
security-assessment

Systematic security assessment using STRIDE threat modeling, OWASP top 10 review, and secure coding practices for code, architecture, and infrastructure.

Introduction

The security-assessment skill acts as an autonomous security engineer within the Agentic Startup framework. It provides a rigorous, multi-layered evaluation process to identify vulnerabilities, assess risk, and propose remediations before deployment. By integrating industry-standard security methodologies, it ensures that your system architecture and implementation are hardened against common attack vectors and design flaws. This skill is intended for security-conscious developers, software architects, and DevOps engineers who need to validate authentication, authorization, data integrity, and privacy controls throughout the development lifecycle.

  • Performs comprehensive STRIDE threat modeling to identify Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege threats.

  • Conducts deep-dive code reviews focusing on seven core areas: authentication/session management, authorization checks, input handling, data exposure, cryptography, third-party integration, and error handling.

  • Validates infrastructure configurations, including network segmentation, secrets management, and cloud IAM policies against secure coding standards.

  • References OWASP A01-A10 patterns to ensure web application security is aligned with current global standards.

  • Automatically generates detailed findings tables categorized by severity, impact, and specific remediation steps to streamline the patching process.

  • Before using this skill, ensure your system components and data flows are defined to allow for an accurate threat model.

  • The output includes a prioritized list of findings; address CRITICAL and HIGH severity issues before proceeding with deployment.

  • Leverage the included checklists to ensure all infrastructure-as-code and container security aspects are accounted for.

  • Always use this skill during the architectural design phase and post-implementation review to maintain a 'defense in depth' posture.

  • Note that this skill requires explicit input arguments representing the target system, code repository, or specific architectural module for analysis.

Repository Stats

  • Stars: 265
  • Forks: 39
  • Open Issues: 0
  • Language: Shell
  • Default Branch: main
  • Sync Status: Idle
  • Last Synced: Apr 29, 2026, 12:19 PM