Security Engineering
Threat-aware code review. Vulnerability detection. Risk-ranked remediation.
<when_to_use>
- Security audits and code reviews
- Authentication/authorization review
- Input validation and sanitization checks
- Cryptographic implementation review
- Dependency and supply chain security
- Threat modeling for new features
NOT for: performance optimization, general code review, feature implementation
</when_to_use>
<stages>
Load the maintain-tasks skill for stage tracking. Each stage feeds the next.
| Stage | Trigger | activeForm |
|---|---|---|
| Threat Model | Session start | "Building threat model" |
| Attack Surface | Model complete | "Mapping attack surface" |
| Vulnerability Scan | Surface mapped | "Scanning for vulnerabilities" |
| Risk Assessment | Vulns identified | "Assessing risk levels" |
| Remediation Plan | Risks assessed | "Planning remediation" |
Critical findings: add urgent remediation task immediately.
</stages>
<severity_levels>
CVSS-aligned severity for findings:
| Severity | CVSS | Examples |
|---|---|---|
| Critical | 9.0-10.0 | RCE, auth bypass, mass data exposure, admin privesc |
| High | 7.0-8.9 | SQLi, stored XSS, auth weakness, sensitive data leak |
| Medium | 4.0-6.9 | CSRF, reflected XSS, info disclosure, weak crypto |
| Low | 0.1-3.9 | Misconfig, missing headers, verbose errors |
Format: "Critical RCE via unsanitized shell command"
</severity_levels>
<threat_modeling>
STRIDE Framework
Systematic threat identification by category:
| Threat | Question | Check |
|---|---|---|
| Spoofing | Can attacker impersonate? | Auth mechanisms, tokens, sessions, API keys |
| Tampering | Can attacker modify data? | Input validation, integrity checks, DB access |
| Repudiation | Can actions be denied? | Audit logs, signatures, timestamps |
| Info Disclosure | Can attacker access secrets? | Encryption, access control, logging |
| Denial of Service | Can attacker disrupt? | Rate limits, timeouts, input size |
| Elevation | Can attacker gain access? | Authz checks, RBAC, least privilege |
Attack Trees
Map paths from attacker goal to entry points:
Goal: Steal credentials
- Attack login
  - SQLi in username
  - Brute force (no rate limit)
  - Session fixation
- Intercept traffic
  - HTTPS downgrade
  - MITM
- Exploit reset
  - Predictable token
  - No expiry
For each branch assess: feasibility, impact, detection, current defenses.
Trust Boundaries
Identify where data crosses trust levels:
- Browser to server
- Server to database
- Service to third-party API
- Internal service to service
Every boundary needs validation.
</threat_modeling>
<attack_surface>
Entry Points
External:
- HTTP/API endpoints (REST, GraphQL, gRPC)
- WebSocket connections
- File uploads
- OAuth/SAML flows
- Webhooks
Data Inputs:
- User data (forms, query params, headers)
- File content (type, size, payload)
- API payloads (JSON, XML)
- Database queries
Auth Boundaries:
- Public (no auth)
- Authenticated
- Admin/privileged
- Service-to-service
Prioritize Review
- Unauthenticated external inputs
- Privileged operations
- Data persistence layers
- Third-party integrations
For each entry point document:
- Auth required? (none/user/admin)
- Input validated? (none/basic/strict)
- Rate limited?
- Logged?
- Encrypted?
</attack_surface>
<vulnerability_patterns>
Quick Reference
| Vulnerability | Vulnerable | Secure |
|---|---|---|
| SQL Injection | String concat in query | Parameterized queries |
| XSS | innerHTML with user data | textContent or DOMPurify |
| Command Injection | exec() with user input | execFile() with array |
| Path Traversal | Direct path concat | basename + prefix check |
| Weak Password | MD5/SHA1/plain | bcrypt (12+) or argon2 |
| Predictable Token | Math.random/Date.now | crypto.randomBytes(32) |
| Broken Auth | Client-side role check | Server-side every request |
| IDOR | No ownership check | Verify user owns resource |
| Hardcoded Secret | API key in code | Environment variable |
| Info Leak | Stack trace to user | Generic error, log detail |
Critical Checks
Authentication:
- Passwords: bcrypt/argon2, cost 12+
- Sessions: crypto.randomBytes(32), httpOnly, secure, sameSite
- JWT: verify signature, specify algorithm, short expiry
- Reset: random token, 1hr expiry, hash stored token
Authorization:
- Server-side on every request
- Verify ownership before resource access
- Explicit allowlist for mass assignment
- No role elevation from client input
Input Validation:
- Type, length, format on all inputs
- Parameterized queries (never concat)
- Escape/sanitize HTML output
- Validate file uploads (type, size, content)
Cryptography:
- AES-256-GCM, SHA-256+
- Never MD5, SHA1, DES, ECB
- Secrets from env, never hardcoded
- crypto.randomBytes for all tokens
See vulnerability-patterns.md for code examples.
