Back to Details

security-scanning-security-hardening

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese
Implement comprehensive security hardening with defense-in-depth strategy through coordinated multi-agent orchestration:
[Extended thinking: This workflow implements a defense-in-depth security strategy across all application layers. It coordinates specialized security agents to perform comprehensive assessments, implement layered security controls, and establish continuous security monitoring. The approach follows modern DevSecOps principles with shift-left security, automated scanning, and compliance validation. Each phase builds upon previous findings to create a resilient security posture that addresses both current vulnerabilities and future threats.]
通过协调多Agent编排,采用纵深防御策略实施全面的安全加固:
[扩展思考:此工作流在所有应用层实施纵深防御安全策略。它协调专业安全Agent执行全面评估,实施分层安全控制,并建立持续安全监控。该方法遵循现代DevSecOps原则,包含左移安全、自动化扫描和合规验证。每个阶段都基于之前的发现,构建能够应对当前漏洞和未来威胁的弹性安全态势。]

Use this skill when

适用场景

  • Running a coordinated security hardening program
  • Establishing defense-in-depth controls across app, infra, and CI/CD
  • Prioritizing remediation from scans and threat modeling
  • 运行协调式安全加固项目时
  • 在应用、基础设施和CI/CD中建立纵深防御控制时
  • 优先处理扫描和威胁建模得出的整改任务时

Do not use this skill when

不适用场景

  • You only need a quick scan without remediation work
  • You lack authorization for security testing or changes
  • The environment cannot tolerate invasive security controls
  • 仅需快速扫描而无需整改工作时
  • 未获得安全测试或变更授权时
  • 环境无法承受侵入式安全控制时

Instructions

操作步骤

  1. Execute Phase 1 to establish a security baseline.
  2. Apply Phase 2 remediations for high-risk issues.
  3. Implement Phase 3 controls and validate defenses.
  4. Complete Phase 4 validation and compliance checks.
  1. 执行第一阶段,建立安全基线。
  2. 应用第二阶段的整改措施,解决高风险问题。
  3. 实施第三阶段的控制措施并验证防御效果。
  4. 完成第四阶段的验证与合规检查。

Safety

安全注意事项

  • Avoid intrusive testing in production without approval.
  • Ensure rollback plans exist before hardening changes.
  • 未经批准,请勿在生产环境中进行侵入式测试。
  • 在进行加固变更前,确保存在回滚计划。

Phase 1: Comprehensive Security Assessment

第一阶段:全面安全评估

1. Initial Vulnerability Scanning

1. 初始漏洞扫描

  • Use Task tool with subagent_type="security-auditor"
  • Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
  • Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
  • Context: Initial baseline for all remediation efforts
  • 使用Task工具,设置subagent_type="security-auditor"
  • 提示语:"对$ARGUMENTS执行全面安全评估。使用Semgrep/SonarQube进行SAST分析,使用OWASP ZAP进行DAST扫描,使用Snyk/Trivy进行依赖项审计,使用GitLeaks/TruffleHog进行密钥检测。生成SBOM用于供应链分析。识别OWASP Top 10漏洞、CWE弱点和CVE暴露。"
  • 输出结果:包含CVSS评分、可利用性分析、攻击面映射、密钥暴露报告、SBOM清单的详细漏洞报告
  • 背景:为所有整改工作提供初始基线

2. Threat Modeling and Risk Analysis

2. 威胁建模与风险分析

  • Use Task tool with subagent_type="security-auditor"
  • Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
  • Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
  • Context: Uses vulnerability scan results to inform threat priorities
  • 使用Task工具,设置subagent_type="security-auditor"
  • 提示语:"使用STRIDE方法论对$ARGUMENTS进行威胁建模。分析攻击向量,创建攻击树,评估已识别漏洞的业务影响。将威胁映射到MITRE ATT&CK框架。根据可能性和影响对风险进行优先级排序。"
  • 输出结果:威胁模型图、带有优先级漏洞的风险矩阵、攻击场景文档、业务影响分析
  • 背景:利用漏洞扫描结果确定威胁优先级

3. Architecture Security Review

3. 架构安全评审

  • Use Task tool with subagent_type="backend-api-security::backend-architect"
  • Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
  • Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
  • Context: Incorporates threat model to address architectural vulnerabilities
  • 使用Task工具,设置subagent_type="backend-api-security::backend-architect"
  • 提示语:"评审$ARGUMENTS中的架构安全弱点。评估服务边界、数据流安全性、认证/授权架构、加密实现、网络分段。设计零信任架构模式。参考威胁模型和漏洞发现结果。"
  • 输出结果:安全架构评估报告、零信任设计建议、服务网格安全要求、数据分类矩阵
  • 背景:结合威胁模型解决架构层面的漏洞

Phase 2: Vulnerability Remediation

第二阶段:漏洞整改

4. Critical Vulnerability Fixes

4. 关键漏洞修复

  • Use Task tool with subagent_type="security-auditor"
  • Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
  • Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
  • Context: Addresses high-priority items from vulnerability assessment
  • 使用Task工具,设置subagent_type="security-auditor"
  • 提示语:"协调对$ARGUMENTS中关键漏洞(CVSS 7+)的即时整改。使用参数化查询修复SQL注入,使用输出编码修复XSS,使用安全会话管理修复认证绕过,使用输入验证修复不安全反序列化。为CVE应用安全补丁。"
  • 输出结果:包含漏洞修复的补丁代码、安全补丁文档、回归测试要求
  • 背景:解决漏洞评估中优先级最高的问题

5. Backend Security Hardening

5. 后端安全加固

  • Use Task tool with subagent_type="backend-api-security::backend-security-coder"
  • Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
  • Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
  • Context: Builds upon vulnerability fixes with preventive controls
  • 使用Task工具,设置subagent_type="backend-api-security::backend-security-coder"
  • 提示语:"为$ARGUMENTS实施全面的后端安全控制。使用OWASP ESAPI添加输入验证,实现速率限制和DDoS防护,使用OAuth2/JWT验证保护API端点,使用AES-256/TLS 1.3实现静态/传输数据加密。实施不暴露PII的安全日志记录。"
  • 输出结果:加固后的API端点、验证中间件、加密实现代码、安全配置模板
  • 背景:在漏洞修复基础上添加预防性控制

6. Frontend Security Implementation

6. 前端安全实施

  • Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
  • Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
  • Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
  • Context: Complements backend security with client-side protections
  • 使用Task工具,设置subagent_type="frontend-mobile-security::frontend-security-coder"
  • 提示语:"为$ARGUMENTS实施前端安全措施。配置基于nonce的CSP头策略,使用DOMPurify实现XSS防护,使用PKCE OAuth2实现安全认证流程,为外部资源添加SRI,使用SameSite/HttpOnly/Secure标志实现安全Cookie处理。"
  • 输出结果:安全的前端组件、CSP策略配置、认证流程实现代码、安全头配置
  • 背景:通过客户端防护补充后端安全

7. Mobile Security Hardening

7. 移动安全加固

  • Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
  • Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
  • Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
  • Context: Extends security to mobile platforms if applicable
  • 使用Task工具,设置subagent_type="frontend-mobile-security::mobile-security-coder"
  • 提示语:"为$ARGUMENTS实施移动应用安全。添加证书绑定,实现生物特征认证,使用加密保护本地存储,使用ProGuard/R8混淆代码,实现反篡改和Root/越狱检测,保护IPC通信。"
  • 输出结果:加固后的移动应用、安全配置文件、混淆规则、证书绑定实现代码
  • 背景:将安全覆盖扩展到移动平台(如适用)

Phase 3: Security Controls Implementation

第三阶段:安全控制实施

8. Authentication and Authorization Enhancement

8. 认证与授权增强

  • Use Task tool with subagent_type="security-auditor"
  • Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
  • Output: Authentication service configuration, MFA implementation, authorization policies, session management system
  • Context: Strengthens access controls based on architecture review
  • 使用Task工具,设置subagent_type="security-auditor"
  • 提示语:"为$ARGUMENTS实施现代认证系统。部署带PKCE的OAuth2/OIDC,实现基于TOTP/WebAuthn/FIDO2的MFA,添加基于风险的认证,实现遵循最小权限原则的RBAC/ABAC,添加带安全令牌轮换的会话管理。"
  • 输出结果:认证服务配置、MFA实现代码、授权策略、会话管理系统
  • 背景:基于架构评审结果强化访问控制

9. Infrastructure Security Controls

9. 基础设施安全控制

  • Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
  • Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
  • Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
  • Context: Implements network-level defenses
  • 使用Task工具,设置subagent_type="deployment-strategies::deployment-engineer"
  • 提示语:"为$ARGUMENTS部署基础设施安全控制。配置用于OWASP防护的WAF规则,实施微分段网络隔离,部署IDS/IPS系统,配置云安全组和NACL,通过速率限制和地理阻断实现DDoS防护。"
  • 输出结果:WAF配置、网络安全策略、IDS/IPS规则、云安全配置
  • 背景:实施网络层面的防御措施

10. Secrets Management Implementation

10. 密钥管理实施

  • Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
  • Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
  • Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
  • Context: Eliminates secrets exposure vulnerabilities
  • 使用Task工具,设置subagent_type="deployment-strategies::deployment-engineer"
  • 提示语:"为$ARGUMENTS实施企业级密钥管理。部署HashiCorp Vault或AWS Secrets Manager,实施密钥轮换策略,移除硬编码密钥,配置最小权限IAM角色,实现支持HSM的加密密钥管理。"
  • 输出结果:密钥管理配置、轮换策略、IAM角色定义、密钥管理流程
  • 背景:消除密钥暴露漏洞

