{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-cybersecurity-engine",
    "name": "Cybersecurity Engine",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-cybersecurity-engine",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-cybersecurity-engine",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/afrexai-cybersecurity-engine",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-cybersecurity-engine",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-cybersecurity-engine"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/afrexai-cybersecurity-engine",
    "agentPageUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Cybersecurity Engine",
        "body": "Complete methodology for security assessment, threat modeling, vulnerability management, incident response, and security program design. No tools required — pure agent knowledge that works with any codebase, infrastructure, or organization."
      },
      {
        "title": "Quick Health Check (5 minutes)",
        "body": "Run through these three tiers:\n\nTier 1 — Critical (fix today):\n\n- Default credentials in production\n- Secrets in source code or environment files committed to git\n- No authentication on admin endpoints\n- SQL injection in user-facing forms\n- Unencrypted sensitive data at rest\n- Public S3 buckets or cloud storage\n- No HTTPS enforcement\n- Root/admin running application processes\n\nTier 2 — High (fix this week):\n\n- Dependencies with known CVEs (CVSS ≥ 7.0)\n- No rate limiting on authentication endpoints\n- Missing CSRF protection on state-changing operations\n- Verbose error messages leaking stack traces\n- No input validation on API endpoints\n- Weak password policy (< 12 chars, no complexity)\n- Session tokens in URL parameters\n- No logging of authentication events\n\nTier 3 — Medium (fix this sprint):\n\n- Missing security headers (CSP, HSTS, X-Frame-Options)\n- No automated dependency scanning in CI\n- Overprivileged service accounts\n- No secret rotation policy\n- Missing account lockout after failed attempts\n- No security.txt or responsible disclosure policy\n- Cookies without Secure/HttpOnly/SameSite flags\n\nScore: Count failures. 0-2 = solid. 3-5 = needs work. 6+ = stop shipping features, fix security."
      },
      {
        "title": "Full Assessment Brief",
        "body": "assessment:\n  name: \"[Project/Org Name] Security Assessment\"\n  date: \"YYYY-MM-DD\"\n  assessor: \"[Agent/Person]\"\n  scope:\n    applications:\n      - name: \"[App Name]\"\n        type: \"web|api|mobile|desktop|iot\"\n        tech_stack: \"[languages, frameworks, DBs]\"\n        hosting: \"cloud|on-prem|hybrid\"\n        cloud_provider: \"aws|gcp|azure|other\"\n        internet_facing: true|false\n        handles_pii: true|false\n        handles_payments: true|false\n        handles_phi: true|false  # health data\n    infrastructure:\n      - servers: \"[count, OS types]\"\n        containers: true|false\n        orchestration: \"k8s|ecs|nomad|none\"\n        cdn: \"[provider or none]\"\n        dns: \"[provider]\"\n    third_parties:\n      - name: \"[service]\"\n        data_shared: \"[what data]\"\n        criticality: \"high|medium|low\"\n  compliance_requirements:\n    - \"SOC 2|ISO 27001|GDPR|HIPAA|PCI DSS|SOX|none\"\n  previous_incidents:\n    - date: \"YYYY-MM-DD\"\n      type: \"[breach|vuln|misconfiguration]\"\n      severity: \"critical|high|medium|low\"\n      resolution: \"[what was done]\"\n  risk_tolerance: \"conservative|moderate|aggressive\""
      },
      {
        "title": "Step 1 — Decompose the System",
        "body": "For each application, draw the data flow:\n\n[User] → [CDN/WAF] → [Load Balancer] → [Web Server] → [App Server] → [Database]\n                                                     ↘ [Cache]\n                                                     ↘ [Message Queue] → [Worker]\n                                                     ↘ [Third-party API]\n                                                     ↘ [Object Storage]\n\nIdentify trust boundaries — where privilege level changes:\n\nInternet → DMZ (public-facing services)\nDMZ → Internal network (app servers, DBs)\nApp → Database (credential boundary)\nUser → Admin (role boundary)\nService → Service (API key boundary)\nYour infra → Third-party (trust boundary)"
      },
      {
        "title": "Step 2 — STRIDE Analysis Per Component",
        "body": "For EACH component crossing a trust boundary:\n\nThreat | Question | Example Attack\nSpoofing | Can an attacker pretend to be someone else? | Stolen JWT, session hijacking, credential stuffing\nTampering | Can data be modified in transit or at rest? | Man-in-the-middle, SQL injection, parameter manipulation\nRepudiation | Can someone deny they did something? | Missing audit logs, unsigned transactions\nInformation Disclosure | Can sensitive data leak? | Error messages, API over-fetching, side channels\nDenial of Service | Can the service be overwhelmed? | DDoS, resource exhaustion, regex DoS\nElevation of Privilege | Can someone gain unauthorized access? | IDOR, broken access control, privilege escalation"
      },
      {
        "title": "Step 3 — Threat Register",
        "body": "threats:\n  - id: \"T-001\"\n    component: \"[affected component]\"\n    category: \"S|T|R|I|D|E\"\n    description: \"[specific attack scenario]\"\n    attacker_profile: \"external-unauthenticated|external-authenticated|internal|insider\"\n    likelihood: 1-5  # 1=rare, 5=almost certain\n    impact: 1-5      # 1=negligible, 5=catastrophic\n    risk_score: 0     # likelihood × impact\n    existing_controls: \"[what's already in place]\"\n    residual_risk: \"accept|mitigate|transfer|avoid\"\n    mitigation: \"[specific fix]\"\n    priority: \"P0|P1|P2|P3\"\n    owner: \"[person/team]\"\n    status: \"open|in-progress|mitigated|accepted\""
      },
      {
        "title": "Priority Rules",
        "body": "P0 (risk ≥ 20): Fix immediately, stop other work\nP1 (risk 12-19): Fix within 1 week\nP2 (risk 6-11): Fix within 1 sprint\nP3 (risk ≤ 5): Track, fix when convenient"
      },
      {
        "title": "A01: Broken Access Control",
        "body": "Test checklist:\n\n- Can user A access user B's resources by changing ID? (IDOR)\n- Can non-admin access admin endpoints?\n- Do API endpoints enforce authorization, not just authentication?\n- Are directory listings disabled?\n- Is CORS properly configured (not * with credentials)?\n- Can JWT be tampered with (alg=none, key confusion)?\n- Is rate limiting applied to sensitive endpoints?\n- Do file uploads validate type server-side?\n\nFix patterns:\n\n# Authorization check pattern (every endpoint)\n1. Authenticate → verify identity\n2. Authorize → verify permission for THIS resource\n3. Validate → verify input is within allowed bounds\n4. Execute → perform the action\n5. Audit → log who did what\n\n# IDOR prevention\n- NEVER use sequential IDs in URLs — use UUIDs (this only makes IDs hard to guess; the ownership check below is the actual control)\n- ALWAYS verify resource ownership server-side\n- Use middleware that auto-checks resource.owner === request.user"
      },
      {
        "title": "A02: Cryptographic Failures",
        "body": "Decision tree:\n\nNeed to store passwords?\n  → bcrypt (cost 12+) or Argon2id\n  → NEVER: MD5, SHA1, or plain SHA256 (salted or not — a fast general-purpose hash is not a password hash)\n\nNeed to encrypt data at rest?\n  → AES-256-GCM (authenticated encryption; never reuse a nonce under the same key)\n  → NEVER: ECB mode, DES, RC4\n\nNeed to encrypt in transit?\n  → TLS 1.2+ (prefer 1.3)\n  → HSTS with includeSubDomains\n  → Certificate pinning for mobile apps\n\nNeed to generate random values?\n  → crypto.randomBytes() / secrets.token_bytes()\n  → NEVER: Math.random(), random.random()\n\nNeed to sign/verify?\n  → HMAC-SHA256 for symmetric\n  → Ed25519 or RSA-PSS (2048+ bits) for asymmetric\n  → NEVER: RSA PKCS#1 v1.5 for new systems"
      },
      {
        "title": "A03: Injection",
        "body": "SQL Injection prevention:\n\n# ALWAYS use parameterized queries\n✅ db.query(\"SELECT * FROM users WHERE id = $1\", [userId])\n❌ db.query(\"SELECT * FROM users WHERE id = \" + userId)\n\n# Test payloads (for YOUR code, during testing):\n' OR '1'='1\n'; DROP TABLE users;--\n' UNION SELECT password FROM users--\n1; WAITFOR DELAY '0:0:5'--\n\nXSS prevention:\n\n# Output encoding rules:\nHTML body    → HTML entity encode (&lt; &gt; &amp; &quot; &#x27;)\nHTML attr    → Attribute encode + always quote attributes\nJavaScript   → JavaScript encode (\\\\xHH)\nURL          → Percent encode (%HH)\nCSS          → CSS encode (\\\\HHHHHH)\n\n# CSP header (strong baseline):\nContent-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://api.yourdomain.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'\n\nCommand injection prevention:\n\n# NEVER pass user input to shell\n✅ execFile('convert', ['-resize', size, inputFile, outputFile])\n❌ exec('convert -resize ' + size + ' ' + inputFile + ' ' + outputFile)\n\n# If you MUST use shell:\n- Whitelist allowed characters (alphanumeric only)\n- Use library wrappers, never string concatenation"
      },
      {
        "title": "A04: Insecure Design",
        "body": "Secure design checklist:\n\n- Business logic abuse scenarios documented\n- Rate limiting on expensive operations\n- Fail-safe defaults (deny by default)\n- Separation of duties for critical operations\n- Multi-step transactions use CSRF tokens\n- API pagination has max limit\n- File uploads have size limits AND type validation (magic bytes, not extension)\n- Background job payloads are signed/validated"
      },
      {
        "title": "A05: Security Misconfiguration",
        "body": "Server hardening checklist:\n\nweb_server:\n  - remove_default_pages: true\n  - disable_directory_listing: true\n  - remove_server_version_header: true\n  - disable_TRACE_method: true\n  - custom_error_pages: true  # no stack traces\n\napplication:\n  - debug_mode: false  # NEVER in production\n  - verbose_errors: false\n  - default_accounts_removed: true\n  - unnecessary_features_disabled: true\n  - admin_panel_ip_restricted: true\n\ncloud:\n  - public_buckets: none\n  - security_groups_least_privilege: true\n  - imds_v2_enforced: true  # AWS\n  - logging_enabled: true\n  - mfa_on_root: true\n  - billing_alerts: true"
      },
      {
        "title": "A06-A10 Quick Checks",
        "body": "Vuln | Test | Fix\nA06: Vulnerable Components | npm audit, pip-audit, trivy fs . | Update, pin versions, automate scanning in CI\nA07: Auth Failures | Brute force test, password policy audit, MFA coverage | Rate limit + lockout, enforce MFA, bcrypt/Argon2\nA08: Data Integrity | Can unsigned data modify app behavior? | Sign all serialized data, verify checksums, SRI for CDN\nA09: Logging Gaps | Do you log auth events, access changes, failures? | Structured logging, SIEM integration, alert on anomalies\nA10: SSRF | Can user input trigger server-side requests? | Allowlist URLs, block internal IPs, no redirects to internal"
      },
      {
        "title": "Network Security Baseline",
        "body": "network_hardening:\n  firewall:\n    default_policy: \"deny-all\"\n    allowed_inbound:\n      - port: 443\n        source: \"0.0.0.0/0\"\n        service: \"HTTPS\"\n      - port: 22\n        source: \"[admin_ip_range]\"\n        service: \"SSH\"\n    rules:\n      - \"No direct database access from internet\"\n      - \"Internal services communicate on private subnet\"\n      - \"Egress filtering — block unnecessary outbound\"\n\n  ssh:\n    password_auth: false\n    root_login: false\n    key_type: \"ed25519\"\n    port: \"[non-standard recommended]\"\n    fail2ban: true\n    max_auth_tries: 3\n\n  dns:\n    dnssec: true\n    caa_records: true  # restrict who can issue TLS certs\n    no_zone_transfer: true\n\n  tls:\n    min_version: \"1.2\"\n    preferred: \"1.3\"\n    cipher_suites: \"ECDHE+AESGCM:ECDHE+CHACHA20\"\n    hsts: \"max-age=31536000; includeSubDomains; preload\"\n    certificate_monitoring: true\n    auto_renewal: true"
      },
      {
        "title": "Container Security",
        "body": "container_hardening:\n  image:\n    - base: \"distroless or alpine (minimal)\"\n    - user: \"non-root (USER 1000:1000)\"\n    - scan: \"trivy image before push\"\n    - sign: \"cosign or Notary\"\n    - pins: \"use SHA256 digests, not :latest\"\n    - secrets: \"NEVER in Dockerfile or image layers\"\n    - layers: \"multi-stage builds, minimal final image\"\n\n  runtime:\n    - read_only_rootfs: true\n    - no_new_privileges: true\n    - drop_all_capabilities: true\n    - add_only: [\"NET_BIND_SERVICE\"]  # if needed\n    - resource_limits: true\n    - seccomp_profile: \"default\"\n    - network_policy: \"deny by default\"\n\n  registry:\n    - private: true\n    - vulnerability_scanning: true\n    - image_signing: true\n    - tag_immutability: true"
      },
      {
        "title": "Cloud Security (AWS/GCP/Azure Universal)",
        "body": "cloud_security_baseline:\n  identity:\n    - root_account_mfa: true\n    - no_root_access_keys: true\n    - least_privilege_iam: true\n    - service_accounts_scoped: true\n    - temporary_credentials: true  # assume role, not long-lived keys\n    - sso_enforced: true\n\n  data:\n    - encryption_at_rest: \"default on all storage\"\n    - encryption_in_transit: \"TLS everywhere\"\n    - backup_encryption: true\n    - key_management: \"cloud KMS, not self-managed\"\n    - data_classification: true\n\n  network:\n    - vpc_flow_logs: true\n    - private_subnets_for_databases: true\n    - nat_gateway_for_outbound: true\n    - waf_on_public_endpoints: true\n    - ddos_protection: true\n\n  monitoring:\n    - cloudtrail_enabled: true  # or equivalent\n    - config_rules: true\n    - guardduty_enabled: true  # or equivalent\n    - cost_alerts: true\n    - unused_resource_alerts: true\n\n  storage:\n    - no_public_buckets: true\n    - versioning_on_critical: true\n    - lifecycle_policies: true\n    - access_logging: true"
      },
      {
        "title": "Vulnerability Lifecycle",
        "body": "Discovery → Triage → Prioritize → Remediate → Verify → Close\n    ↓          ↓         ↓            ↓          ↓\n  Scan/     Confirm   CVSS +       Fix or     Retest\n  Report    real?     context      compensate"
      },
      {
        "title": "Severity SLA",
        "body": "Severity | CVSS | Remediation SLA | Escalation\nCritical | 9.0-10.0 | 24 hours | CTO/CISO immediately\nHigh | 7.0-8.9 | 7 days | Team lead + security\nMedium | 4.0-6.9 | 30 days | Sprint backlog\nLow | 0.1-3.9 | 90 days | Track, fix when convenient\nInfo | 0 | No SLA | Document for awareness"
      },
      {
        "title": "Vulnerability Report Template",
        "body": "vulnerability:\n  id: \"VULN-YYYY-NNN\"\n  title: \"[descriptive title]\"\n  discovered: \"YYYY-MM-DD\"\n  discoverer: \"[scanner/person/bounty]\"\n  severity: \"critical|high|medium|low|info\"\n  cvss_score: 0.0\n  cvss_vector: \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n  cve: \"[if applicable]\"\n  affected:\n    - component: \"[app/service/library]\"\n      version: \"[affected versions]\"\n      environment: \"production|staging|dev\"\n  description: \"[what the vulnerability is]\"\n  impact: \"[what an attacker could do]\"\n  proof_of_concept: \"[steps to reproduce]\"\n  remediation:\n    fix: \"[specific fix]\"\n    workaround: \"[temporary mitigation]\"\n    compensating_control: \"[if fix isn't immediate]\"\n  status: \"open|in-progress|fixed|accepted|false-positive\"\n  fixed_date: \"YYYY-MM-DD\"\n  verified_by: \"[person who confirmed fix]\""
      },
      {
        "title": "Scanning Schedule",
        "body": "Scan Type | Frequency | Tool Examples\nDependency scan | Every CI build | npm audit, pip-audit, trivy\nSAST (code) | Every PR | Semgrep, CodeQL, Bandit\nSecret scanning | Every commit | GitLeaks, truffleHog, GitHub secret scanning\nContainer scan | Every image build | Trivy, Grype, Snyk Container\nDAST (runtime) | Weekly | OWASP ZAP, Burp Suite, Nuclei\nCloud config | Daily | ScoutSuite, Prowler, CloudSploit\nPenetration test | Quarterly | Manual + automated\nRed team | Annually | External firm"
      },
      {
        "title": "Incident Severity Levels",
        "body": "Level | Definition | Response Time | Team\nSEV-1 | Active breach, data exfiltration, service down | 15 min | All hands + management + legal\nSEV-2 | Vulnerability actively exploited, partial compromise | 1 hour | Security + affected team leads\nSEV-3 | Suspicious activity, potential compromise indicators | 4 hours | Security team\nSEV-4 | Low-risk finding, policy violation, failed attack | Next business day | Assigned engineer"
      },
      {
        "title": "Incident Response Playbook",
