Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
Add this skill
npx mdskills install sickn33/vulnerability-scanner

Comprehensive security reference with clear threat modeling and OWASP 2025 coverage

---
name: vulnerability-scanner
description: Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
allowed-tools: Read, Glob, Grep, Bash
---

# Vulnerability Scanner

> Think like an attacker, defend like an expert. 2025 threat landscape awareness.

## 🔧 Runtime Scripts

**Execute for automated validation:**

| Script | Purpose | Usage |
|--------|---------|-------|
| `scripts/security_scan.py` | Validate security principles applied | `python scripts/security_scan.py <project_path>` |

## 📋 Reference Files

| File | Purpose |
|------|---------|
| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |

---

## 1. Security Expert Mindset

### Core Principles

| Principle | Application |
|-----------|-------------|
| **Assume Breach** | Design as if attacker already inside |
| **Zero Trust** | Never trust, always verify |
| **Defense in Depth** | Multiple layers, no single point |
| **Least Privilege** | Minimum required access only |
| **Fail Secure** | On error, deny access |

### Threat Modeling Questions

Before scanning, ask:
1. What are we protecting? (Assets)
2. Who would attack? (Threat actors)
3. How would they attack? (Attack vectors)
4. What's the impact? (Business risk)

---

## 2. OWASP Top 10:2025

### Risk Categories

| Rank | Category | Think About |
|------|----------|-------------|
| **A01** | Broken Access Control | Who can access what? IDOR, SSRF |
| **A02** | Security Misconfiguration | Defaults, headers, exposed services |
| **A03** | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
| **A04** | Cryptographic Failures | Weak crypto, exposed secrets |
| **A05** | Injection | User input → system commands |
| **A06** | Insecure Design | Flawed architecture |
| **A07** | Authentication Failures | Session, credential management |
| **A08** | Integrity Failures | Unsigned updates, tampered data |
| **A09** | Logging & Alerting | Blind spots, no monitoring |
| **A10** | Exceptional Conditions 🆕 | Error handling, fail-open states |

### 2025 Key Changes

```
2021 → 2025 Shifts:
├── SSRF merged into A01 (Access Control)
├── A02 elevated (Cloud/Container configs)
├── A03 NEW: Supply Chain (major focus)
├── A10 NEW: Exceptional Conditions
└── Focus shift: Root causes > Symptoms
```

---

## 3. Supply Chain Security (A03)

### Attack Surface

| Vector | Risk | Question to Ask |
|--------|------|-----------------|
| **Dependencies** | Malicious packages | Do we audit new deps? |
| **Lock files** | Integrity attacks | Are they committed? |
| **Build pipeline** | CI/CD compromise | Who can modify? |
| **Registry** | Typosquatting | Verified sources? |

### Defense Principles

- Verify package integrity (checksums)
- Pin versions, audit updates
- Use private registries for critical deps
- Sign and verify artifacts

---

## 4. Attack Surface Mapping

### What to Map

| Category | Elements |
|----------|----------|
| **Entry Points** | APIs, forms, file uploads |
| **Data Flows** | Input → Process → Output |
| **Trust Boundaries** | Where auth/authz checked |
| **Assets** | Secrets, PII, business data |

### Prioritization Matrix

```
Risk = Likelihood × Impact

High Impact + High Likelihood → CRITICAL
High Impact + Low Likelihood → HIGH
Low Impact + High Likelihood → MEDIUM
Low Impact + Low Likelihood → LOW
```

---

## 5. Risk Prioritization

### CVSS + Context

| Factor | Weight | Question |
|--------|--------|----------|
| **CVSS Score** | Base severity | How severe is the vuln? |
| **EPSS Score** | Exploit likelihood | Is it being exploited? |
| **Asset Value** | Business context | What's at risk? |
| **Exposure** | Attack surface | Internet-facing? |

### Prioritization Decision Tree

```
Is it actively exploited (EPSS >0.5)?
├── YES → CRITICAL: Immediate action
└── NO → Check CVSS
    ├── CVSS ≥9.0 → HIGH
    ├── CVSS 7.0-8.9 → Consider asset value
    └── CVSS <7.0 → Schedule for later
```

---

## 6. Exceptional Conditions (A10 - New)

### Fail-Open vs Fail-Closed

| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
|----------|-----------------|---------------------|
| Auth error | Allow access | Deny access |
| Parsing fails | Accept input | Reject input |
| Timeout | Retry forever | Limit + abort |

### What to Check

- Exception handlers that catch-all and ignore
- Missing error handling on security operations
- Race conditions in auth/authz
- Resource exhaustion scenarios

---

## 7. Scanning Methodology

### Phase-Based Approach

```
1. RECONNAISSANCE
   └── Understand the target
       ├── Technology stack
       ├── Entry points
       └── Data flows

2. DISCOVERY
   └── Identify potential issues
       ├── Configuration review
       ├── Dependency analysis
       └── Code pattern search

3. ANALYSIS
   └── Validate and prioritize
       ├── False positive elimination
       ├── Risk scoring
       └── Attack chain mapping

4. REPORTING
   └── Actionable findings
       ├── Clear reproduction steps
       ├── Business impact
       └── Remediation guidance
```

---

## 8. Code Pattern Analysis

### High-Risk Patterns

| Pattern | Risk | Look For |
|---------|------|----------|
| **String concat in queries** | Injection | `"SELECT * FROM " + user_input` |
| **Dynamic code execution** | RCE | `eval()`, `exec()`, `Function()` |
| **Unsafe deserialization** | RCE | `pickle.loads()`, `unserialize()` |
| **Path manipulation** | Traversal | User input in file paths |
| **Disabled security** | Various | `verify=False`, `--insecure` |

### Secret Patterns

| Type | Indicators |
|------|-----------|
| API Keys | `api_key`, `apikey`, high entropy |
| Tokens | `token`, `bearer`, `jwt` |
| Credentials | `password`, `secret`, `key` |
| Cloud | `AWS_`, `AZURE_`, `GCP_` prefixes |

---

## 9. Cloud Security Considerations

### Shared Responsibility

| Layer | You Own | Provider Owns |
|-------|---------|---------------|
| Data | ✅ | ❌ |
| Application | ✅ | ❌ |
| OS/Runtime | Depends | Depends |
| Infrastructure | ❌ | ✅ |

### Cloud-Specific Checks

- IAM: Least privilege applied?
- Storage: Public buckets?
- Network: Security groups tightened?
- Secrets: Using secrets manager?

---

## 10. Anti-Patterns

| ❌ Don't | ✅ Do |
|----------|-------|
| Scan without understanding | Map attack surface first |
| Alert on every CVE | Prioritize by exploitability + asset |
| Ignore false positives | Maintain verified baseline |
| Fix symptoms only | Address root causes |
| Scan once before deploy | Continuous scanning |
| Trust third-party deps blindly | Verify integrity, audit code |

---

## 11. Reporting Principles

### Finding Structure

Each finding should answer:
1. **What?** - Clear vulnerability description
2. **Where?** - Exact location (file, line, endpoint)
3. **Why?** - Root cause explanation
4. **Impact?** - Business consequence
5. **How to fix?** - Specific remediation

### Severity Classification

| Severity | Criteria |
|----------|----------|
| **Critical** | RCE, auth bypass, mass data exposure |
| **High** | Data exposure, privilege escalation |
| **Medium** | Limited scope, requires conditions |
| **Low** | Informational, best practice |

---

> **Remember:** Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"
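
The fail-open and fail-closed rows from section 6 (Exceptional Conditions), as an added Python example that is not part of the skill or its `scripts/security_scan.py`. The `check` callback, `PolicyBackendError` and the retry and deadline limits are hypothetical names and values chosen for illustration.

```python
import json
import time


class PolicyBackendError(Exception):
    """Raised by the (hypothetical) policy backend when it cannot answer."""


def is_allowed_fail_open(check, user, resource):
    # BAD: any backend failure is swallowed and treated as "allowed".
    try:
        return check(user, resource)
    except Exception:
        return True


def is_allowed_fail_closed(check, user, resource, attempts=3, deadline_s=2.0):
    """Deny unless the backend returns exactly True within bounded retries."""
    start = time.monotonic()
    for _ in range(attempts):                      # limit, never retry forever
        if time.monotonic() - start > deadline_s:  # abort once the budget is spent
            break
        try:
            return check(user, resource) is True   # truthy-but-not-True is a deny
        except PolicyBackendError:
            continue                               # transient: retry within the limit
        except Exception:
            return False                           # unexpected error: deny
    return False                                   # retries exhausted: deny


def parse_request(raw: bytes):
    """Reject (return None for) input that fails to parse or has the wrong shape."""
    try:
        doc = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("resource"), str):
        return None
    return doc


def flaky_backend(user, resource):                 # constructed failing backend
    raise PolicyBackendError("policy service timeout")
```
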
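
One way to search for the section 8 high-risk patterns with Python's `ast` module instead of text matching, added here as an example and not taken from the skill's own scanner. The `SAMPLE` source is constructed, and the check covers only the Python forms in the table (`eval`/`exec`, `pickle.loads`, `verify=False`, string concatenation onto a SQL literal).

```python
import ast

DANGEROUS_CALLS = {
    "eval": "dynamic code execution",
    "exec": "dynamic code execution",
    "pickle.loads": "unsafe deserialization",
}
SQL_VERBS = ("select ", "insert ", "update ", "delete ")


def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source, filename="<constructed>"):
    """Return sorted (line, risk) findings for one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in DANGEROUS_CALLS:
                findings.add((node.lineno, DANGEROUS_CALLS[name]))
            for kw in node.keywords:               # e.g. requests.get(..., verify=False)
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.add((node.lineno, "disabled security"))
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            left = node.left                       # "SELECT ..." + <non-literal>
            if (isinstance(left, ast.Constant) and isinstance(left.value, str)
                    and left.value.lower().startswith(SQL_VERBS)
                    and not isinstance(node.right, ast.Constant)):
                findings.add((node.lineno, "string concat in query"))
    return sorted(findings)


# Constructed sample; it is parsed, never imported or executed.
SAMPLE = '''\
import pickle, requests
def handler(user_input, blob, cur):
    cur.execute("SELECT * FROM " + user_input)
    obj = pickle.loads(blob)
    requests.get("https://internal.example", verify=False)
    return eval("1 + 1")
'''
```
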
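
The section 8 Secret Patterns table combined with an entropy test, as an added example that is not the skill's own code. The name indicators come from the table; the 16-character and 3.5 bits-per-character thresholds, the `scan_config` name and the `SAMPLE` lines are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Name indicators taken from the Secret Patterns table.
NAME_HINT = re.compile(
    r"api_?key|token|bearer|jwt|password|secret|key|AWS_|AZURE_|GCP_", re.I)
ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z_][\w.-]*)\s*[:=]\s*["']?([^"'\s#]+)""")
MIN_LEN, MIN_BITS = 16, 3.5   # assumed "high entropy" thresholds; tune per codebase


def shannon_bits(value):
    """Shannon entropy of the string in bits per character."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_config(text):
    """Return (line, name, severity) tuples; the value itself is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value.startswith("$"):      # reference to an env var, not a literal
            continue
        named = bool(NAME_HINT.search(name))
        random_looking = len(value) >= MIN_LEN and shannon_bits(value) >= MIN_BITS
        if named and random_looking:
            findings.append((lineno, name, "high"))
        elif named or random_looking:  # one signal only: needs human review
            findings.append((lineno, name, "review"))
    return findings


# Constructed sample lines; none of these values is a real credential.
SAMPLE = """\
AWS_SECRET_ACCESS_KEY=Zk3vQ9xT7pLm2NwR8sYb4HcJ6dFgA1uE0oKi5VtX
password: changeme
api_key = ${API_KEY}
build_id = 7f3a9c1e5b2d8f4a6c0e9b1d3f5a7c2e
timeout = 30
"""
```

The `build_id` hit is a deliberate false positive: entropy alone also flags hashes, which is why single-signal matches are marked for review and belong in a verified baseline.
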