Senior Security
Run STRIDE threat models, OWASP-aligned reviews, vulnerability assessments, and secure architecture guidance before or after shipping code.
Overview
senior-security is an agent skill most often used in Ship (also Build and Operate) that delivers threat modeling, OWASP-aligned reviews, and vulnerability assessment workflows for solo builders.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill senior-securityWhat is this skill?
- Five workflow areas: threat modeling, security architecture, vulnerability assessment, secure code review, incident resp
- STRIDE-based threat modeling workflow with scoped system boundaries
- OWASP-oriented secure coding and application security references
- Tooling lanes for secret scanning, CVE remediation, and penetration testing preparation
- Table of contents maps long-form senior security engineer playbook sections
- 5 named security workflows in the table of contents
- STRIDE methodology called out for threat modeling
Adoption & trust: 815 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping or operating software without a staffed security team and need credible threat models, audits, and remediation—not generic checklists.
Who is it for?
Founders and full-stack solos preparing launch security reviews, API hardening, or post-incident triage on real architectures.
Skip if: Replacing licensed penetration tests, formal compliance attestations, or environments where you only need a single linter rule with no threat context.
When should I use this skill?
User asks about security reviews, threat analysis, vulnerability assessments, secure coding, audits, attack surface, CVE remediation, OWASP, or penetration testing.
What do I get? / Deliverables
You get workflow-guided STRIDE analysis, architecture recommendations, prioritized findings, and incident steps tailored to the system you describe.
- Threat model and mitigations (STRIDE-oriented)
- Vulnerability assessment priorities and secure architecture notes
- Incident response action list when operating under active suspicion
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/security is the canonical shelf because explicit triggers center security reviews, audits, and secure coding before release. Security subphase covers threat modeling, penetration testing patterns, cryptography guidance, and formal vulnerability workflows—not generic debugging.
Where it fits
Model STRIDE threats for a new OAuth callback and session store before implementing endpoints.
Run a secure code review workflow on payment webhooks ahead of production cutover.
Translate OWASP guidance into prioritized fixes after an agent-generated API surface lands in PR.
Follow incident response workflow when secret scanning or logs suggest credential exposure.
Frame attack surface and data classification while scoping an MVP that will handle PII.
How it compares
Methodology-first security engineering skill—not a single-purpose secret scanner or CI gate plugin.
Common Questions / FAQ
Who is senior-security for?
Solo builders and small teams who own secure architecture, reviews, and incident response alongside feature development.
When should I use senior-security?
Use it during Ship for audits and secure coding before release, during Build when designing auth or crypto, and during Operate for CVE remediation or incident workflows.
Is senior-security safe to install?
It is advisory procedural knowledge; review the Security Audits panel on this Prism page and restrict any suggested scanning tools to non-production data until you validate scope.
SKILL.md
READMESKILL.md - Senior Security
# Senior Security Engineer Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing. --- ## Table of Contents - [Threat Modeling Workflow](#threat-modeling-workflow) - [Security Architecture Workflow](#security-architecture-workflow) - [Vulnerability Assessment Workflow](#vulnerability-assessment-workflow) - [Secure Code Review Workflow](#secure-code-review-workflow) - [Incident Response Workflow](#incident-response-workflow) - [Security Tools Reference](#security-tools-reference) - [Tools and References](#tools-and-references) --- ## Threat Modeling Workflow Identify and analyze security threats using STRIDE methodology. ### Workflow: Conduct Threat Model 1. Define system scope and boundaries: - Identify assets to protect - Map trust boundaries - Document data flows 2. Create data flow diagram: - External entities (users, services) - Processes (application components) - Data stores (databases, caches) - Data flows (APIs, network connections) 3. Apply STRIDE to each DFD element (see [STRIDE per Element Matrix](#stride-per-element-matrix) below) 4. Score risks using DREAD: - Damage potential (1-10) - Reproducibility (1-10) - Exploitability (1-10) - Affected users (1-10) - Discoverability (1-10) 5. Prioritize threats by risk score 6. Define mitigations for each threat 7. Document in threat model report 8. **Validation:** All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped ### STRIDE Threat Categories | Category | Security Property | Mitigation Focus | |----------|-------------------|------------------| | Spoofing | Authentication | MFA, certificates, strong auth | | Tampering | Integrity | Signing, checksums, validation | | Repudiation | Non-repudiation | Audit logs, digital signatures | | Information Disclosure | Confidentiality | Encryption, access controls | | Denial of Service | Availability | Rate limiting, redundancy | | Elevation of Privilege | Authorization | RBAC, least privilege | ### STRIDE per Element Matrix | DFD Element | S | T | R | I | D | E | |-------------|---|---|---|---|---|---| | External Entity | X | | X | | | | | Process | X | X | X | X | X | X | | Data Store | | X | X | X | X | | | Data Flow | | X | | X | X | | See: [references/threat-modeling-guide.md](references/threat-modeling-guide.md) --- ## Security Architecture Workflow Design secure systems using defense-in-depth principles. ### Workflow: Design Secure Architecture 1. Define security requirements: - Compliance requirements (GDPR, HIPAA, PCI-DSS) - Data classification (public, internal, confidential, restricted) - Threat model inputs 2. Apply defense-in-depth layers: - Perimeter: WAF, DDoS protection, rate limiting - Network: Segmentation, IDS/IPS, mTLS - Host: Patching, EDR, hardening - Application: Input validation, authentication, secure coding - Data: Encryption at rest and in transit 3. Implement Zero Trust principles: - Verify explicitly (every request) - Least privilege access (JIT/JEA) - Assume breach (segment, monitor) 4. Configure authentication and authorization: - Identity provider selection - MFA requirements - RBAC/ABAC model 5. De