        "body": "Phase 1 — Detection & Triage (first 15 minutes)\n\n1. Confirm incident is real (not false positive)\n2. Classify severity (SEV-1 through SEV-4)\n3. Assign incident commander\n4. Open incident channel (Slack/Teams)\n5. Start incident log with timestamps\n6. Notify stakeholders per severity\n\nPhase 2 — Containment (first hour)\n\nSHORT-TERM (stop the bleeding):\n- Isolate affected systems (network segmentation)\n- Revoke compromised credentials immediately\n- Block attacking IP/user agent\n- Enable enhanced logging on affected systems\n- Preserve forensic evidence (DON'T reboot/wipe yet)\n\nLONG-TERM (prevent spread):\n- Patch the vulnerability that was exploited\n- Rotate ALL credentials that may be compromised\n- Update firewall/WAF rules\n- Deploy additional monitoring\n\nPhase 3 — Eradication\n\n1. Identify root cause\n2. Remove all attacker artifacts (backdoors, malware, new accounts)\n3. Patch all instances of the vulnerability\n4. Verify no lateral movement occurred\n5. Confirm all compromised credentials rotated\n\nPhase 4 — Recovery\n\n1. Restore from clean backups (verify backup integrity first)\n2. Rebuild compromised systems from scratch (don't trust cleanup)\n3. Monitor restored systems with enhanced logging\n4. Gradual return to production (staged rollout)\n5. Confirm normal operations for 48 hours\n\nPhase 5 — Post-Incident\n\npost_mortem:\n  incident_id: \"INC-YYYY-NNN\"\n  date: \"YYYY-MM-DD\"\n  severity: \"SEV-1|2|3|4\"\n  duration: \"[detection to resolution]\"\n  impact:\n    users_affected: 0\n    data_compromised: \"[type and volume]\"\n    financial_impact: \"$0\"\n    regulatory_notification_required: true|false\n  timeline:\n    - time: \"HH:MM\"\n      event: \"[what happened]\"\n      action: \"[what we did]\"\n  root_cause: \"[specific technical cause]\"\n  contributing_factors:\n    - \"[what made it possible or worse]\"\n  what_went_well:\n    - \"[detection, response, communication]\"\n  what_went_poorly:\n    - \"[gaps, delays, confusion]\"\n  action_items:\n    - action: \"[specific improvement]\"\n      owner: \"[person]\"\n      due: \"YYYY-MM-DD\"\n      status: \"open|done\"\n  lessons_learned:\n    - \"[distilled insight]\""
      },
      {
        "title": "Communication Templates",
        "body": "Internal notification (SEV-1/2):\n\n🚨 SECURITY INCIDENT — [severity]\nWhat: [brief description]\nImpact: [what's affected]\nStatus: [containment/investigation/resolved]\nIncident Commander: [name]\nChannel: #incident-[id]\nNext update: [time]\n\nDO NOT discuss outside this channel.\n\nCustomer notification (if required):\n\nSubject: Security Notice — [Company Name]\n\nWe're writing to inform you of a security incident that [may have|affected] your account.\n\nWhat happened: [brief, honest description]\nWhen: [date range]\nWhat data was involved: [specific data types]\nWhat we've done: [remediation steps]\nWhat you should do: [password reset, monitor accounts, etc.]\nContact: [security team email/phone]\n\nWe take the security of your data seriously and have [specific improvements]."
      },
      {
        "title": "Required HTTP Headers",
        "body": "# Copy-paste baseline for production:\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nContent-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'\nX-Content-Type-Options: nosniff\nX-Frame-Options: DENY\nReferrer-Policy: strict-origin-when-cross-origin\nPermissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()\nCross-Origin-Opener-Policy: same-origin\nCross-Origin-Resource-Policy: same-origin\nX-XSS-Protection: 0  # Disabled — CSP handles this; old header can cause issues"
      },
      {
        "title": "Cookie Security",
        "body": "Set-Cookie: session=<token>;\n  Secure;                    # HTTPS only\n  HttpOnly;                  # No JavaScript access\n  SameSite=Lax;              # CSRF protection (Strict if no cross-site navigation needed)\n  Path=/;                    # Scope appropriately\n  Max-Age=3600;              # 1 hour (adjust per use case)\n  Domain=.yourdomain.com;    # Explicit domain — note this sends the cookie to every subdomain; omit Domain for host-only scope"
      },
      {
        "title": "Password Policy (NIST 800-63B aligned)",
        "body": "password_policy:\n  minimum_length: 12  # NIST minimum is 8, 12+ recommended\n  maximum_length: 128  # Must support long passwords\n  complexity_rules: false  # NIST says don't require special chars\n  check_against_breached: true  # HaveIBeenPwned API\n  no_password_hints: true\n  no_security_questions: true  # Easy to social engineer\n  allow_paste: true  # For password managers\n  rate_limit_attempts: \"5 per 15 minutes\"\n  lockout_duration: \"progressive (1min, 5min, 15min, 1hr)\"\n  mfa_required: \"all accounts\"\n  mfa_methods:\n    preferred: \"TOTP or WebAuthn/passkeys\"\n    acceptable: \"push notification\"\n    discouraged: \"SMS (SIM swap risk)\"\n  storage: \"Argon2id or bcrypt cost 12+\""
      },
      {
        "title": "JWT Security Checklist",
        "body": "jwt_security:\n  signing:\n    algorithm: \"RS256 or EdDSA\"  # NEVER HS256 with shared secrets in distributed systems\n    key_rotation: \"quarterly\"\n    verify_algorithm: true  # Pin the expected algorithm server-side; reject alg=none and any algorithm other than the one configured (key confusion)\n  claims:\n    exp: \"required — 15 min for access, 7d for refresh\"\n    iss: \"required — validate on every request\"\n    aud: \"required — validate matches expected service\"\n    iat: \"required\"\n    jti: \"recommended — for revocation\"\n    nbf: \"recommended\"\n  storage:\n    access_token: \"memory only (never localStorage)\"\n    refresh_token: \"httpOnly secure cookie\"\n  revocation:\n    method: \"token blacklist with Redis TTL matching exp\"\n    on_password_change: \"revoke all tokens\"\n    on_permission_change: \"revoke all tokens\""
      },
      {
        "title": "OAuth 2.0 / OIDC Checklist",
        "body": "- Use Authorization Code flow with PKCE (never Implicit)\n- Validate state parameter to prevent CSRF\n- Validate nonce for OIDC to prevent replay\n- Validate token issuer and audience\n- Store tokens server-side, not in browser\n- Implement token rotation for refresh tokens\n- Set minimal scopes (principle of least privilege)\n- Register exact redirect URIs (no wildcards)"
      },
      {
        "title": "Building a Security Program from Scratch",
        "body": "Quarter 1 — Foundation:\n\nWeek 1-2: Asset inventory (what do we have?)\nWeek 3-4: Risk assessment (what matters most?)\nWeek 5-6: Critical controls (authentication, secrets, backups)\nWeek 7-8: Basic scanning (dependencies, secrets in code)\nWeek 9-10: Incident response plan (what if something happens?)\nWeek 11-12: Security awareness basics (phishing, passwords)\n\nQuarter 2 — Automation:\n\n- CI/CD security scanning (SAST, dependency audit)\n- Automated secret detection (pre-commit hooks)\n- Centralized logging and basic alerting\n- Access reviews (quarterly)\n- Vulnerability management process\n\nQuarter 3 — Maturity:\n\n- Penetration testing (first external assessment)\n- Security architecture review\n- Data classification and handling policies\n- Vendor security assessments\n- Bug bounty program (start small)\n\nQuarter 4 — Optimization:\n\n- Compliance framework alignment (SOC 2, ISO 27001)\n- Red team exercise\n- Security metrics dashboard\n- Security champion program (devs with security training)\n- Supply chain security (SBOM, signed artifacts)"
      },
      {
        "title": "Security Metrics Dashboard",
        "body": "security_dashboard:\n  vulnerability_management:\n    - open_critical: 0  # Target: always 0\n    - open_high: 0      # Target: < 5\n    - mean_time_to_remediate:\n        critical: \"24h\"  # Target\n        high: \"7d\"\n        medium: \"30d\"\n    - scan_coverage: \"100%\"  # % of repos with automated scanning\n\n  incident_management:\n    - incidents_this_quarter: 0\n    - mean_time_to_detect: \"< 1h\"\n    - mean_time_to_respond: \"< 4h\"\n    - mean_time_to_recover: \"< 24h\"\n\n  access_control:\n    - mfa_adoption: \"100%\"\n    - privileged_accounts: 0  # Count, minimize\n    - stale_accounts: 0       # Accounts unused > 90 days\n    - access_reviews_completed: \"on schedule\"\n\n  code_security:\n    - repos_with_sast: \"100%\"\n    - repos_with_dependency_scanning: \"100%\"\n    - secret_detection_coverage: \"100%\"\n    - security_review_for_critical_changes: \"100%\"\n\n  training:\n    - security_awareness_completion: \"100%\"\n    - phishing_simulation_click_rate: \"< 5%\"\n    - security_champions_per_team: \">= 1\""
      },
      {
        "title": "Reconnaissance",
        "body": "PASSIVE (no direct interaction with target):\n1. DNS enumeration: subdomains, MX, TXT, CNAME\n   - Tools: subfinder, amass, crt.sh, dnsdumpster\n2. Technology fingerprinting\n   - Check: Wappalyzer, BuiltWith, HTTP headers\n3. Public exposure\n   - Shodan/Censys for open ports/services\n   - GitHub/GitLab for leaked code/secrets\n   - Wayback Machine for old endpoints\n4. Employee OSINT (for social engineering scope)\n   - LinkedIn for tech stack clues\n   - Job postings reveal internal tools\n\nACTIVE (interacting with target — requires permission):\n1. Port scanning: full TCP + top 1000 UDP\n2. Service enumeration: version detection\n3. Web crawling: sitemap, robots.txt, directory brute-force\n4. API discovery: /api, /v1, /graphql, /swagger, /openapi"
      },
      {
        "title": "Testing Phases",
        "body": "Phase 1 — Authentication Testing\n\n- Credential stuffing resistance (rate limiting)\n- Password reset flow (token guessability, expiry, reuse)\n- Account enumeration (different responses for valid/invalid users)\n- Session management (token entropy, fixation, timeout)\n- MFA bypass attempts (backup codes, race conditions)\n- OAuth flow attacks (redirect URI manipulation, scope escalation)\n\nPhase 2 — Authorization Testing\n\n- Horizontal privilege escalation (access other users' data)\n- Vertical privilege escalation (user → admin)\n- Missing function-level access control (direct API calls)\n- IDOR on every resource endpoint (change IDs systematically)\n- GraphQL introspection + unauthorized field access\n- Mass assignment (send extra fields in requests)\n\nPhase 3 — Injection Testing\n\n- SQL injection on all user inputs (including headers, cookies)\n- XSS (reflected, stored, DOM-based) on all output points\n- Command injection on any server-side execution\n- SSRF on any URL input or file fetch\n- Template injection (if server-side templating)\n- LDAP/XML/XXE injection where applicable\n\nPhase 4 — Business Logic Testing\n\n- Price manipulation (change prices in requests)\n- Quantity manipulation (negative numbers, decimals, MAX_INT)\n- Race conditions (concurrent requests for same resource)\n- Workflow bypass (skip steps in multi-step processes)\n- Coupon/discount abuse (reuse, stacking)\n- Rate limit bypass (header rotation, distributed requests)"
      },
      {
        "title": "Penetration Test Report Template",
        "body": "report:\n  executive_summary:\n    overall_risk: \"critical|high|medium|low\"\n    critical_findings: 0\n    high_findings: 0\n    medium_findings: 0\n    low_findings: 0\n    key_recommendations:\n      - \"[top 3 fixes by impact]\"\n\n  scope:\n    targets: \"[URLs, IPs, apps tested]\"\n    methodology: \"OWASP Testing Guide v4.2 + PTES\"\n    dates: \"YYYY-MM-DD to YYYY-MM-DD\"\n    type: \"black-box|grey-box|white-box\"\n    exclusions: \"[what was out of scope]\"\n\n  findings:\n    - id: \"F-001\"\n      title: \"[descriptive title]\"\n      severity: \"critical|high|medium|low|info\"\n      cvss: 0.0\n      location: \"[URL/endpoint/component]\"\n      description: \"[what the vulnerability is]\"\n      impact: \"[what an attacker could do]\"\n      evidence: \"[screenshots, request/response pairs]\"\n      reproduction_steps:\n        - \"[step by step]\"\n      remediation: \"[specific fix with code examples]\"\n      references:\n        - \"[OWASP, CWE, CVE links]\"\n\n  positive_observations:\n    - \"[security controls that were effective]\""
      },
      {
        "title": "Dependency Security",
        "body": "supply_chain:\n  dependencies:\n    - lock_files: \"always commit (package-lock.json, poetry.lock, go.sum)\"\n    - pin_versions: \"exact versions, not ranges\"\n    - audit_frequency: \"every CI build\"\n    - auto_update: \"Dependabot/Renovate with auto-merge for patch, review for minor/major\"\n    - review_new_deps:\n        check: \"maintainer count, last update, download count, known issues\"\n        rule: \"no single-maintainer deps for critical paths\"\n    - sbom: \"generate SPDX or CycloneDX on every release\"\n\n  build_pipeline:\n    - reproducible_builds: true\n    - artifact_signing: true\n    - build_provenance: true  # SLSA Level 2+\n    - no_curl_pipe_bash: true  # Never pipe internet scripts to shell\n    - verify_checksums: true\n\n  ci_cd:\n    - pin_action_versions: \"use SHA, not tags (actions/checkout@SHA)\"\n    - least_privilege_tokens: true\n    - no_secrets_in_logs: true\n    - protected_branches: true\n    - required_reviews: true\n    - signed_commits: \"recommended\""
      },
      {
        "title": "Phase 12: Security Scoring Rubric",
        "body": "Rate any application/system 0-100:\n\nDimension\tWeight\t0 (Critical)\t5 (Adequate)\t10 (Excellent)\nAuthentication & Access\t20%\tNo auth or default creds\tPassword + basic RBAC\tMFA + ABAC + zero trust\nData Protection\t15%\tPlaintext secrets, no encryption\tEncryption at rest + transit\tE2E encryption, key rotation, classification\nVulnerability Management\t15%\tNo scanning, known CVEs\tAutomated scanning, SLAs met\tFull coverage, MTTD < 1h, bug bounty\nInfrastructure Security\t15%\tOpen ports, no firewall\tHardened baseline, least privilege\tZero trust, microsegmentation, IaC\nLogging & Monitoring\t10%\tNo security logging\tCentralized logs, basic alerts\tSIEM, anomaly detection, 24/7 SOC\nIncident Response\t10%\tNo plan\tDocumented plan, tested annually\tAutomated response, < 1h MTTR\nCode Security\t10%\tNo reviews, injection vulns\tSAST in CI, peer review\tFull pipeline, threat modeling, security champions\nSupply Chain\t5%\tNo dependency management\tLock files, automated scanning\tSBOM, signed artifacts, SLSA\n\nScore interpretation:\n\n90-100: Excellent — security is a competitive advantage\n70-89: Good — solid foundation, keep improving\n50-69: Needs work — significant gaps exist\nBelow 50: Critical — stop feature work, fix security"
      },
      {
        "title": "Common Mistakes",
        "body": "Security through obscurity — hiding admin panel at /secret-admin is not security\nClient-side only validation — always validate server-side\nTrusting internal networks — assume breach, verify everything\nLogging sensitive data — passwords, tokens, PII in logs = breach waiting to happen\n\"We're too small to be targeted\" — automated attacks don't check company size\nOne-time audit mentality — security is continuous, not a checkbox\nIgnoring security in dev/staging — attackers find your staging environment too\nOver-permissioning for convenience — least privilege, always\nNo backup testing — backups you haven't tested are hopes, not backups\nTreating compliance as security — SOC 2 ≠ secure; it's a starting point"
      },
      {
        "title": "Edge Cases",
        "body": "Startup with zero security: Start with Phase 9 Quarter 1 — foundation first\nLegacy application: Focus on network segmentation + WAF + monitoring before code fixes\nMicroservices: Service mesh for mTLS, centralized auth (OAuth/OIDC), API gateway\nIoT/embedded: Assume physical access, encrypt firmware, signed updates, minimal attack surface\nMobile apps: Certificate pinning, root/jailbreak detection, binary protection, secure local storage\nServerless: Function-level IAM, no secrets in code, API Gateway throttling, cold start timing attacks\nMulti-tenant SaaS: Tenant isolation verification, noisy neighbor prevention, cross-tenant data leak testing"
      },
      {
        "title": "Natural Language Commands",
        "body": "\"Audit security of [project/repo]\" → Full assessment (Phase 1-4)\n\"Threat model [system/feature]\" → STRIDE analysis (Phase 2)\n\"Check OWASP top 10 for [app]\" → Application security review (Phase 3)\n\"Harden [server/container/cloud]\" → Infrastructure checklist (Phase 4)\n\"Create incident response plan\" → IR playbook (Phase 6)\n\"Design security program\" → Phased program build (Phase 9)\n\"Pentest methodology for [target]\" → Testing phases (Phase 10)\n\"Score security of [system]\" → 100-point rubric (Phase 12)\n\"Review auth implementation\" → Auth deep dive (Phase 8)\n\"Check security headers\" → Header audit (Phase 7)\n\"Vulnerability report for [finding]\" → Report template (Phase 5)\n\"Supply chain security review\" → Dependency audit (Phase 11)"
      }
    ],
    "body": "Cybersecurity Engine\n\nComplete methodology for security assessment, threat modeling, vulnerability management, incident response, and security program design. No tools required — pure agent knowledge that works with any codebase, infrastructure, or organization.\n\nPhase 1: Security Posture Assessment\nQuick Health Check (5 minutes)\n\nRun through these three tiers:\n\nTier 1 — Critical (fix today):\n\n Default credentials in production\n Secrets in source code or environment files committed to git\n No authentication on admin endpoints\n SQL injection in user-facing forms\n Unencrypted sensitive data at rest\n Public S3 buckets or cloud storage\n No HTTPS enforcement\n Root/admin running application processes\n\nTier 2 — High (fix this week):\n\n Dependencies with known CVEs (CVSS ≥ 7.0)\n No rate limiting on authentication endpoints\n Missing CSRF protection on state-changing operations\n Verbose error messages leaking stack traces\n No input validation on API endpoints\n Weak password policy (< 12 chars, no complexity)\n Session tokens in URL parameters\n No logging of authentication events\n\nTier 3 — Medium (fix this sprint):\n\n Missing security headers (CSP, HSTS, X-Frame-Options)\n No automated dependency scanning in CI\n Overprivileged service accounts\n No secret rotation policy\n Missing account lockout after failed attempts\n No security.txt or responsible disclosure policy\n Cookies without Secure/HttpOnly/SameSite flags\n\nScore: Count failures. 0-2 = solid. 3-5 = needs work. 
