Comprehensive security audits identifying vulnerabilities, misconfigurations, and best-practice violations across applications, APIs, infrastructure, and data pipelines. Use for OWASP Top 10 reviews, compliance assessments (SOC2, PCI-DSS, HIPAA, GDPR), threat modeling, risk assessment, and hardening.
Instalação
Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.
Comprehensive security audits identifying vulnerabilities, misconfigurations, and best-practice violations across applications, APIs, infrastructure, and data pipelines. Use for OWASP Top 10 reviews, compliance assessments (SOC2, PCI-DSS, HIPAA, GDPR), threat modeling, risk assessment, and hardening.
Scope — assets, data classification, compliance obligations, threat model (pull from loom-threat-model). Define what "in scope" means before touching anything.
Review by layer — app code, APIs, infra/IaC, data pipelines, ML (sections below).
Evidence — every finding cites file:line or config path + a concrete exploit scenario. A finding without a repro is a guess.
Rate — CVSS or Likelihood×Impact; rank most-severe first.
Remediate — specific fix (ideally a diff), not "sanitize inputs".
Run tooling first (loom-security-scan) to clear known-pattern noise, then spend human effort on logic and authorization flaws that scanners miss — that's where audits earn their keep.
No audit trail, secrets in logs, no alerting, tamperable logs
A10
SSRF
Server fetches attacker-controlled URLs → internal/metadata (see below)
For APIs, cross-check the OWASP API Security Top 10 — API1 is BOLA (object-level authz), the single most frequent API defect.
Vulnerability Patterns (wrong → right)
# A03 SQL injection
query = f"SELECT * FROM users WHERE id = {uid}"# ✗ string interpolation
cursor.execute("SELECT * FROM users WHERE id = %s", (uid,)) # ✓ parameterized# A03 Command injection
os.system(f"ping {host}") # ✗
subprocess.run(["ping", "-c", "1", host]) # ✓ arg vector, no shell# A03 XSSreturnf"<h1>Welcome {username}</h1>"# ✗returnf"<h1>Welcome {escape(username)}</h1>"# ✓ context-aware output encoding# A01 Path traversalopen(os.path.join(base, filename)) # ✗ filename="../../etc/passwd"
p = os.path.normpath(os.path.join(base, filename)) # ✓ normalize then confineifnot p.startswith(base + os.sep): raise SecurityError
# A08 Insecure deserialization
pickle.loads(user_input) # ✗ RCE by design
json.loads(user_input) # ✓ data-only format
A10 SSRF — defense is an allowlist, never a blocklist
Any server-side fetch of a user-influenced URL (webhooks, image proxies, PDF renderers, URL previews, importers) can be pointed at internal services or the cloud metadata endpoint 169.254.169.254 to steal IAM credentials.
# ✗ blocklist — bypassed by DNS rebinding, redirects, encoded IPsif host in ("localhost", "127.0.0.1"): reject()
# ✓ allowlist scheme + host; resolve then re-check; forbid redirects to non-allowlistedif scheme notin {"https"} or host notin ALLOWED_HOSTS: reject()
ip = resolve(host)
if ip_is_private(ip) or host notin ALLOWED_HOSTS: reject() # re-check post-DNS (rebinding)
fetch(url, allow_redirects=False, timeout=5)
Blocklists miss: DNS-rebinding, HTTP→internal redirects, IPv6 ([::1], [::ffff:127.0.0.1]), and decimal/octal/hex IP encodings (http://2130706433/ = 127.0.0.1). Enforce IMDSv2 on AWS so a bare SSRF can't read credentials.
Access-control (IDOR/BOLA), timing-safe secret comparison, JWT algorithm confusion, and password-hash choice (argon2id, bcrypt 72-byte truncation) are covered with wrong-vs-right in loom-auth — audit against that checklist rather than duplicating here. Runtime secret leakage (argv/ps, env inheritance, logs/stack traces) is in loom-security-scan.
Infrastructure & Cloud
IAM — least privilege; no *:*; audit privilege-escalation paths (pass-role, policy-attach); no long-lived keys where roles work.
Storage — no public buckets/blobs; encryption at rest (KMS-managed keys, not hardcoded); block public ACLs org-wide.
Network — no 0.0.0.0/0 on 22/3389/DB ports; segment; security-group minimalism.
Metadata — IMDSv2 required (SSRF hardening).
Containers — non-root, read-only rootfs, drop capabilities, no --privileged, no secrets in image layers/env; scan images (loom-security-scan).
K8s — RBAC least-privilege, NetworkPolicies default-deny, Pod Security Standards (restricted), etcd encryption, no automountServiceAccountToken unless needed.
IaC — scan Terraform/CFN with tfsec/checkov (loom-security-scan); review before apply.
Handy audit probes (tool details in loom-security-scan):
aws s3api get-bucket-policy-status --bucket B # public?
aws ec2 describe-security-groups \
--query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]]"
kubectl get networkpolicies -A # gaps = flat network
Map findings to CWE/CVE/OWASP IDs so they're deduplicable and trackable.
Compliance (essentials)
SOC2 — access control (MFA, quarterly access reviews, least privilege), encryption at rest/transit, monitoring/SIEM + alerting, incident-response runbooks, change management. It's controls + evidence.
PCI-DSS — never store CAV2/CVC2/PIN; encrypt PAN, mask to last-4 in UI/logs; segment the CDE; audit trails for all cardholder-data access; quarterly scans + annual pentest.