security-testing
SKILL.md
Security & Testing
Security Principles
- Defense in Depth: Multiple layers of security
- Least Privilege: Minimum necessary permissions
- Fail Secure: Default to deny
- Zero Trust: Never trust, always verify
OWASP Top 10 Quick Reference
| # | Vulnerability | Prevention |
|---|---|---|
| 1 | Broken Access Control | RBAC, deny by default, audit logs |
| 2 | Cryptographic Failures | TLS, strong algorithms, key management |
| 3 | Injection | Parameterized queries, input validation |
| 4 | Insecure Design | Threat modeling, secure patterns |
| 5 | Security Misconfiguration | Hardened defaults, minimal services |
| 6 | Vulnerable Components | Dependency scanning, updates |
| 7 | Auth/Identity Failures | MFA, session management |
| 8 | Software/Data Integrity | Signed artifacts, CI/CD security |
| 9 | Logging/Monitoring Failures | Centralized logs, alerting |
| 10 | SSRF | Input validation, allowlists |
Security Checklist
- No hardcoded secrets
- Secrets not logged
- Input validation on all boundaries
- Parameterized queries
- Dependencies scanned for CVEs
- Authentication & authorization implemented
- HTTPS enforced
- Security headers configured
- Rate limiting in place
- Audit logging enabled
Testing Pyramid
```
        /\
       /  \         E2E Tests (few)
      /----\
     /      \       Integration Tests
    /--------\
   /          \     Unit Tests (many)
  /------------\
```
| Type | Purpose | Speed | Coverage |
|---|---|---|---|
| Unit | Test isolated logic | Fast | High |
| Integration | Test component interaction | Medium | Medium |
| E2E | Test full user flows | Slow | Low |
Testing Best Practices
```python
import pytest

# create_user and ValidationError come from the application under test;
# import them from your own package.

# Arrange-Act-Assert pattern
def test_user_creation():
    # Arrange
    user_data = {"name": "Alice", "email": "alice@acme.com"}
    # Act
    user = create_user(user_data)
    # Assert
    assert user.name == "Alice"
    assert user.email == "alice@acme.com"

# Test edge cases
def test_empty_input():
    with pytest.raises(ValueError):
        create_user({})

def test_invalid_email():
    with pytest.raises(ValidationError):
        create_user({"name": "Bob", "email": "invalid"})
```
API Security
```
# Essential security headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
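```python
# Rate limiting
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
# Bind the limiter to the app; an unbound Limiter enforces nothing.
limiter = Limiter(key_func=get_remote_address, app=app)

@app.route("/api/login", methods=["POST"])
@limiter.limit("5 per minute")  # keyed by client IP
def login():
    pass  # authentication logic goes here
```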
Observability
Three Pillars
| Pillar | Purpose | Tools |
|---|---|---|
| Logs | Event records | ELK, CloudWatch |
| Metrics | Numerical measurements | Prometheus, DataDog |
| Traces | Request flows | Jaeger, X-Ray |
Structured Logging
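```python
import logging
from datetime import datetime, timezone

logger = logging.getLogger(__name__)

# `user` and `request` come from the surrounding request handler (e.g. Flask).
logger.info("User action", extra={
    "user_id": user.id,
    "action": "login",
    "ip": request.remote_addr,
    "timestamp": datetime.now(timezone.utc).isoformat(),  # timezone-aware UTC
})
```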
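With the standard library's default formatter, fields passed through `extra=` are attached to the record but never written out. The following added example (not part of the original skill) is a stdlib-only JSON formatter that emits them and masks fields matching an assumed deny-list, which also covers the "Secrets not logged" checklist item. `JsonFormatter`, `SENSITIVE`, `demo` and all sample values are constructed for illustration.

```python
import io
import json
import logging
from datetime import datetime, timezone

# Attributes every LogRecord carries; anything else arrived via `extra=`.
_STANDARD = set(vars(logging.LogRecord("", 0, "", 0, "", (), None))) | {"message", "asctime"}
# Assumed deny-list: fields whose names contain these never reach the log.
SENSITIVE = ("password", "passwd", "secret", "token", "authorization", "api_key")

def _redact(key, value):
    """Mask values of sensitive keys, recursing into nested dicts."""
    if any(s in str(key).lower() for s in SENSITIVE):
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: _redact(k, v) for k, v in value.items()}
    return value

class JsonFormatter(logging.Formatter):
    """Render each record as one JSON object, including `extra=` fields."""
    def format(self, record):
        event = {
            "timestamp": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        }
        for key, value in vars(record).items():
            if key not in _STANDARD:
                event[key] = _redact(key, value)
        # json.dumps escapes CR/LF, so user-controlled values cannot forge a log line.
        return json.dumps(event, default=str)

def demo(action="login"):
    """Log one constructed login event; return (raw line, parsed event)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger = logging.getLogger("audit.demo")
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.INFO)
    logger.info("User action", extra={  # constructed sample values
        "user_id": 42, "action": action, "ip": "203.0.113.7",
        "password": "hunter2",
        "headers": {"Authorization": "Bearer abc", "Accept": "*/*"},
    })
    raw = stream.getvalue()
    return raw, json.loads(raw)
```

The formatter stamps each event from `record.created`, so callers do not need to pass their own `timestamp` field.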
Detailed References
- OWASP Security: See references/owasp-security.md
- Testing Strategies: See references/testing-strategies.md
- API Design: See references/api-design.md
- Observability: See references/observability.md
Repository: kiraneswaran/en…g-skills