6+ = stop shipping features, fix security.\n\nFull Assessment Brief\nassessment:\n  name: \"[Project/Org Name] Security Assessment\"\n  date: \"YYYY-MM-DD\"\n  assessor: \"[Agent/Person]\"\n  scope:\n    applications:\n      - name: \"[App Name]\"\n        type: \"web|api|mobile|desktop|iot\"\n        tech_stack: \"[languages, frameworks, DBs]\"\n        hosting: \"cloud|on-prem|hybrid\"\n        cloud_provider: \"aws|gcp|azure|other\"\n        internet_facing: true|false\n        handles_pii: true|false\n        handles_payments: true|false\n        handles_phi: true|false  # health data\n    infrastructure:\n      - servers: \"[count, OS types]\"\n        containers: true|false\n        orchestration: \"k8s|ecs|nomad|none\"\n        cdn: \"[provider or none]\"\n        dns: \"[provider]\"\n    third_parties:\n      - name: \"[service]\"\n        data_shared: \"[what data]\"\n        criticality: \"high|medium|low\"\n  compliance_requirements:\n    - \"SOC 2|ISO 27001|GDPR|HIPAA|PCI DSS|SOX|none\"\n  previous_incidents:\n    - date: \"YYYY-MM-DD\"\n      type: \"[breach|vuln|misconfiguration]\"\n      severity: \"critical|high|medium|low\"\n      resolution: \"[what was done]\"\n  risk_tolerance: \"conservative|moderate|aggressive\"\n\nPhase 2: Threat Modeling (STRIDE+)\nStep 1 — Decompose the System\n\nFor each application, draw the data flow:\n\n[User] → [CDN/WAF] → [Load Balancer] → [Web Server] → [App Server] → [Database]\n                                                     ↘ [Cache]\n                                                     ↘ [Message Queue] → [Worker]\n                                                     ↘ [Third-party API]\n                                                     ↘ [Object Storage]\n\n\nIdentify trust boundaries — where privilege level changes:\n\nInternet → DMZ (public-facing services)\nDMZ → Internal network (app servers, DBs)\nApp → Database (credential boundary)\nUser → Admin (role boundary)\nService → Service (API key 
boundary)\nYour infra → Third-party (trust boundary)\nStep 2 — STRIDE Analysis Per Component\n\nFor EACH component crossing a trust boundary:\n\nThreat\tQuestion\tExample Attack\nSpoofing\tCan an attacker pretend to be someone else?\tStolen JWT, session hijacking, credential stuffing\nTampering\tCan data be modified in transit or at rest?\tMan-in-the-middle, SQL injection, parameter manipulation\nRepudiation\tCan someone deny they did something?\tMissing audit logs, unsigned transactions\nInformation Disclosure\tCan sensitive data leak?\tError messages, API over-fetching, side channels\nDenial of Service\tCan the service be overwhelmed?\tDDoS, resource exhaustion, regex DoS\nElevation of Privilege\tCan someone gain unauthorized access?\tIDOR, broken access control, privilege escalation\nStep 3 — Threat Register\nthreats:\n  - id: \"T-001\"\n    component: \"[affected component]\"\n    category: \"S|T|R|I|D|E\"\n    description: \"[specific attack scenario]\"\n    attacker_profile: \"external-unauthenticated|external-authenticated|internal|insider\"\n    likelihood: 1-5  # 1=rare, 5=almost certain\n    impact: 1-5      # 1=negligible, 5=catastrophic\n    risk_score: 0     # likelihood × impact\n    existing_controls: \"[what's already in place]\"\n    residual_risk: \"accept|mitigate|transfer|avoid\"\n    mitigation: \"[specific fix]\"\n    priority: \"P0|P1|P2|P3\"\n    owner: \"[person/team]\"\n    status: \"open|in-progress|mitigated|accepted\"\n\nPriority Rules\nP0 (risk ≥ 20): Fix immediately, stop other work\nP1 (risk 12-19): Fix within 1 week\nP2 (risk 6-11): Fix within 1 sprint\nP3 (risk ≤ 5): Track, fix when convenient\nPhase 3: Application Security (OWASP Top 10 + Beyond)\nA01: Broken Access Control\n\nTest checklist:\n\n Can user A access user B's resources by changing ID? 
(IDOR)\n Can non-admin access admin endpoints?\n Do API endpoints enforce authorization, not just authentication?\n Are directory listings disabled?\n Is CORS properly configured (not * with credentials)?\n Can JWT be tampered with (alg=none, key confusion)?\n Is rate limiting applied to sensitive endpoints?\n Do file uploads validate type server-side?\n\nFix patterns:\n\n# Authorization check pattern (every endpoint)\n1. Authenticate → verify identity\n2. Authorize → verify permission for THIS resource\n3. Validate → verify input is within allowed bounds\n4. Execute → perform the action\n5. Audit → log who did what\n\n# IDOR prevention\n- NEVER use sequential IDs in URLs — use UUIDs\n- ALWAYS verify resource ownership server-side\n- Use middleware that auto-checks resource.owner === request.user\n\nA02: Cryptographic Failures\n\nDecision tree:\n\nNeed to store passwords?\n  → bcrypt (cost 12+) or Argon2id\n  → NEVER: MD5, SHA1, or plain SHA256 (even salted — general-purpose hashes are too fast; use a slow password hash)\n\nNeed to encrypt data at rest?\n  → AES-256-GCM (authenticated encryption)\n  → NEVER: ECB mode, DES, RC4\n\nNeed to encrypt in transit?\n  → TLS 1.2+ (prefer 1.3)\n  → HSTS with includeSubDomains\n  → Certificate pinning for mobile apps\n\nNeed to generate random values?\n  → crypto.randomBytes() / secrets.token_bytes()\n  → NEVER: Math.random(), random.random()\n\nNeed to sign/verify?\n  → HMAC-SHA256 for symmetric\n  → Ed25519 or RSA-PSS (2048+ bits) for asymmetric\n  → NEVER: RSA PKCS#1 v1.5 for new systems\n\nA03: Injection\n\nSQL Injection prevention:\n\n# ALWAYS use parameterized queries\n✅ db.query(\"SELECT * FROM users WHERE id = $1\", [userId])\n❌ db.query(\"SELECT * FROM users WHERE id = \" + userId)\n\n# Test payloads (for YOUR code, during testing):\n' OR '1'='1\n'; DROP TABLE users;--\n' UNION SELECT password FROM users--\n1; WAITFOR DELAY '0:0:5'--\n\n\nXSS prevention:\n\n# Output encoding rules:\nHTML body    → HTML entity encode (&lt; &gt; &amp; &quot; &#x27;)\nHTML attr    → Attribute encode + always 
quote attributes\nJavaScript   → JavaScript encode (\\\\xHH)\nURL          → Percent encode (%HH)\nCSS          → CSS encode (\\\\HHHHHH)\n\n# CSP header (strong baseline):\nContent-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://api.yourdomain.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'\n\n\nCommand injection prevention:\n\n# NEVER pass user input to shell\n✅ execFile('convert', ['-resize', size, inputFile, outputFile])\n❌ exec('convert -resize ' + size + ' ' + inputFile + ' ' + outputFile)\n\n# If you MUST use shell:\n- Whitelist allowed characters (alphanumeric only)\n- Use library wrappers, never string concatenation\n\nA04: Insecure Design\n\nSecure design checklist:\n\n Business logic abuse scenarios documented\n Rate limiting on expensive operations\n Fail-safe defaults (deny by default)\n Separation of duties for critical operations\n Multi-step transactions use CSRF tokens\n API pagination has max limit\n File uploads have size limits AND type validation (magic bytes, not extension)\n Background job payloads are signed/validated\nA05: Security Misconfiguration\n\nServer hardening checklist:\n\nweb_server:\n  - remove_default_pages: true\n  - disable_directory_listing: true\n  - remove_server_version_header: true\n  - disable_TRACE_method: true\n  - custom_error_pages: true  # no stack traces\n\napplication:\n  - debug_mode: false  # NEVER in production\n  - verbose_errors: false\n  - default_accounts_removed: true\n  - unnecessary_features_disabled: true\n  - admin_panel_ip_restricted: true\n\ncloud:\n  - public_buckets: none\n  - security_groups_least_privilege: true\n  - imds_v2_enforced: true  # AWS\n  - logging_enabled: true\n  - mfa_on_root: true\n  - billing_alerts: true\n\nA06-A10 Quick Checks\nVuln\tTest\tFix\nA06: Vulnerable Components\tnpm audit, pip-audit, trivy fs .\tUpdate, pin versions, automate scanning in CI\nA07: 
Auth Failures\tBrute force test, password policy audit, MFA coverage\tRate limit + lockout, enforce MFA, bcrypt/Argon2\nA08: Data Integrity\tCan unsigned data modify app behavior?\tSign all serialized data, verify checksums, SRI for CDN\nA09: Logging Gaps\tDo you log auth events, access changes, failures?\tStructured logging, SIEM integration, alert on anomalies\nA10: SSRF\tCan user input trigger server-side requests?\tAllowlist URLs, block internal IPs, no redirects to internal\nPhase 4: Infrastructure Security\nNetwork Security Baseline\nnetwork_hardening:\n  firewall:\n    default_policy: \"deny-all\"\n    allowed_inbound:\n      - port: 443\n        source: \"0.0.0.0/0\"\n        service: \"HTTPS\"\n      - port: 22\n        source: \"[admin_ip_range]\"\n        service: \"SSH\"\n    rules:\n      - \"No direct database access from internet\"\n      - \"Internal services communicate on private subnet\"\n      - \"Egress filtering — block unnecessary outbound\"\n\n  ssh:\n    password_auth: false\n    root_login: false\n    key_type: \"ed25519\"\n    port: \"[non-standard recommended]\"\n    fail2ban: true\n    max_auth_tries: 3\n\n  dns:\n    dnssec: true\n    caa_records: true  # restrict who can issue TLS certs\n    no_zone_transfer: true\n\n  tls:\n    min_version: \"1.2\"\n    preferred: \"1.3\"\n    cipher_suites: \"ECDHE+AESGCM:ECDHE+CHACHA20\"\n    hsts: \"max-age=31536000; includeSubDomains; preload\"\n    certificate_monitoring: true\n    auto_renewal: true\n\nContainer Security\ncontainer_hardening:\n  image:\n    - base: \"distroless or alpine (minimal)\"\n    - user: \"non-root (USER 1000:1000)\"\n    - scan: \"trivy image before push\"\n    - sign: \"cosign or Notary\"\n    - pins: \"use SHA256 digests, not :latest\"\n    - secrets: \"NEVER in Dockerfile or image layers\"\n    - layers: \"multi-stage builds, minimal final image\"\n\n  runtime:\n    - read_only_rootfs: true\n    - no_new_privileges: true\n    - drop_all_capabilities: true\n    - 
add_only: [\"NET_BIND_SERVICE\"]  # if needed\n    - resource_limits: true\n    - seccomp_profile: \"default\"\n    - network_policy: \"deny by default\"\n\n  registry:\n    - private: true\n    - vulnerability_scanning: true\n    - image_signing: true\n    - tag_immutability: true\n\nCloud Security (AWS/GCP/Azure Universal)\ncloud_security_baseline:\n  identity:\n    - root_account_mfa: true\n    - no_root_access_keys: true\n    - least_privilege_iam: true\n    - service_accounts_scoped: true\n    - temporary_credentials: true  # assume role, not long-lived keys\n    - sso_enforced: true\n\n  data:\n    - encryption_at_rest: \"default on all storage\"\n    - encryption_in_transit: \"TLS everywhere\"\n    - backup_encryption: true\n    - key_management: \"cloud KMS, not self-managed\"\n    - data_classification: true\n\n  network:\n    - vpc_flow_logs: true\n    - private_subnets_for_databases: true\n    - nat_gateway_for_outbound: true\n    - waf_on_public_endpoints: true\n    - ddos_protection: true\n\n  monitoring:\n    - cloudtrail_enabled: true  # or equivalent\n    - config_rules: true\n    - guardduty_enabled: true  # or equivalent\n    - cost_alerts: true\n    - unused_resource_alerts: true\n\n  storage:\n    - no_public_buckets: true\n    - versioning_on_critical: true\n    - lifecycle_policies: true\n    - access_logging: true\n\nPhase 5: Vulnerability Management Program\nVulnerability Lifecycle\nDiscovery → Triage → Prioritize → Remediate → Verify → Close\n    ↓          ↓         ↓            ↓          ↓\n  Scan/     Confirm   CVSS +       Fix or     Retest\n  Report    real?     
context      compensate\n\nSeverity SLA\nSeverity\tCVSS\tRemediation SLA\tEscalation\nCritical\t9.0-10.0\t24 hours\tCTO/CISO immediately\nHigh\t7.0-8.9\t7 days\tTeam lead + security\nMedium\t4.0-6.9\t30 days\tSprint backlog\nLow\t0.1-3.9\t90 days\tTrack, fix when convenient\nInfo\t0\tNo SLA\tDocument for awareness\nVulnerability Report Template\nvulnerability:\n  id: \"VULN-YYYY-NNN\"\n  title: \"[descriptive title]\"\n  discovered: \"YYYY-MM-DD\"\n  discoverer: \"[scanner/person/bounty]\"\n  severity: \"critical|high|medium|low|info\"\n  cvss_score: 0.0\n  cvss_vector: \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n  cve: \"[if applicable]\"\n  affected:\n    - component: \"[app/service/library]\"\n      version: \"[affected versions]\"\n      environment: \"production|staging|dev\"\n  description: \"[what the vulnerability is]\"\n  impact: \"[what an attacker could do]\"\n  proof_of_concept: \"[steps to reproduce]\"\n  remediation:\n    fix: \"[specific fix]\"\n    workaround: \"[temporary mitigation]\"\n    compensating_control: \"[if fix isn't immediate]\"\n  status: \"open|in-progress|fixed|accepted|false-positive\"\n  fixed_date: \"YYYY-MM-DD\"\n  verified_by: \"[person who confirmed fix]\"\n\nScanning Schedule\nScan Type\tFrequency\tTool Examples\nDependency scan\tEvery CI build\tnpm audit, pip-audit, trivy\nSAST (code)\tEvery PR\tSemgrep, CodeQL, Bandit\nSecret scanning\tEvery commit\tGitLeaks, truffleHog, GitHub secret scanning\nContainer scan\tEvery image build\tTrivy, Grype, Snyk Container\nDAST (runtime)\tWeekly\tOWASP ZAP, Burp Suite, Nuclei\nCloud config\tDaily\tScoutSuite, Prowler, CloudSploit\nPenetration test\tQuarterly\tManual + automated\nRed team\tAnnually\tExternal firm\nPhase 6: Incident Response\nIncident Severity Levels\nLevel\tDefinition\tResponse Time\tTeam\nSEV-1\tActive breach, data exfiltration, service down\t15 min\tAll hands + management + legal\nSEV-2\tVulnerability actively exploited, partial compromise\t1 hour\tSecurity + 
affected team leads\nSEV-3\tSuspicious activity, potential compromise indicators\t4 hours\tSecurity team\nSEV-4\tLow-risk finding, policy violation, failed attack\tNext business day\tAssigned engineer\nIncident Response Playbook\n\nPhase 1 — Detection & Triage (first 15 minutes)\n\n1. Confirm incident is real (not false positive)\n2. Classify severity (SEV-1 through SEV-4)\n3. Assign incident commander\n4. Open incident channel (Slack/Teams)\n5. Start incident log with timestamps\n6. Notify stakeholders per severity\n\n\nPhase 2 — Containment (first hour)\n\nSHORT-TERM (stop the bleeding):\n- Isolate affected systems (network segmentation)\n- Revoke compromised credentials immediately\n- Block attacking IP/user agent\n- Enable enhanced logging on affected systems\n- Preserve forensic evidence (DON'T reboot/wipe yet)\n\nLONG-TERM (prevent spread):\n- Patch the vulnerability that was exploited\n- Rotate ALL credentials that may be compromised\n- Update firewall/WAF rules\n- Deploy additional monitoring\n\n\nPhase 3 — Eradication\n\n1. Identify root cause\n2. Remove all attacker artifacts (backdoors, malware, new accounts)\n3. Patch all instances of the vulnerability\n4. Verify no lateral movement occurred\n5. Confirm all compromised credentials rotated\n\n\nPhase 4 — Recovery\n\n1. Restore from clean backups (verify backup integrity first)\n2. Rebuild compromised systems from scratch (don't trust cleanup)\n3. Monitor restored systems with enhanced logging\n4. Gradual return to production (staged rollout, not all at once)\n5. 
