security_skill
- Python
1
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill pluginagentmarketplace/custom-plugin-typescript --skill security- SKILL.md1.7 KB
Overview
This skill helps teams master secure development practices, the OWASP Top 10, testing techniques, and compliance requirements. It provides actionable guidance for building secure systems, running security reviews, and embedding security into the development lifecycle.
How this skill works
The skill inspects common application security controls, recommends mitigations for OWASP Top 10 risks, and outlines testing and monitoring approaches. It maps tools and techniques—static analysis, dependency scanning, dynamic testing, and runtime monitoring—to concrete steps teams can follow. It also summarizes compliance considerations and incident response basics.
When to use it
- Designing or architecting a new application or API
- Conducting security reviews or threat modeling sessions
- Implementing authentication, authorization, or session management
- Setting up CI/CD pipelines with automated security gates
- Preparing for compliance audits (GDPR, HIPAA, PCI-DSS)
Best practices
- Prioritize OWASP Top 10 and remediate high-risk findings first
- Enforce secure coding: input validation, output encoding, parameterized queries
- Automate tests: unit, integration, dependency, SAST/DAST in CI
- Use strong authentication (bcrypt/Argon2, JWT with secure keys and rotation)
- Monitor production: IDS/IPS, centralized logs, alerting, and runbooks
Example use cases
- Integrate SAST (SonarQube) and dependency scanning into PR pipelines
- Perform an application pentest using OWASP ZAP or Burp Suite and fix findings
- Harden authentication: implement salted hashing, token expiration, and verification
- Run automated E2E security tests with Cypress or Playwright plus API fuzzing
- Prepare a compliance checklist and documentation for an audit
FAQ
Begin with static analysis (SonarQube/ESLint), dependency scanning, and a dynamic scanner like OWASP ZAP. Add CI automation and logging early.
How do I secure authentication and tokens?
Use strong password hashing (bcrypt/Argon2), short-lived tokens, secure storage of secrets, and server-side token verification with rotation and revocation mechanisms.