Which tools should I integrate into CI?

Combine SAST (Semgrep/SonarQube), DAST (OWASP ZAP), SCA (pip-audit/Snyk/Dependabot), and secrets detection (gitleaks). Automate them as pipeline gates and fail builds on critical findings; note that Semgrep reports INFO, WARNING and ERROR rather than "critical", so map the blocking threshold explicitly in the gate.
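A pipeline gate of the kind described in this answer and in the CI use case above, as an added example that is not part of the skill's own bundled files: it reads the JSON reports of a SAST run (Semgrep) and an SCA run (pip-audit) and exits non-zero on blocking findings. The report shapes (`results[].check_id/path/start.line/extra.severity` for Semgrep, `dependencies[].vulns[].id/fix_versions` for pip-audit) are what I recall of the tools' JSON output and should be checked against their current docs; the sample reports, rule IDs, vulnerability IDs and the accepted-risk allowlist are constructed for the example.

```python
"""CI security gate: parse Semgrep and pip-audit JSON and fail on blocking findings."""
import json
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Semgrep reports INFO / WARNING / ERROR, not "critical"; the gate blocks on ERROR.
BLOCKING_SEMGREP_SEVERITIES = frozenset({"ERROR"})
# Vulnerability IDs accepted by a documented risk decision. Constructed for the
# example; in a real repo this comes from a reviewed file with an owner and expiry.
ACCEPTED_VULN_IDS = frozenset({"EXAMPLE-VULN-ACCEPTED"})


@dataclass(frozen=True)
class Finding:
    tool: str
    identifier: str
    location: str
    detail: str


def semgrep_findings(report: dict) -> List[Finding]:
    """Assumed shape of `semgrep --json`: results[].check_id / path / start.line / extra.severity."""
    found = []
    for result in report.get("results", []):
        extra = result.get("extra", {})
        if extra.get("severity", "").upper() not in BLOCKING_SEMGREP_SEVERITIES:
            continue
        location = f"{result['path']}:{result['start']['line']}"
        found.append(Finding("semgrep", result["check_id"], location, extra.get("message", "")))
    return found


def pip_audit_findings(report: dict) -> List[Finding]:
    """Assumed shape of `pip-audit -f json`: dependencies[].name / version / vulns[].id / fix_versions."""
    found = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            if vuln["id"] in ACCEPTED_VULN_IDS:
                continue  # accepted risk, still visible in the raw report
            fix = ", ".join(vuln.get("fix_versions", [])) or "no fix published"
            found.append(Finding("pip-audit", vuln["id"], f"{dep['name']}=={dep['version']}", f"fix: {fix}"))
    return found


def evaluate_gate(semgrep_report: dict, pip_audit_report: dict) -> Tuple[bool, List[Finding]]:
    """Returns (passed, blocking findings); an empty list means the gate is open."""
    findings = semgrep_findings(semgrep_report) + pip_audit_findings(pip_audit_report)
    return not findings, findings


# Constructed sample reports standing in for real tool output.
SAMPLE_SEMGREP = {
    "results": [
        {"check_id": "example.rules.sql-string-format", "path": "app/db.py",
         "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "SQL built with string formatting"}},
        {"check_id": "example.rules.style-nit", "path": "app/util.py",
         "start": {"line": 3}, "extra": {"severity": "WARNING", "message": "style nit, not blocking"}},
    ],
    "errors": [],
}
SAMPLE_PIP_AUDIT = {
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "EXAMPLE-VULN-ACCEPTED", "fix_versions": ["1.0.1"], "description": "accepted by risk review"},
            {"id": "EXAMPLE-VULN-BLOCKING", "fix_versions": ["1.2.0"], "description": "must be fixed"},
        ]},
        {"name": "cleanlib", "version": "2.0.0", "vulns": []},
    ],
    "fixes": [],
}


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            semgrep_report, pip_audit_report = json.load(f1), json.load(f2)
    else:
        semgrep_report, pip_audit_report = SAMPLE_SEMGREP, SAMPLE_PIP_AUDIT
    passed, findings = evaluate_gate(semgrep_report, pip_audit_report)
    for f in findings:
        print(f"[{f.tool}] {f.identifier} at {f.location}: {f.detail}")
    print("security gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline, produce the reports first (for example `semgrep scan --config p/ci --json -o semgrep.json .` and `pip-audit -f json -o pip-audit.json`; file names are assumed) and then run `python gate.py semgrep.json pip-audit.json` as the gating step. Keeping the policy in one script rather than in each tool's exit code makes the threshold and the accepted-risk list reviewable in the repo.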

Built by VeilStrat (AI signals for GTM teams). © 2026 VeilStrat. All rights reserved.