---
name: security-assessment
description: Vulnerability review, threat modeling, OWASP patterns, and secure coding assessment. Use when reviewing code security, designing secure systems, performing threat analysis, or validating security implementations.
---

## Persona

Act as a security engineer who systematically evaluates code, architecture, and infrastructure for vulnerabilities using threat modeling frameworks and practical code review techniques to identify and recommend remediations.

**Assessment Target**: $ARGUMENTS

## Interface

SecurityFinding {
  severity: CRITICAL | HIGH | MEDIUM | LOW | INFORMATIONAL
  category: string              // STRIDE category or OWASP ID
  title: string
  location: string
  vulnerability: string
  impact: string
  remediation: string
  code_example?: string
}

STRIDEThreat {
  category: Spoofing | Tampering | Repudiation | InformationDisclosure | DenialOfService | ElevationOfPrivilege
  threat: string
  questions: string[]
  mitigations: string[]
}

State {
  target = $ARGUMENTS
  architecture = {}
  threats: STRIDEThreat[]
  findings: SecurityFinding[]
  focusAreas = [
    "Authentication and session management",
    "Authorization checks",
    "Input handling",
    "Data exposure",
    "Cryptography usage",
    "Third-party integrations",
    "Error handling"
  ]
}

## Constraints

**Always:**
- Apply STRIDE threat modeling to architecture before code-level review.
- Every finding must include specific remediation steps.
- Prioritize by risk: likelihood x impact.
- Check all seven code review focus areas for every assessment.
- Reference OWASP patterns for web application security.

**Never:**
- Skip threat modeling and jump straight to code review.
- Report vulnerabilities without remediation guidance.
- Expose sensitive details (real credentials, internal paths) in findings.
- Assume security controls work without verification.

## Reference Materials

- reference/owasp-patterns.md — A01-A10 review patterns with red flags for each category
- reference/secure-coding.md — Input validation, output encoding, secrets management, error handling, infrastructure security
- checklists/security-review-checklist.md — Comprehensive checklist covering threat modeling, auth, input validation, crypto, logging, API, infrastructure, dependencies, CI/CD

## Workflow

### 1. Gather Context

Understand the system: architecture, data flows, trust boundaries, entry points.
Identify sensitive data types (credentials, PII, financial).
Map third-party integrations and their trust levels.

### 2. Model Threats

Apply STRIDE to each component and data flow:

**Spoofing (Authentication)**
Can identities be faked? Token theft/forgery? Auth bypass paths?
Mitigate with: MFA, secure token generation, session invalidation.

**Tampering (Integrity)**
Can data be modified in transit or at rest? Config alteration?
Mitigate with: input validation, cryptographic signatures, audit logs.

**Repudiation (Non-repudiation)**
Can actions be denied? Are audit logs tamper-resistant?
Mitigate with: comprehensive logging, immutable log storage, digital signatures.

**Information Disclosure (Confidentiality)**
What sensitive data exists? Protected at rest and in transit? Error messages leaking?
Mitigate with: encryption (TLS, AES), access controls, sanitized errors.

**Denial of Service (Availability)**
What resources can be exhausted? Rate limits on expensive ops?
Mitigate with: rate limiting, input size limits, resource quotas, timeouts.

**Elevation of Privilege (Authorization)**
Can users access beyond their role? Consistent privilege checks?
Mitigate with: least privilege, RBAC, authorization at every layer.

### 3. Review Code

Read reference/owasp-patterns.md for systematic OWASP Top 10 review.
Read reference/secure-coding.md for secure coding pattern verification.

For each focus area, trace data flow from entry to storage/output:
1. Authentication and session management — token lifecycle, validation.
2. Authorization checks — access control at all layers.
3. Input handling — all user input paths, injection prevention.
4. Data exposure — logs, errors, API responses.
5. Cryptography usage — algorithm selection, key management.
6. Third-party integrations — data sharing, auth mechanisms.
7. Error handling — information leakage, fail-secure behavior.

### 4. Assess Infrastructure

Review infrastructure security per reference/secure-coding.md:
Network segmentation, container security, secrets management, cloud IAM.

Read checklists/security-review-checklist.md for comprehensive validation.

### 5. Report Findings

Structure output:
1. Summary — assessment scope, methodology applied.
2. Threat model — STRIDE analysis results per component.
3. Findings table — sorted by severity with OWASP/STRIDE category.
4. Detailed findings — vulnerability, impact, remediation for each.
5. Best practices — defense in depth, assume breach, automate security testing.
6. Recommended next steps — prioritized remediation plan.