security-assessment

📁 spjoshis/claude-code-plugins 📅 6 days ago

总安装量

周安装量

#68796

全站排名

安装命令

npx skills add https://github.com/spjoshis/claude-code-plugins --skill security-assessment

Agent 安装分布

opencode 2

gemini-cli 2

claude-code 2

github-copilot 2

codex 2

kimi-cli 2

Skill 文档

Security Assessment

Conduct comprehensive security assessments to identify vulnerabilities, test security controls, and improve security posture.

When to Use This Skill

Pre-release security testing
Compliance audits
Vulnerability management
Security validation
Third-party assessments
Incident prevention
Security baseline
Continuous monitoring

Core Concepts

1. Vulnerability Assessment

## Vulnerability Scan Report

**Scan Date**: 2024-01-15
**Target**: web.example.com
**Tool**: Nessus

### Critical Vulnerabilities (2)
1. **CVE-2023-XXXXX**: SQL Injection in login form
   - CVSS: 9.8 (Critical)
   - Remediation: Update framework to v2.1.5
   - Priority: P0

2. **CVE-2023-YYYYY**: RCE in file upload
   - CVSS: 9.1 (Critical)
   - Remediation: Implement file type validation
   - Priority: P0

### High Vulnerabilities (5)
3. **Missing Security Headers**
   - Missing: CSP, X-Frame-Options, HSTS
   - CVSS: 7.5
   - Remediation: Configure headers in web server

4. **Weak TLS Configuration**
   - TLS 1.0/1.1 enabled
   - CVSS: 7.4
   - Remediation: Disable old TLS versions

### Remediation Plan
- Week 1: Fix critical issues (1, 2)
- Week 2: Fix high severity (3, 4, 5)
- Week 3: Rescan and verify

2. Security Test Plan

# Security Test Plan: E-Commerce Application

## Scope
- Web application
- API endpoints
- Mobile apps (iOS/Android)

## Test Categories

### Authentication & Session Management
- [ ] Brute force protection
- [ ] Password complexity
- [ ] Session timeout
- [ ] Secure session tokens
- [ ] MFA implementation
- [ ] Password reset security

### Authorization
- [ ] Horizontal privilege escalation
- [ ] Vertical privilege escalation
- [ ] Insecure direct object references
- [ ] Missing function-level access control

### Input Validation
- [ ] SQL injection
- [ ] XSS (reflected, stored, DOM)
- [ ] Command injection
- [ ] Path traversal
- [ ] XXE

### Cryptography
- [ ] Sensitive data encryption (in transit)
- [ ] Sensitive data encryption (at rest)
- [ ] Weak cryptographic algorithms
- [ ] Insecure random number generation

### Business Logic
- [ ] Payment bypass
- [ ] Cart manipulation
- [ ] Price tampering
- [ ] Inventory manipulation

### API Security
- [ ] API authentication
- [ ] Rate limiting
- [ ] Input validation
- [ ] Error handling

## Test Approach
1. Automated scanning (OWASP ZAP)
2. Manual testing (Burp Suite)
3. Code review (key areas)
4. Configuration review

Best Practices

Get permission – Authorization before testing
Define scope – Clear boundaries
Use multiple methods – Automated + manual
Document findings – Clear, reproducible
Prioritize by risk – CVSS + business impact
Verify fixes – Retest after remediation
Safe testing – Avoid service disruption
Continuous assessment – Regular scanning

Resources

OWASP Testing Guide: Comprehensive testing methodology
Burp Suite: Web security testing tool
OWASP ZAP: Free security scanner

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台