security-review
보안, 보안 리뷰, 보안 검토, 취약점, 보안 분석 - Use when reviewing code for security vulnerabilities, designing authentication/authorization, or ensuring secure architecture. Provides systematic security analysis based on OWASP guidelines.
When & Why to Use This Skill
The Security Review skill is a comprehensive security auditing tool designed to perform systematic vulnerability assessments and code reviews. By leveraging OWASP Top 10 guidelines and Zero Trust principles, it helps developers identify critical flaws, design secure authentication systems, and ensure robust architectural integrity across the software development lifecycle.
Use Cases
- Automated Vulnerability Scanning: Systematically auditing source code to detect OWASP Top 10 risks such as SQL injection, broken access control, and cryptographic failures.
- Secure Architecture Design: Providing expert recommendations for designing multi-layer defense mechanisms, including RBAC/ABAC authorization models and JWT-based authentication.
- Sensitive Data Flow Analysis: Mapping and tracing how sensitive information is handled, stored, and transmitted to ensure compliance with data protection standards.
- Pre-deployment Security Checklists: Executing a final security verification phase to classify risks by severity and ensure all security configurations are hardened before production.
| name | security-review |
|---|---|
| description | "보안, 보안 리뷰, 보안 검토, 취약점, 보안 분석 - Use when reviewing code for security vulnerabilities, designing authentication/authorization, or ensuring secure architecture. Provides systematic security analysis based on OWASP guidelines." |
| allowed-tools | Read, Write, Grep, Glob, Bash, WebSearch |
Security Review Skill
Systematic workflow for security review and vulnerability analysis.
When to Use
- Reviewing code for security vulnerabilities
- Designing authentication/authorization systems
- Establishing sensitive data handling practices
- Pre-deployment security checklist verification
The Process
Phase 1: Security Scope Assessment
Codebase Analysis:
- Identify authentication/authorization code
- Map external input handling points
- Trace sensitive data flow
- Check external API integration points
Attack Surface Definition:
- User input: forms, URL params, headers
- File uploads: type, size, storage location
- API endpoints: public/private, auth requirements
- Database: query generation methods
Phase 2: OWASP Top 10 Check
Perform systematic check against OWASP Top 10 (2021):
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable Components
- A07: Authentication Failures
- A08: Data Integrity Failures
- A09: Logging Failures
- A10: SSRF
For detailed checklist, code patterns, and search queries:
Read OWASP-CHECKLIST.md in this skill directory.
Phase 3: Vulnerability Report
Severity Classification:
| Level | Description | Response Time |
|---|---|---|
| 🔴 Critical | Immediately exploitable, severe impact | Within 24h |
| 🟠 High | Exploitable, significant impact | Within 1 week |
| 🟡 Medium | Conditional exploit, limited impact | Within 1 month |
| 🟢 Low | Hard to exploit, minimal impact | Next release |
Phase 4: Security Design Recommendations
Provide recommendations for:
- Authentication design (JWT, session management)
- Authorization model (RBAC, ABAC)
- Data encryption strategies
- Secure coding practices
Key Principles
- Zero Trust: Never trust any input
- Defense in Depth: Multi-layer defense
- Least Privilege: Minimum required permissions
- Fail Secure: Safe state on failure
- Security by Design: Consider security from design phase
Detailed Reference
For OWASP checklist, vulnerable code patterns, search queries, and report templates:
Read OWASP-CHECKLIST.md in this skill directory.