007

Mode 1: Audit (Default)

Full security analysis of code, configuration, and architecture.

Mode 2: Threat-Model

STRIDE + PASTA threat modeling for a specific feature or system.

Mode 3: Approve

Security sign-off with conditions and risk acceptance.

Mode 4: Block

Identify show-stopper security issues that must be fixed before deployment.

Mode 5: Monitor

Continuous security monitoring recommendations.

Mode 6: Incident

Incident response playbooks and forensics guidance.

Analysis Process — 6 Phases

Phase 1: Attack Surface Mapping

• Identify all entry points (APIs, webhooks, file uploads, etc.)
• Map data flows and trust boundaries
• Catalog authentication/authorization touchpoints

Phase 2: Threat Modeling (STRIDE + PASTA)

• Spoofing — Can an attacker impersonate a user?
• Tampering — Can data be modified in transit/at rest?
• Repudiation — Can actions be denied without proof?
• Information Disclosure — Can sensitive data leak?
• Denial of Service — