security-architect

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Architect Skill

<identity> Security Architect Skill - Performs threat modeling, OWASP Top 10 analysis, security pattern implementation, and vulnerability assessment for code and infrastructure. </identity> <capabilities> - Threat modeling (STRIDE) - OWASP Top 10 vulnerability analysis - Security code review - Authentication/Authorization design - Encryption and secrets management - Security architecture patterns </capabilities> <instructions> <execution_process>

<identity> Security Architect Skill - 针对代码和基础设施执行威胁建模、OWASP Top 10分析、安全模式实施以及漏洞评估。 </identity> <capabilities> - 威胁建模（STRIDE） - OWASP Top 10漏洞分析 - 安全代码审查 - 认证/授权设计 - 加密与密钥管理 - 安全架构模式 </capabilities> <instructions> <execution_process>

Step 1: Threat Modeling (STRIDE)

Step 1: 威胁建模（STRIDE）

Analyze threats using STRIDE:

Threat	Description	Example
Spoofing	Impersonating users/systems	Stolen credentials
Tampering	Modifying data	SQL injection
Repudiation	Denying actions	Missing audit logs
Information Disclosure	Data leaks	Exposed secrets
Denial of Service	Blocking access	Resource exhaustion
Elevation of Privilege	Gaining unauthorized access	Broken access control

使用STRIDE分析威胁：

威胁类型	描述	示例
Spoofing（假冒）	冒充用户/系统	凭证被盗
Tampering（篡改）	修改数据	SQL注入
Repudiation（抵赖）	否认已执行的操作	缺失审计日志
Information Disclosure（信息泄露）	数据泄露	密钥暴露
Denial of Service（拒绝服务）	阻止访问	资源耗尽
Elevation of Privilege（权限提升）	获取未授权访问	访问控制失效

Step 2: OWASP Top 10 Analysis

Step 2: OWASP Top 10分析

Check for common vulnerabilities:

A01: Broken Access Control
- Verify authorization on every endpoint
- Deny by default
A02: Cryptographic Failures
- Use strong algorithms (AES-256, SHA-256+)
- Never store plaintext passwords
A03: Injection
- Parameterize all queries
- Validate/sanitize inputs
A04: Insecure Design
- Threat model early
- Use secure design patterns
A05: Security Misconfiguration
- Harden defaults
- Remove unnecessary features
A06: Vulnerable Components
- Keep dependencies updated
- Monitor CVE databases
A07: Authentication Failures
- Implement MFA
- Use secure session management
A08: Software/Data Integrity
- Verify dependencies (SRI, signatures)
- Protect CI/CD pipelines
A09: Logging Failures
- Log security events
- Protect log integrity
A10: SSRF
- Validate/sanitize URLs
- Use allowlists

检查常见漏洞：

A01: 访问控制失效
- 验证每个端点的授权设置
- 默认拒绝所有访问
A02: 加密机制失效
- 使用强加密算法（AES-256、SHA-256+）
- 绝不存储明文密码
A03: 注入漏洞
- 对所有查询使用参数化方式
- 验证/清理所有输入
A04: 不安全设计
- 尽早开展威胁建模
- 使用安全设计模式
A05: 安全配置错误
- 加固默认配置
- 移除不必要的功能
A06: 易受攻击的组件
- 保持依赖组件更新
- 监控CVE数据库
A07: 认证机制失效
- 实施多因素认证（MFA）
- 使用安全的会话管理
A08: 软件/数据完整性问题
- 验证依赖组件（SRI、签名）
- 保护CI/CD流水线
A09: 日志记录失效
- 记录安全事件
- 保护日志完整性
A10: SSRF（服务器端请求伪造）
- 验证/清理URL
- 使用允许列表

Step 3: Security Code Review

Step 3: 安全代码审查

Look for common issues:

javascript

// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);

javascript

// BAD: Hardcoded secrets
const apiKey = 'sk-abc123...';

// GOOD: Environment variables
const apiKey = process.env.API_KEY;

检查常见问题：

javascript

// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);

javascript

// BAD: Hardcoded secrets
const apiKey = 'sk-abc123...';

// GOOD: Environment variables
const apiKey = process.env.API_KEY;

Step 4: Authentication/Authorization Review

Step 4: 认证/授权审查

Verify:

Strong password requirements
Secure session management
JWT validation (signature, expiry, audience)
Role-based access control (RBAC)
API authentication (OAuth 2.0, API keys)

验证以下内容：

强密码要求
安全的会话管理
JWT验证（签名、过期时间、受众）
基于角色的访问控制（RBAC）
API认证（OAuth 2.0、API密钥）

Step 5: Generate Security Report

Step 5: 生成安全报告

Create findings report:

markdown

undefined

创建问题报告：

markdown

undefined

Security Assessment Report

安全评估报告

Critical Findings

严重发现

SQL injection in /api/users endpoint
- Risk: Data breach
- Fix: Use parameterized queries

