Loading...
Loading...
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
npx skill4agent add davila7/claude-code-templates vulnerability-scannerThink like an attacker, defend like an expert. 2025 threat landscape awareness.
| Script | Purpose | Usage |
|---|---|---|
| Validate security principles applied | |
| File | Purpose |
|---|---|
| checklists.md | OWASP Top 10, Auth, API, Data protection checklists |
| Principle | Application |
|---|---|
| Assume Breach | Design as if attacker already inside |
| Zero Trust | Never trust, always verify |
| Defense in Depth | Multiple layers, no single point |
| Least Privilege | Minimum required access only |
| Fail Secure | On error, deny access |
| Rank | Category | Think About |
|---|---|---|
| A01 | Broken Access Control | Who can access what? IDOR, SSRF |
| A02 | Security Misconfiguration | Defaults, headers, exposed services |
| A03 | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
| A04 | Cryptographic Failures | Weak crypto, exposed secrets |
| A05 | Injection | User input → system commands |
| A06 | Insecure Design | Flawed architecture |
| A07 | Authentication Failures | Session, credential management |
| A08 | Integrity Failures | Unsigned updates, tampered data |
| A09 | Logging & Alerting | Blind spots, no monitoring |
| A10 | Exceptional Conditions 🆕 | Error handling, fail-open states |
2021 → 2025 Shifts:
├── SSRF merged into A01 (Access Control)
├── A02 elevated (Cloud/Container configs)
├── A03 NEW: Supply Chain (major focus)
├── A10 NEW: Exceptional Conditions
└── Focus shift: Root causes > Symptoms| Vector | Risk | Question to Ask |
|---|---|---|
| Dependencies | Malicious packages | Do we audit new deps? |
| Lock files | Integrity attacks | Are they committed? |
| Build pipeline | CI/CD compromise | Who can modify? |
| Registry | Typosquatting | Verified sources? |
| Category | Elements |
|---|---|
| Entry Points | APIs, forms, file uploads |
| Data Flows | Input → Process → Output |
| Trust Boundaries | Where auth/authz checked |
| Assets | Secrets, PII, business data |
Risk = Likelihood × Impact
High Impact + High Likelihood → CRITICAL
High Impact + Low Likelihood → HIGH
Low Impact + High Likelihood → MEDIUM
Low Impact + Low Likelihood → LOW| Factor | Weight | Question |
|---|---|---|
| CVSS Score | Base severity | How severe is the vuln? |
| EPSS Score | Exploit likelihood | Is it being exploited? |
| Asset Value | Business context | What's at risk? |
| Exposure | Attack surface | Internet-facing? |
Is it actively exploited (EPSS >0.5)?
├── YES → CRITICAL: Immediate action
└── NO → Check CVSS
├── CVSS ≥9.0 → HIGH
├── CVSS 7.0-8.9 → Consider asset value
└── CVSS <7.0 → Schedule for later| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
|---|---|---|
| Auth error | Allow access | Deny access |
| Parsing fails | Accept input | Reject input |
| Timeout | Retry forever | Limit + abort |
1. RECONNAISSANCE
└── Understand the target
├── Technology stack
├── Entry points
└── Data flows
2. DISCOVERY
└── Identify potential issues
├── Configuration review
├── Dependency analysis
└── Code pattern search
3. ANALYSIS
└── Validate and prioritize
├── False positive elimination
├── Risk scoring
└── Attack chain mapping
4. REPORTING
└── Actionable findings
├── Clear reproduction steps
├── Business impact
└── Remediation guidance| Pattern | Risk | Look For |
|---|---|---|
| String concat in queries | Injection | |
| Dynamic code execution | RCE | |
| Unsafe deserialization | RCE | |
| Path manipulation | Traversal | User input in file paths |
| Disabled security | Various | |
| Type | Indicators |
|---|---|
| API Keys | |
| Tokens | |
| Credentials | |
| Cloud | |
| Layer | You Own | Provider Owns |
|---|---|---|
| Data | ✅ | ❌ |
| Application | ✅ | ❌ |
| OS/Runtime | Depends | Depends |
| Infrastructure | ❌ | ✅ |
| ❌ Don't | ✅ Do |
|---|---|
| Scan without understanding | Map attack surface first |
| Alert on every CVE | Prioritize by exploitability + asset |
| Ignore false positives | Maintain verified baseline |
| Fix symptoms only | Address root causes |
| Scan once before deploy | Continuous scanning |
| Trust third-party deps blindly | Verify integrity, audit code |
| Severity | Criteria |
|---|---|
| Critical | RCE, auth bypass, mass data exposure |
| High | Data exposure, privilege escalation |
| Medium | Limited scope, requires conditions |
| Low | Informational, best practice |
Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"