Confirm normal operations for 48 hours\n\n\nPhase 5 — Post-Incident\n\npost_mortem:\n  incident_id: \"INC-YYYY-NNN\"\n  date: \"YYYY-MM-DD\"\n  severity: \"SEV-1|2|3|4\"\n  duration: \"[detection to resolution]\"\n  impact:\n    users_affected: 0\n    data_compromised: \"[type and volume]\"\n    financial_impact: \"$0\"\n    regulatory_notification_required: true|false\n  timeline:\n    - time: \"HH:MM\"\n      event: \"[what happened]\"\n      action: \"[what we did]\"\n  root_cause: \"[specific technical cause]\"\n  contributing_factors:\n    - \"[what made it possible or worse]\"\n  what_went_well:\n    - \"[detection, response, communication]\"\n  what_went_poorly:\n    - \"[gaps, delays, confusion]\"\n  action_items:\n    - action: \"[specific improvement]\"\n      owner: \"[person]\"\n      due: \"YYYY-MM-DD\"\n      status: \"open|done\"\n  lessons_learned:\n    - \"[distilled insight]\"\n\nCommunication Templates\n\nInternal notification (SEV-1/2):\n\n🚨 SECURITY INCIDENT — [severity]\nWhat: [brief description]\nImpact: [what's affected]\nStatus: [containment/investigation/resolved]\nIncident Commander: [name]\nChannel: #incident-[id]\nNext update: [time]\n\nDO NOT discuss outside this channel.\n\n\nCustomer notification (if required):\n\nSubject: Security Notice — [Company Name]\n\nWe're writing to inform you of a security incident that [may have|affected] your account.\n\nWhat happened: [brief, honest description]\nWhen: [date range]\nWhat data was involved: [specific data types]\nWhat we've done: [remediation steps]\nWhat you should do: [password reset, monitor accounts, etc.]\nContact: [security team email/phone]\n\nWe take the security of your data seriously and have [specific improvements].\n\nPhase 7: Security Headers & Browser Security\nRequired HTTP Headers\n# Copy-paste baseline for production:\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nContent-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 
'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'\nX-Content-Type-Options: nosniff\nX-Frame-Options: DENY\nReferrer-Policy: strict-origin-when-cross-origin\nPermissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()\nCross-Origin-Opener-Policy: same-origin\nCross-Origin-Resource-Policy: same-origin\nX-XSS-Protection: 0  # Disabled — CSP handles this; old header can cause issues\n\nCookie Security\nSet-Cookie: session=<token>;\n  Secure;                    # HTTPS only\n  HttpOnly;                  # No JavaScript access\n  SameSite=Lax;              # CSRF protection (Strict if no cross-site navigation needed)\n  Path=/;                    # Scope appropriately\n  Max-Age=3600;              # 1 hour (adjust per use case)\n  Domain=.yourdomain.com;    # Explicit domain\n\nPhase 8: Authentication & Authorization Deep Dive\nPassword Policy (NIST 800-63B aligned)\npassword_policy:\n  minimum_length: 12  # NIST minimum is 8, 12+ recommended\n  maximum_length: 128  # Must support long passwords\n  complexity_rules: false  # NIST says don't require special chars\n  check_against_breached: true  # HaveIBeenPwned API\n  no_password_hints: true\n  no_security_questions: true  # Easy to social engineer\n  allow_paste: true  # For password managers\n  rate_limit_attempts: \"5 per 15 minutes\"\n  lockout_duration: \"progressive (1min, 5min, 15min, 1hr)\"\n  mfa_required: \"all accounts\"\n  mfa_methods:\n    preferred: \"TOTP or WebAuthn/passkeys\"\n    acceptable: \"push notification\"\n    discouraged: \"SMS (SIM swap risk)\"\n  storage: \"Argon2id or bcrypt cost 12+\"\n\nJWT Security Checklist\njwt_security:\n  signing:\n    algorithm: \"RS256 or EdDSA\"  # NEVER HS256 with shared secrets in distributed systems\n    key_rotation: \"quarterly\"\n    verify_algorithm: true  # Reject alg=none\n  claims:\n    exp: \"required — 15 min for access, 7d for refresh\"\n   
 iss: \"required — validate on every request\"\n    aud: \"required — validate matches expected service\"\n    iat: \"required\"\n    jti: \"recommended — for revocation\"\n    nbf: \"recommended\"\n  storage:\n    access_token: \"memory only (never localStorage)\"\n    refresh_token: \"httpOnly secure cookie\"\n  revocation:\n    method: \"token blacklist with Redis TTL matching exp\"\n    on_password_change: \"revoke all tokens\"\n    on_permission_change: \"revoke all tokens\"\n\nOAuth 2.0 / OIDC Checklist\n Use Authorization Code flow with PKCE (never Implicit)\n Validate state parameter to prevent CSRF\n Validate nonce for OIDC to prevent replay\n Validate token issuer and audience\n Store tokens server-side, not in browser\n Implement token rotation for refresh tokens\n Set minimal scopes (principle of least privilege)\n Register exact redirect URIs (no wildcards)\nPhase 9: Security Program Design\nBuilding a Security Program from Scratch\n\nQuarter 1 — Foundation:\n\nWeek 1-2: Asset inventory (what do we have?)\nWeek 3-4: Risk assessment (what matters most?)\nWeek 5-6: Critical controls (authentication, secrets, backups)\nWeek 7-8: Basic scanning (dependencies, secrets in code)\nWeek 9-10: Incident response plan (what if something happens?)\nWeek 11-12: Security awareness basics (phishing, passwords)\n\n\nQuarter 2 — Automation:\n\n- CI/CD security scanning (SAST, dependency audit)\n- Automated secret detection (pre-commit hooks)\n- Centralized logging and basic alerting\n- Access reviews (quarterly)\n- Vulnerability management process\n\n\nQuarter 3 — Maturity:\n\n- Penetration testing (first external assessment)\n- Security architecture review\n- Data classification and handling policies\n- Vendor security assessments\n- Bug bounty program (start small)\n\n\nQuarter 4 — Optimization:\n\n- Compliance framework alignment (SOC 2, ISO 27001)\n- Red team exercise\n- Security metrics dashboard\n- Security champion program (devs with security training)\n- Supply 
chain security (SBOM, signed artifacts)\n\nSecurity Metrics Dashboard\nsecurity_dashboard:\n  vulnerability_management:\n    - open_critical: 0  # Target: always 0\n    - open_high: 0      # Target: < 5\n    - mean_time_to_remediate:\n        critical: \"24h\"  # Target\n        high: \"7d\"\n        medium: \"30d\"\n    - scan_coverage: \"100%\"  # % of repos with automated scanning\n\n  incident_management:\n    - incidents_this_quarter: 0\n    - mean_time_to_detect: \"< 1h\"\n    - mean_time_to_respond: \"< 4h\"\n    - mean_time_to_recover: \"< 24h\"\n\n  access_control:\n    - mfa_adoption: \"100%\"\n    - privileged_accounts: 0  # Count, minimize\n    - stale_accounts: 0       # Accounts unused > 90 days\n    - access_reviews_completed: \"on schedule\"\n\n  code_security:\n    - repos_with_sast: \"100%\"\n    - repos_with_dependency_scanning: \"100%\"\n    - secret_detection_coverage: \"100%\"\n    - security_review_for_critical_changes: \"100%\"\n\n  training:\n    - security_awareness_completion: \"100%\"\n    - phishing_simulation_click_rate: \"< 5%\"\n    - security_champions_per_team: \">= 1\"\n\nPhase 10: Penetration Testing Methodology\nReconnaissance\nPASSIVE (no direct interaction with target):\n1. DNS enumeration: subdomains, MX, TXT, CNAME\n   - Tools: subfinder, amass, crt.sh, dnsdumpster\n2. Technology fingerprinting\n   - Check: Wappalyzer, BuiltWith, HTTP headers\n3. Public exposure\n   - Shodan/Censys for open ports/services\n   - GitHub/GitLab for leaked code/secrets\n   - Wayback Machine for old endpoints\n4. Employee OSINT (for social engineering scope)\n   - LinkedIn for tech stack clues\n   - Job postings reveal internal tools\n\nACTIVE (interacting with target — requires permission):\n1. Port scanning: full TCP + top 1000 UDP\n2. Service enumeration: version detection\n3. Web crawling: sitemap, robots.txt, directory brute-force\n4. 
API discovery: /api, /v1, /graphql, /swagger, /openapi\n\nTesting Phases\n\nPhase 1 — Authentication Testing\n\n- Credential stuffing resistance (rate limiting)\n- Password reset flow (token guessability, expiry, reuse)\n- Account enumeration (different responses for valid/invalid users)\n- Session management (token entropy, fixation, timeout)\n- MFA bypass attempts (backup codes, race conditions)\n- OAuth flow attacks (redirect URI manipulation, scope escalation)\n\n\nPhase 2 — Authorization Testing\n\n- Horizontal privilege escalation (access other users' data)\n- Vertical privilege escalation (user → admin)\n- Missing function-level access control (direct API calls)\n- IDOR on every resource endpoint (change IDs systematically)\n- GraphQL introspection + unauthorized field access\n- Mass assignment (send extra fields in requests)\n\n\nPhase 3 — Injection Testing\n\n- SQL injection on all user inputs (including headers, cookies)\n- XSS (reflected, stored, DOM-based) on all output points\n- Command injection on any server-side execution\n- SSRF on any URL input or file fetch\n- Template injection (if server-side templating)\n- LDAP/XML/XXE injection where applicable\n\n\nPhase 4 — Business Logic Testing\n\n- Price manipulation (change prices in requests)\n- Quantity manipulation (negative numbers, decimals, MAX_INT)\n- Race conditions (concurrent requests for same resource)\n- Workflow bypass (skip steps in multi-step processes)\n- Coupon/discount abuse (reuse, stacking)\n- Rate limit bypass (header rotation, distributed requests)\n\nPenetration Test Report Template\nreport:\n  executive_summary:\n    overall_risk: \"critical|high|medium|low\"\n    critical_findings: 0\n    high_findings: 0\n    medium_findings: 0\n    low_findings: 0\n    key_recommendations:\n      - \"[top 3 fixes by impact]\"\n\n  scope:\n    targets: \"[URLs, IPs, apps tested]\"\n    methodology: \"OWASP Testing Guide v4.2 + PTES\"\n    dates: \"YYYY-MM-DD to YYYY-MM-DD\"\n    type: 
\"black-box|grey-box|white-box\"\n    exclusions: \"[what was out of scope]\"\n\n  findings:\n    - id: \"F-001\"\n      title: \"[descriptive title]\"\n      severity: \"critical|high|medium|low|info\"\n      cvss: 0.0\n      location: \"[URL/endpoint/component]\"\n      description: \"[what the vulnerability is]\"\n      impact: \"[what an attacker could do]\"\n      evidence: \"[screenshots, request/response pairs]\"\n      reproduction_steps:\n        - \"[step by step]\"\n      remediation: \"[specific fix with code examples]\"\n      references:\n        - \"[OWASP, CWE, CVE links]\"\n\n  positive_observations:\n    - \"[security controls that were effective]\"\n\nPhase 11: Supply Chain Security\nDependency Security\nsupply_chain:\n  dependencies:\n    - lock_files: \"always commit (package-lock.json, poetry.lock, go.sum)\"\n    - pin_versions: \"exact versions, not ranges\"\n    - audit_frequency: \"every CI build\"\n    - auto_update: \"Dependabot/Renovate with auto-merge for patch, review for minor/major\"\n    - review_new_deps:\n        check: \"maintainer count, last update, download count, known issues\"\n        rule: \"no single-maintainer deps for critical paths\"\n    - sbom: \"generate SPDX or CycloneDX on every release\"\n\n  build_pipeline:\n    - reproducible_builds: true\n    - artifact_signing: true\n    - build_provenance: true  # SLSA Level 2+\n    - no_curl_pipe_bash: true  # Never pipe internet scripts to shell\n    - verify_checksums: true\n\n  ci_cd:\n    - pin_action_versions: \"use SHA, not tags (actions/checkout@SHA)\"\n    - least_privilege_tokens: true\n    - no_secrets_in_logs: true\n    - protected_branches: true\n    - required_reviews: true\n    - signed_commits: \"recommended\"\n\nPhase 12: Security Scoring Rubric\n\nRate any application/system 0-100:\n\nDimension\tWeight\t0 (Critical)\t5 (Adequate)\t10 (Excellent)\nAuthentication & Access\t20%\tNo auth or default creds\tPassword + basic RBAC\tMFA + ABAC + zero trust\nData 
Protection\t15%\tPlaintext secrets, no encryption\tEncryption at rest + transit\tE2E encryption, key rotation, classification\nVulnerability Management\t15%\tNo scanning, known CVEs\tAutomated scanning, SLAs met\tFull coverage, MTTD < 1h, bug bounty\nInfrastructure Security\t15%\tOpen ports, no firewall\tHardened baseline, least privilege\tZero trust, microsegmentation, IaC\nLogging & Monitoring\t10%\tNo security logging\tCentralized logs, basic alerts\tSIEM, anomaly detection, 24/7 SOC\nIncident Response\t10%\tNo plan\tDocumented plan, tested annually\tAutomated response, < 1h MTTR\nCode Security\t10%\tNo reviews, injection vulns\tSAST in CI, peer review\tFull pipeline, threat modeling, security champions\nSupply Chain\t5%\tNo dependency management\tLock files, automated scanning\tSBOM, signed artifacts, SLSA\n\nScore interpretation:\n\n90-100: Excellent — security is a competitive advantage\n70-89: Good — solid foundation, keep improving\n50-69: Needs work — significant gaps exist\nBelow 50: Critical — stop feature work, fix security\nCommon Mistakes\nSecurity through obscurity — hiding admin panel at /secret-admin is not security\nClient-side only validation — always validate server-side\nTrusting internal networks — assume breach, verify everything\nLogging sensitive data — passwords, tokens, PII in logs = breach waiting to happen\n\"We're too small to be targeted\" — automated attacks don't check company size\nOne-time audit mentality — security is continuous, not a checkbox\nIgnoring security in dev/staging — attackers find your staging environment too\nOver-permissioning for convenience — least privilege, always\nNo backup testing — backups you haven't tested are hopes, not backups\nTreating compliance as security — SOC 2 ≠ secure; it's a starting point\nEdge Cases\nStartup with zero security: Start with Phase 9 Quarter 1 — foundation first\nLegacy application: Focus on network segmentation + WAF + monitoring before code fixes\nMicroservices: Service mesh 
for mTLS, centralized auth (OAuth/OIDC), API gateway\nIoT/embedded: Assume physical access, encrypt firmware, signed updates, minimal attack surface\nMobile apps: Certificate pinning, root/jailbreak detection, binary protection, secure local storage\nServerless: Function-level IAM, no secrets in code, API Gateway throttling, cold start timing attacks\nMulti-tenant SaaS: Tenant isolation verification, noisy neighbor prevention, cross-tenant data leak testing\nNatural Language Commands\n\"Audit security of [project/repo]\" → Full assessment (Phase 1-4)\n\"Threat model [system/feature]\" → STRIDE analysis (Phase 2)\n\"Check OWASP top 10 for [app]\" → Application security review (Phase 3)\n\"Harden [server/container/cloud]\" → Infrastructure checklist (Phase 4)\n\"Create incident response plan\" → IR playbook (Phase 6)\n\"Design security program\" → Phased program build (Phase 9)\n\"Pentest methodology for [target]\" → Testing phases (Phase 10)\n\"Score security of [system]\" → 100-point rubric (Phase 12)\n\"Review auth implementation\" → Auth deep dive (Phase 8)\n\"Check security headers\" → Header audit (Phase 7)\n\"Vulnerability report for [finding]\" → Report template (Phase 5)\n\"Supply chain security review\" → Dependency audit (Phase 11)"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/1kalin/afrexai-cybersecurity-engine",
    "publisherUrl": "https://clawhub.ai/1kalin/afrexai-cybersecurity-engine",
    "owner": "1kalin",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-cybersecurity-engine",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-cybersecurity-engine/agent.md"
  }
}