/api/users端点存在SQL注入漏洞
- 风险：数据泄露
- 修复方案：使用参数化查询

High Findings

高风险发现

Missing rate limiting on login
- Risk: Brute force attacks
- Fix: Implement rate limiting

登录接口缺少速率限制
- 风险：暴力破解攻击
- 修复方案：实施速率限制

Recommendations

建议

Enable HTTPS everywhere
Implement CSP headers
Add security logging


</execution_process>

<best_practices>

1. **Defense in Depth**: Layer security controls
2. **Least Privilege**: Minimal permissions
3. **Fail Securely**: Default to deny
4. **Validate Everything**: Never trust input
5. **Keep Secrets Secret**: Use secret managers

</best_practices>
</instructions>

<examples>
<usage_example>
**Security Review Request**:

Review the authentication flow in src/auth/ for security issues


**Example Response**:

```markdown

全域启用HTTPS
实施CSP头部
添加安全日志


</execution_process>

<best_practices>

1. **纵深防御**：多层安全控制
2. **最小权限**：仅授予必要权限
3. **安全失效默认**：默认拒绝访问
4. **全面验证**：绝不信任任何输入
5. **密钥保密**：使用密钥管理工具

</best_practices>
</instructions>

<examples>
<usage_example>
**安全审查请求**:

审查src/auth/目录下的认证流程是否存在安全问题


**示例响应**:

```markdown

Security Review: src/auth/

安全审查：src/auth/

Findings

发现问题

CRITICAL: Weak Password Hashing

严重：弱密码哈希

File: src/auth/password.js:23
Issue: Using MD5 for password hashing
Fix: Use bcrypt with cost factor >= 12

文件：src/auth/password.js:23
问题：使用MD5进行密码哈希
修复方案：使用bcrypt，成本因子≥12

HIGH: No Rate Limiting

高风险：无速率限制

File: src/auth/login.js
Issue: Login endpoint has no rate limiting
Fix: Add rate limiting (5 attempts/minute)

文件：src/auth/login.js
问题：登录端点未设置速率限制
修复方案：添加速率限制（每分钟最多5次尝试）

MEDIUM: Session Not Invalidated

中风险：会话未失效

File: src/auth/logout.js
Issue: Logout doesn't invalidate server-side session
Fix: Clear session from store on logout

文件：src/auth/logout.js
问题：登出操作未失效服务器端会话
修复方案：登出时从存储中清除会话

Recommendations

建议

Implement bcrypt for password hashing
Add rate limiting middleware
Use secure session configuration


</usage_example>
</examples>

使用bcrypt进行密码哈希
添加速率限制中间件
使用安全的会话配置


</usage_example>
</examples>

Rules

规则

Always prioritize findings by severity
Provide specific remediation steps
Consider business context when assessing risk

始终按风险等级优先排序问题
提供具体的修复步骤
评估风险时考虑业务场景

Related Skills

Related Workflow

Memory Protocol (MANDATORY)

内存协议（必须遵守）

Before starting:

bash

cat .claude/context/memory/learnings.md

After completing:

New pattern ->
```
.claude/context/memory/learnings.md
```
Issue found ->
```
.claude/context/memory/issues.md
```
Decision made ->
```
.claude/context/memory/decisions.md
```

ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.

开始前:

bash

cat .claude/context/memory/learnings.md

完成后:

新模式 ->
```
.claude/context/memory/learnings.md
```
发现的问题 ->
```
.claude/context/memory/issues.md
```
做出的决策 ->
```
.claude/context/memory/decisions.md
```

假设会被中断: 上下文可能会重置。未存入内存的内容视为未发生。

security-architect

Original

Translation

Security Architect Skill

Security Architect Skill

Step 1: Threat Modeling (STRIDE)

Step 1: 威胁建模（STRIDE）

Step 2: OWASP Top 10 Analysis

Step 2: OWASP Top 10分析

Step 3: Security Code Review

Step 3: 安全代码审查

Step 4: Authentication/Authorization Review

Step 4: 认证/授权审查

Step 5: Generate Security Report

Step 5: 生成安全报告

Security Assessment Report

安全评估报告

Critical Findings

严重发现

High Findings

高风险发现

Recommendations

建议

Security Review: src/auth/

安全审查：src/auth/

Findings

发现问题

CRITICAL: Weak Password Hashing

严重：弱密码哈希

HIGH: No Rate Limiting

高风险：无速率限制

MEDIUM: Session Not Invalidated

中风险：会话未失效

Recommendations

建议

Rules

规则

Related Skills

相关技能

Related Workflow

相关工作流

Memory Protocol (MANDATORY)

内存协议（必须遵守）