菜单
Defend before attackers find the gaps - OWASP, STRIDE, and Microsoft SFI
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Create and maintain ASCII visual dashboards for project tracking with parallel lane progress bars
Store and manage voice samples for TTS cloning — portable, version-controlled audio references
Clear documentation through visual excellence
AI music generation via Replicate — 5 models for background tracks, lyrics, and sound design
Practitioner methodology for longitudinal case study research, evidence-based documentation, and publication-ready academic writing in AI-assisted development.
First impressions matter. Set projects up for success.
| name | security-review |
| description | Defend before attackers find the gaps - OWASP, STRIDE, and Microsoft SFI |
| tier | core |
| applyTo | **/*security*,**/*auth*,**/*password*,**/*token*,**/*credential*,**/*vulnerability*,**/*CVE*,**/*secret* |
Defend before attackers find the gaps.
Security practices evolve with new threats, vulnerabilities, and industry standards.
Refresh triggers:
Last validated: February 2026
Check current state: Microsoft SFI, OWASP, CVE Database
Security is not a feature—it's a property. Review code with adversarial thinking.
Microsoft's approach to security-first development:
| Principle | Focus |
|---|---|
| Secure by Design | Security comes first when designing any product or service |
| Secure by Default | Protections enabled/enforced by default, require no extra effort, not optional |
| Secure Operations | Security controls and monitoring continuously improved for current/future threats |
Satya's Mandate (May 2024): "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security."
Four foundations that underpin successful security operations:
| Foundation | Description |
|---|---|
| Security-first Culture | Daily behaviors reinforced through regular meetings between engineering and SFI leaders |
| Security Governance | Framework led by CISO, partnering with engineering teams to oversee SFI and manage risks |
| Continuous Improvement | Growth mindset integrating feedback and learnings from incidents into standards |
| Paved Paths & Standards | Best practices that optimize productivity, compliance, and security at scale |
| Pillar | Focus |
|---|---|
| Protect Identities & Secrets | Best-in-class standards for identity/secrets infrastructure, phishing-resistant MFA |
| Protect Tenants & Isolate Systems | Tenant isolation and production system protection |
| Protect Networks | Network security and segmentation |
| Protect Engineering Systems | Secure development infrastructure and CI/CD |
| Monitor & Detect Cyberthreats | Continuous threat monitoring and detection |
| Accelerate Response & Remediation | Fast incident response and recovery |
Before coding:
// Bad: Optional security
createServer({ https: false, cors: '*' });
// Good: Secure by default
createServer({
https: true,
cors: ['https://trusted.com'],
helmet: true
});
Principle of Least Privilege:
// Bad: Admin access by default
const user = { role: 'admin', permissions: ['*'] };
// Good: Minimum permissions
const user = { role: 'viewer', permissions: ['read:own'] };
Input Validation:
// Validate and sanitize ALL input
function processInput(input: unknown) {
const validated = schema.parse(input); // Zod, Joi, etc.
const sanitized = sanitize(validated);
return sanitized;
}
| # | Vulnerability | What to Check | Prevention |
|---|---|---|---|
| 1 | Broken Access Control | Check permissions on every request | Authorization on all routes |
| 2 | Cryptographic Failures | Use strong, modern crypto | TLS 1.2+, proper key management |
| 3 | Injection | SQL, NoSQL, LDAP, OS commands | Parameterized queries, no string concat |
| 4 | Insecure Design | Threat modeling, secure patterns | STRIDE analysis pre-implementation |
| 5 | Security Misconfiguration | Secure defaults, remove unused features | Hardened configs, no default passwords |
| 6 | Vulnerable Components | Dependency scanning, updates | npm audit, regular updates |
| 7 | Auth Failures | MFA, secure session management | Strong passwords, session timeout |
| 8 | Data Integrity | Signatures, checksums | Tamper detection |
| 9 | Logging Failures | Comprehensive audit logging | Monitor security events |
| 10 | SSRF | Allowlist URLs, validate requests | Input validation, URL allowlisting |
| Threat | Question | Mitigation |
|---|---|---|
| Spoofing | Can attacker impersonate? | Strong authentication, phishing-resistant MFA |
| Tampering | Can data be modified? | Integrity checks, signatures, checksums |
| Repudiation | Can actions be denied? | Audit logging, non-repudiation mechanisms |
| Information Disclosure | Can secrets leak? | Encryption at rest/transit, access control |
| Denial of Service | Can system be overwhelmed? | Rate limiting, quotas, redundancy |
| Elevation of Privilege | Can attacker gain access? | Least privilege, authorization checks |
□ Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
□ No hardcoded credentials
□ Session tokens are random, rotated, and expire
□ Failed login attempts are rate-limited
□ MFA supported where appropriate
□ Every endpoint has explicit access control
□ No security through obscurity (hidden URLs)
□ Resource ownership verified before access
□ Admin functions require elevated auth
□ Deny by default, allow explicitly
□ All input validated on server (not just client)
□ Allowlist validation preferred over blocklist
□ File uploads restricted by type and size
□ URL redirects validated against allowlist
□ JSON/XML parsing has size limits
□ Sensitive data encrypted at rest
□ TLS 1.2+ for data in transit
□ API keys/secrets in env vars, not code
□ PII minimized and retention limited
□ Logs don't contain passwords/tokens/PII
□ npm audit / pip audit / cargo audit clean
□ No deprecated or unmaintained packages
□ Dependabot or Renovate enabled
□ Lock files committed
□ Known CVE check before release
// NEVER
const apiKey = 'sk-1234567890abcdef';
// ALWAYS
const apiKey = process.env.API_KEY;
// Or: Azure Key Vault, AWS Secrets Manager, etc.
| Credential Type | Rotation Period |
|---|---|
| API Keys | 90 days |
| Service Passwords | 90 days |
| Certificates | 1 year |
| User Passwords | User discretion + breach response |
If secrets accidentally committed:
git filter-branch or BFG# npm
npm audit
npm audit fix
# Check for outdated
npm outdated
| Severity | Response Time |
|---|---|
| Critical | 24-48 hours |
| High | 1 week |
| Medium | 2 weeks |
| Low | Next release |
🚩 eval(), exec(), dangerouslySetInnerHTML
🚩 String concatenation in queries
🚩 Disabled security features
🚩 Overly permissive CORS
🚩 Secrets in code or config files
🚩 Missing rate limiting
🚩 Verbose error messages
| Language | Watch For |
|---|---|
| JavaScript | Prototype pollution, eval(), innerHTML |
| TypeScript | Type assertions bypassing validation |
| Python | pickle deserialization, format strings |
| SQL | String concatenation in queries |
| Shell | Command injection, unquoted variables |
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 0 (deprecated, use CSP)
Before shipping, ask:
When vulnerability found:
See incident-response for full IR workflow.