</vulnerability_patterns>
<owasp_top_10>
2021 OWASP Top 10 categories. Check each during vulnerability scan.
| # | Category | Key CWEs | Top Mitigations |
|---|---|---|---|
| A01 | Broken Access Control | 200, 352, 639 | Server-side checks, ownership validation |
| A02 | Cryptographic Failures | 259, 327, 331 | TLS, bcrypt, no hardcoded secrets |
| A03 | Injection | 20, 79, 89 | Parameterized queries, input validation |
| A04 | Insecure Design | 209, 256, 434 | Threat modeling, rate limiting |
| A05 | Security Misconfiguration | 16, 611, 614 | Security headers, disable debug |
| A06 | Vulnerable Components | 1035, 1104 | npm audit, Dependabot |
| A07 | Auth Failures | 287, 307, 521 | Strong passwords, MFA, rate limiting |
| A08 | Integrity Failures | 502, 494 | Verify signatures, schema validation |
| A09 | Logging Failures | 117, 532, 778 | Audit logs, redact sensitive data |
| A10 | SSRF | 918 | URL allowlist, block private IPs |
See owasp-top-10.md for detailed breakdowns with code examples.
</owasp_top_10>
<workflow>
Loop: Model Threats -> Map Surface -> Scan Vulnerabilities -> Assess Risk -> Plan Remediation
1. Threat Model
   - STRIDE analysis for component
   - Attack trees for critical paths
   - Identify trust boundaries
   - Document threat actors
2. Attack Surface
   - Inventory all inputs
   - Classify by auth level
   - Map data flows across boundaries
   - Prioritize high-risk entry points
3. Vulnerability Scan
   - Check each entry against OWASP Top 10
   - Review auth/authz
   - Validate input handling
   - Check crypto usage
   - Scan deps: `npm audit`, `cargo audit`
4. Risk Assessment
   - Rate severity (Critical/High/Medium/Low)
   - Consider exploitability
   - Assess impact (CIA triad)
   - Calculate risk score
5. Remediation Plan
   - Critical: immediate action
   - High: fix before release
   - Medium: schedule in sprint
   - Low: backlog or accept
Update todos as you progress. Use review-checklist.md for verification.
</workflow>
<reporting>
Finding Format
```markdown
{SEVERITY} {VULN_NAME}
Category: {OWASP} | CWE: {ID} | File: {PATH}:{LINES}
Issue
{CLEAR_EXPLANATION}
Impact
{WHAT_ATTACKER_COULD_DO}
Fix
{SPECIFIC_REMEDIATION_WITH_CODE}
```
Summary Format
```markdown
Security Audit: {SCOPE}
| Severity | Count |
|---|---|
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
Key Findings
- {TOP_CRITICAL}
- {SECOND}
- {THIRD}
Recommendations
- Immediate: {CRITICAL_FIXES}
- Short-term: {HIGH_MEDIUM}
- Long-term: {HARDENING}
```
See [report-templates.md](references/report-templates.md) for full templates.
</reporting>
<rules>
ALWAYS:
- Start with threat modeling before code review
- Map complete attack surface
- Check against all OWASP Top 10 categories
- Use severity indicators consistently
- Provide specific remediation with code
- Verify fixes don't introduce new vulnerabilities
- Document security assumptions
- Update todos when transitioning stages
NEVER:
- Skip threat modeling for "simple" features
- Assume input is trustworthy
- Rely on client-side security
- Use deprecated crypto (MD5, SHA1, DES)
- Log sensitive data
- Disable security checks "temporarily"
- Mark complete without remediation plan
</rules>
<references>
**Deep dives**:
- [vulnerability-patterns.md](references/vulnerability-patterns.md) - secure vs vulnerable code examples
- [owasp-top-10.md](references/owasp-top-10.md) - detailed OWASP categories with CWE mappings
- [review-checklist.md](references/review-checklist.md) - complete security review checklist
- [report-templates.md](references/report-templates.md) - finding and audit report templates
**Related skills**:
- codebase-recon - evidence-based investigation foundation
- debugging - when security issues manifest as bugs
**External**:
- [OWASP Top 10](https://owasp.org/Top10/)
- [CWE Database](https://cwe.mitre.org/)
- [OWASP Cheat Sheets](https://cheatsheetseries.owasp.org/)
</references>