security-audit

Security Audit Skill

This skill provides a comprehensive framework for security auditing, ensuring that common vulnerabilities are identified and addressed during development and review.

Audit Checklist

1. OWASP Top 10 & Common Vulnerabilities

  • Injection: Check for SQL, Command, or NoSQL injection points. Ensure parameterized queries or proper escaping is used.
  • Broken Access Control: Verify that users cannot access resources outside of their intended permissions.
  • Insecure Design: Evaluate the overall architecture for security flaws.
  • Cryptographic Failures: Ensure sensitive data (passwords, PII) is encrypted at rest and in transit using modern algorithms (e.g., AES-256, TLS 1.3).

2. Dependency Management

  • Vulnerability Scanning: Check for known vulnerabilities in third-party libraries (e.g., using npm audit, pip-audit, or snyk).
  • Outdated Packages: Identify and update significantly outdated dependencies.

3. Authentication & Authorization

  • Credential Management: Ensure passwords are never stored in plain text (use Argon2, bcrypt, or scrypt).
  • Session Management: Verify secure session handling (HttpOnly, Secure, SameSite flags for cookies).
  • MFA/2FA: Check for the implementation or requirement of multi-factor authentication where appropriate.
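
The session-management check above, as an added example that is not part of the original skill: a Python sketch that audits Set-Cookie headers for the HttpOnly, Secure and SameSite flags and returns findings with a severity and a remediation. The sample headers are constructed, and the function names and the severity assigned to each gap are assumptions made for illustration.

```python
# Added example; the severity assigned to each gap is an assumption.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]
# Constructed sample response headers (not from a real application).
SAMPLE_HEADERS = [
    "session=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session_alt=77ab; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; SameSite=None",
    "tracking=1; Path=/; SameSite=None",
]

def parse_set_cookie(header):
    """Return (cookie_name, attrs); attrs maps lowercased names to a value or True."""
    first, *rest = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in rest:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return first.split("=", 1)[0].strip(), attrs

def audit_cookie(header):
    """Return (severity, cookie, issue, remediation) tuples for one header."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(("High", name, "missing Secure",
                         "add Secure so the cookie is only sent over HTTPS"))
    if "httponly" not in attrs:
        findings.append(("Medium", name, "missing HttpOnly",
                         "add HttpOnly unless client script must read the cookie"))
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append(("Medium", name, "missing or invalid SameSite",
                         "set SameSite=Lax or SameSite=Strict explicitly"))
    elif samesite == "none" and "secure" not in attrs:
        findings.append(("High", name, "SameSite=None without Secure",
                         "pair SameSite=None with Secure, or use Lax/Strict"))
    return findings

def audit_headers(headers):
    """Return (findings sorted by severity, cookies with no findings)."""
    per_cookie = [(parse_set_cookie(h)[0], audit_cookie(h)) for h in headers]
    findings = [f for _, result in per_cookie for f in result]
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[0]))
    return findings, [name for name, result in per_cookie if not result]

if __name__ == "__main__":
    findings, clean = audit_headers(SAMPLE_HEADERS)
    print("\n".join("[%s] %s: %s -> %s" % f for f in findings))
    print("Already in place:", ", ".join(clean))
```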

4. Input Validation & Data Handling

  • Sanitization: Validate and sanitize all user-supplied data at the trust boundary.
  • Encoding: Ensure output encoding is used to prevent Cross-Site Scripting (XSS).
  • Secret Management: Confirm that API keys, secrets, and credentials are NOT committed to the repository (use environment variables or secret managers).

Usage Guidelines

When asked to "audit" or "perform a security review":
  1. Systematically go through each category above.
  2. For each finding, categorize it by severity (Critical, High, Medium, Low).
  3. Provide clear remediation steps for every identified issue.
  4. Document any positive security practices already in place.