security-test-planning
Security Test Planning
When to Use This Skill
Use this skill when:
- Security Test Planning tasks - Planning security testing strategies for applications
- Planning or design - Need guidance on OWASP testing, pen test scoping, SAST/DAST
- Best practices - Want to follow established security testing standards
Overview
Security testing validates that applications are protected against threats and vulnerabilities. A comprehensive security test strategy combines automated scanning, manual testing, and threat-based test case design.
Security Testing Pyramid
```
              ┌───────────┐
             /   Pentest   \   Manual, Expert
            /   Red Team    \  (Quarterly)
           /─────────────────\
          /       DAST        \   Dynamic Scanning
         /     (Runtime)       \  (Weekly/Release)
        /───────────────────────\
       /         SAST            \   Static Analysis
      /      (Build Time)         \  (Every Commit)
     /─────────────────────────────\
    /      Secret Scanning          \   Pre-Commit
   /    Dependency Scanning          \  (Continuous)
  └───────────────────────────────────┘
```
Quick Reference: Testing Layers
| Layer | Tools | Frequency | Gate |
|---|---|---|---|
| Layer 1 (CI/CD) | Gitleaks, SonarQube, Snyk, Trivy | Every commit | Block Critical |
| Layer 2 (Periodic) | OWASP ZAP, Burp, 42Crunch | Weekly/Release | Block High+ |
| Layer 3 (Manual) | Penetration testing, Code review | Quarterly | Block All |
OWASP Top 10 Quick Coverage
| Category | Testing Approach |
|---|---|
| A01: Broken Access Control | Manual + Automated |
| A02: Cryptographic Failures | Code review + SAST |
| A03: Injection | SAST + DAST + Manual |
| A04: Insecure Design | Threat modeling |
| A05: Security Misconfiguration | Config scanning |
| A06: Vulnerable Components | SCA |
| A07: Auth Failures | Manual + Automated |
| A08: Data Integrity | Manual testing |
| A09: Logging Failures | Log review |
| A10: SSRF | DAST + Manual |
Remediation SLAs
| Severity | SLA | Verification |
|---|---|---|
| Critical | 24 hours | Immediate retest |
| High | 7 days | Next sprint retest |
| Medium | 30 days | Quarterly scan |
| Low | 90 days | Annual review |
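The two tables above (layer gates and remediation SLAs) are the policy; the following is an added example, not part of this skill's own references, of how a CI step can apply it to a list of scan findings. The layer keys, severity names, finding fields and the sample findings are constructed for illustration and are not taken from any of the tools named on this page.

```python
"""Apply the testing-layer gates and remediation SLAs to scan findings.

Added example for this page; the policy values come from the two tables
above, everything else (layer keys, Finding fields, sample data) is assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Severity ordering so "High+" can be expressed as a rank comparison.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# "Gate" column of the Testing Layers table: lowest severity that blocks the layer.
GATE_THRESHOLD = {
    "layer1": "critical",  # CI/CD: block Critical
    "layer2": "high",      # Periodic DAST/API scanning: block High and above
    "layer3": "low",       # Manual testing: block all findings
}

# Remediation SLAs table: days to fix and the verification step for each severity.
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}
SLA_VERIFICATION = {
    "critical": "Immediate retest",
    "high": "Next sprint retest",
    "medium": "Quarterly scan",
    "low": "Annual review",
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str      # one of SEVERITY_RANK's keys
    found_on: date
    fixed: bool = False


def gate_decision(layer: str, findings: list[Finding]) -> tuple[str, list[str]]:
    """Return ("BLOCK" | "PASS", ids of the unfixed findings at or above the gate)."""
    threshold = SEVERITY_RANK[GATE_THRESHOLD[layer]]
    blocking = sorted(
        (f for f in findings if not f.fixed and SEVERITY_RANK[f.severity] >= threshold),
        key=lambda f: (-SEVERITY_RANK[f.severity], f.finding_id),
    )
    return ("BLOCK" if blocking else "PASS", [f.finding_id for f in blocking])


def sla_status(finding: Finding, today: date) -> dict:
    """Compute the SLA due date and whether the finding is fixed, open or overdue."""
    due = finding.found_on + timedelta(days=SLA_DAYS[finding.severity])
    if finding.fixed:
        state = "fixed"
    elif today > due:
        state = "overdue"
    else:
        state = "open"
    return {
        "id": finding.finding_id,
        "severity": finding.severity,
        "due": due,
        "state": state,
        "verification": SLA_VERIFICATION[finding.severity],
    }


def overdue_ids(findings: list[Finding], today: date) -> list[str]:
    """IDs of findings that have blown their remediation SLA, sorted for stable output."""
    return sorted(f.finding_id for f in findings if sla_status(f, today)["state"] == "overdue")


# Constructed sample findings (not real scan output) as of 2025-12-28.
SAMPLE_FINDINGS = [
    Finding("F-001", "critical", date(2025, 12, 20)),           # due 12-21, overdue
    Finding("F-002", "high", date(2025, 12, 15)),               # due 12-22, overdue
    Finding("F-003", "medium", date(2025, 12, 1)),              # due 12-31, open
    Finding("F-004", "low", date(2025, 10, 1)),                 # due 12-30, open
    Finding("F-005", "high", date(2025, 12, 1), fixed=True),    # fixed, never blocks
]

if __name__ == "__main__":
    today = date(2025, 12, 28)
    for layer in GATE_THRESHOLD:
        verdict, ids = gate_decision(layer, SAMPLE_FINDINGS)
        print(f"{layer}: {verdict} {ids}")
    for f in SAMPLE_FINDINGS:
        s = sla_status(f, today)
        print(f"{s['id']} {s['severity']:8} due {s['due']} {s['state']:7} -> {s['verification']}")
```

A fixed finding never blocks a gate but still appears in the SLA report so the verification step (retest or scheduled rescan) is not lost; an unfixed finding can be both inside SLA and blocking, which is the intended behaviour of "block Critical at every commit".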
References
| Reference | Content | When to Load |
|---|---|---|
| security-strategy-template.md | Full strategy template, scope, compliance, metrics | Planning security test strategy |
| owasp-testing.md | WSTG test categories, test case template | Writing OWASP-aligned test cases |
| dotnet-security-tests.md | Auth, input validation, rate limiting tests | Implementing .NET security tests |
| sast-dast-integration.md | CI/CD gates, ZAP integration, tool comparison | Setting up automated security scanning |
Integration Points
Inputs from:
- Threat model → Test priorities
- Security requirements → Coverage targets
- test-strategy-planning skill → Overall strategy
Outputs to:
- CI/CD pipeline → Security gates
- devsecops-practices skill (security plugin) → Remediation
- Compliance reporting → Evidence
Test Scenarios
Scenario 1: Planning security test strategy
Query: "Help me create a security test plan for our web application"
Expected: Skill activates, provides strategy template, guides through scope and layers
Scenario 2: OWASP-aligned testing
Query: "What OWASP tests should I run for authentication?"
Expected: Skill activates, loads owasp-testing.md reference, provides WSTG-ATHN tests
Scenario 3: .NET security tests
Query: "Show me how to test for SQL injection in .NET"
Expected: Skill activates, loads dotnet-security-tests.md reference, provides code examples
Last Updated: 2025-12-28
Version History
- v1.1.0 (2025-12-28): Refactored to progressive disclosure - extracted tests/templates to references/
- v1.0.0 (2025-12-26): Initial release