Phase 4: Validation and Compliance

第四阶段:验证与合规

11. Penetration Testing and Validation

11. 渗透测试与验证

  • Use Task tool with subagent_type="security-auditor"
  • Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
  • Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
  • Context: Validates all implemented security measures
  • 使用Task工具,设置subagent_type="security-auditor"
  • 提示语:"对$ARGUMENTS执行全面渗透测试。进行已认证和未认证测试、API安全测试、业务逻辑测试、权限提升尝试。使用Burp Suite、Metasploit和自定义漏洞利用工具。验证所有安全控制的有效性。"
  • 输出结果:渗透测试报告、概念验证漏洞利用代码、整改验证结果、安全控制有效性指标
  • 背景:验证所有已实施的安全措施

12. Compliance and Standards Verification

12. 合规与标准验证

  • Use Task tool with subagent_type="security-auditor"
  • Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
  • Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
  • Context: Ensures regulatory and industry standard compliance
  • 使用Task工具,设置subagent_type="security-auditor"
  • 提示语:"验证$ARGUMENTS是否符合安全框架要求。对照OWASP ASVS Level 2、CIS基准、SOC2 Type II要求、GDPR/CCPA隐私控制,以及适用的HIPAA/PCI-DSS进行验证。生成合规证明报告。"
  • 输出结果:合规评估报告、差距分析、整改要求、审计证据收集
  • 背景:确保符合监管和行业标准

13. Security Monitoring and SIEM Integration

13. 安全监控与SIEM集成

  • Use Task tool with subagent_type="incident-response::devops-troubleshooter"
  • Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
  • Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
  • Context: Establishes continuous security monitoring
  • 使用Task工具,设置subagent_type="incident-response::devops-troubleshooter"
  • 提示语:"为$ARGUMENTS实施安全监控与SIEM。部署Splunk/ELK/Sentinel集成,配置安全事件关联,实施用于异常检测的行为分析,设置自动化事件响应剧本,创建安全仪表板和告警规则。"
  • 输出结果:SIEM配置、关联规则、事件响应剧本、安全仪表板、告警定义
  • 背景:建立持续安全监控

Configuration Options

配置选项

  • scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
  • compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
  • remediation_priority: "cvss_score" | "exploitability" | "business_impact"
  • monitoring_integration: "splunk" | "elastic" | "sentinel" | "custom"
  • authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
  • scanning_depth: "quick" | "standard" | "comprehensive"(默认值:comprehensive)
  • compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
  • remediation_priority: "cvss_score" | "exploitability" | "business_impact"
  • monitoring_integration: "splunk" | "elastic" | "sentinel" | "custom"
  • authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]

Success Criteria

成功标准

  • All critical vulnerabilities (CVSS 7+) remediated
  • OWASP Top 10 vulnerabilities addressed
  • Zero high-risk findings in penetration testing
  • Compliance frameworks validation passed
  • Security monitoring detecting and alerting on threats
  • Incident response time < 15 minutes for critical alerts
  • SBOM generated and vulnerabilities tracked
  • All secrets managed through secure vault
  • Authentication implements MFA and secure session management
  • Security tests integrated into CI/CD pipeline
  • 所有关键漏洞(CVSS 7+)已整改
  • OWASP Top 10漏洞已解决
  • 渗透测试中无高风险发现
  • 已通过合规框架验证
  • 安全监控能够检测并告警威胁
  • 关键告警的事件响应时间<15分钟
  • 已生成SBOM并跟踪漏洞
  • 所有密钥通过安全Vault管理
  • 认证系统已实现MFA和安全会话管理
  • 安全测试已集成到CI/CD流水线

Coordination Notes

协调说明

  • Each phase provides detailed findings that inform subsequent phases
  • Security-auditor agent coordinates with domain-specific agents for fixes
  • All code changes undergo security review before implementation
  • Continuous feedback loop between assessment and remediation
  • Security findings tracked in centralized vulnerability management system
  • Regular security reviews scheduled post-implementation
Security hardening target: $ARGUMENTS
  • 每个阶段都会提供详细发现,为后续阶段提供依据
  • Security-auditor Agent与领域特定Agent协调进行修复
  • 所有代码变更在实施前都经过安全评审
  • 评估与整改之间存在持续反馈循环
  • 安全发现在集中式漏洞管理系统中跟踪
  • 实施后定期安排安全评审
安全加固目标:$ARGUMENTS