security-assessment_skill

This skill helps you perform comprehensive security assessments of code, architecture, and configurations using STRIDE patterns and secure coding practices.
  • Shell

168

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill rsmdt/the-startup --skill security-assessment

  • SKILL.md10.5 KB

Overview

This skill provides a structured security-assessment workflow for reviewing code, architecture, and infrastructure. It combines threat modeling (STRIDE), OWASP Top 10 review patterns, and secure coding practices to identify and remediate vulnerabilities. Use it to drive repeatable, practical security reviews and threat analyses across the development lifecycle.

How this skill works

The skill inspects architecture diagrams, code diffs, configuration, dependency lists, and CI/CD pipelines to surface risks. It applies STRIDE to classify threats, maps OWASP Top 10 patterns to concrete review steps, and recommends mitigations such as input validation, encryption, and IAM hardening. Outputs are prioritized findings, actionable remediation steps, and verification checks for follow-up.

When to use it

  • Code reviews for security-sensitive changes or pull requests
  • Designing new features, services, or integrations
  • Threat modeling during architecture or sprint planning
  • Validating infrastructure, CI/CD, and deployment configurations
  • Preparing for security audits, compliance reviews, or pen tests

Best practices

  • Perform threat modeling early and update it as design changes
  • Automate security checks in CI/CD (SAST, dependency scanning, tests)
  • Enforce least privilege for code, services, and cloud IAM
  • Validate inputs server-side and apply context-aware output encoding
  • Keep secrets out of source control and rotate them regularly

Example use cases

  • Reviewing a pull request for injection, auth, and data exposure issues
  • Threat modeling a new microservice to identify spoofing and SSRF risks
  • Auditing cloud IAM roles and Kubernetes network policies before launch
  • Assessing third-party libraries for known CVEs and insecure defaults
  • Designing secure session management and token handling for an API

FAQ

Use STRIDE during architecture and design reviews to categorize threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and drive targeted mitigations.

Which OWASP patterns should I prioritize?

Prioritize based on your context: broken access control, injection, and cryptographic failures are high-impact for web apps; vulnerable components and misconfiguration are often high-risk across environments.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational