
OWASP Top 10
Run a structured OWASP Top 10 assessment from scope definition through finding prioritization and remediation tracking on a solo-built app.
Overview
OWASP Top 10 is an agent skill most often used in Ship (also Operate) that guides structured OWASP Top 10 security assessments from scoping through remediation tracking.
Install
npx skills add https://github.com/nickcrew/claude-ctx-plugin --skill owasp-top-10
What is this skill?
- Phased workflow from scoping and rules of engagement through assessment and remediation tracking
- Application inventory, trust boundaries, and data-classification templates for assessment scope
- Feature-to-OWASP category risk matrix (auth, APIs, uploads, admin, integrations)
- Assessment scope document template with environment, exclusions, and authorization references
- Prioritization by feature area with Critical/High/Medium priority tiers
- OWASP Top 10 category mapping table with Critical/High/Medium priority tiers
- Phase 1 scoping workflow with assessment scope document template
Adoption & trust: 570 installs on skills.sh; 15 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping a product but lack a consistent way to scope, prioritize, and document an OWASP-aligned security review across your stack.
Who is it for?
Solo builders and small teams preparing release gates, customer audits, or post-incident hardening on web apps and APIs.
Skip if: Teams that only need a single automated scan with no scoping, legal authorization, or remediation workflow—or production pentesting without written rules of engagement.
When should I use this skill?
You need a formal OWASP Top 10 assessment plan before code review, dynamic testing, or customer security due diligence.
What do I get? / Deliverables
You finish with bounded assessment scope, prioritized OWASP-linked test areas, and a documented engagement plan you can execute and track through remediation.
- Assessment scope document
- Feature-to-OWASP priority matrix
- Rules of engagement and excluded-components list
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security review belongs on the Ship shelf because it gates safe release and maps features to OWASP categories before production exposure. Security subphase is the canonical home for vulnerability assessment workflows, rules of engagement, and OWASP-aligned test planning.
Where it fits
Define which microservices and third-party APIs are in scope before promising security timelines to a pilot customer.
Prioritize auth, admin, and upload surfaces against OWASP categories ahead of a production deploy.
Align code-review focus areas with documented assessment boundaries and excluded components.
Track remediation status against findings discovered during structured OWASP testing.
How it compares
Use instead of one-off “scan my repo” prompts when you need OWASP-scoped methodology and audit-ready documentation.
Common Questions / FAQ
Who is owasp-top-10 for?
Indie and solo developers shipping SaaS, APIs, or agent-backed services who want OWASP Top 10 structure without hiring a full-time security engineer.
When should I use owasp-top-10?
Use it in Ship before launch or major releases for security review; in Validate when proving enterprise readiness; and in Operate when tracking remediation after incidents or audit findings.
Is owasp-top-10 safe to install?
Treat it as methodology guidance—review the Security Audits panel on this Prism page and only run dynamic testing on systems you are authorized to test.
SKILL.md
# OWASP Assessment Workflow

Structured methodology for conducting OWASP Top 10 security assessments, from scoping through remediation tracking.

## Phase 1: Scoping and Pre-Assessment

### Define Assessment Boundaries

- **Application inventory**: Identify all in-scope components (frontend, backend, APIs, microservices, databases)
- **Technology stack**: Document languages, frameworks, libraries, infrastructure
- **Data classification**: Identify sensitive data flows (PII, credentials, financial, health)
- **Trust boundaries**: Map where data crosses privilege levels or network zones
- **Third-party integrations**: Catalog external services, APIs, and dependencies

### Establish Rules of Engagement

```markdown
## Assessment Scope Document

**Target Application**: [name]
**Environment**: [production/staging/dev]
**Assessment Type**: [code review / dynamic testing / both]
**Timeline**: [start] - [end]
**Excluded Components**: [list]
**Emergency Contact**: [name, phone, email]
**Authorization Reference**: [document ID]
```

### Prioritize Assessment Areas

Map application features to OWASP categories by risk:

| Feature Area | Primary OWASP Categories | Priority |
|---|---|---|
| Authentication | A01, A02, A07 | Critical |
| API endpoints | A01, A03, A10 | Critical |
| User input forms | A03, A08 | High |
| File upload/download | A01, A04, A08 | High |
| Admin panels | A01, A05, A07 | Critical |
| Third-party integrations | A06, A08, A10 | Medium |
| Logging infrastructure | A09 | Medium |

## Phase 2: Testing Methodology

### Per-Category Testing Approach

#### A01 - Broken Access Control

```
Checklist:
[ ] Verify RBAC enforcement on every endpoint
[ ] Test horizontal privilege escalation (user A accessing user B data)
[ ] Test vertical privilege escalation (user accessing admin functions)
[ ] Check IDOR via sequential/predictable IDs
[ ] Verify CORS policy is restrictive
[ ] Test directory traversal on file operations
[ ] Confirm deny-by-default on new endpoints
[ ] Validate JWT/session token scope enforcement
```

#### A02 - Cryptographic Failures

```
Checklist:
[ ] Verify TLS 1.2+ on all external connections
[ ] Check for sensitive data in URLs or logs
[ ] Validate password hashing (bcrypt/argon2, not MD5/SHA1)
[ ] Verify encryption at rest for sensitive data
[ ] Check key management (rotation, storage, access)
[ ] Confirm no hardcoded secrets in source
[ ] Validate certificate pinning where applicable
```

#### A03 - Injection

```
Checklist:
[ ] Test SQL injection on all parameterized inputs
[ ] Verify ORM/parameterized queries (no string concatenation)
[ ] Test NoSQL injection on document queries
[ ] Check command injection on system calls
[ ] Test LDAP injection on directory queries
[ ] Validate template injection in server-side rendering
[ ] Verify XSS (reflected, stored, DOM-based) on all outputs
```

#### A04 - Insecure Design

```
Checklist:
[ ] Review threat model for business logic flaws
[ ] Check rate limiting on sensitive operations
[ ] Verify multi-step workflows can't be bypassed
[ ] Test for race conditions in concurrent operations
[ ] Validate business rule enforcement server-side
[ ] Review error handling for information disclosure
```

#### A05 - Security Misconfiguration

```
Checklist:
[ ] Check for default credentials on all services
[ ] Verify unnecessary features/ports are disabled
[ ] Review HTTP security headers (CSP, HSTS, X-Frame-Options)
[ ] Confirm error pages don't leak stack traces
[ ] Validate cloud/container security configurations
[ ] Check for directory listing on web servers
[ ] Review CORS, cookie, and cache-control settings
```

#### A06 - Vulnerable Components

```
Checklist:
[ ] Run dependency audit (npm audit, pip-audit, etc.)
[ ] Check for known CVEs in all dependencies
[ ] Verify dependency versions are actively maintained
[ ] Review transitive dependency risks
[ ] Confirm automated dependency update process exists
[ ] Check container base image for vulnerabilities
```

#### A07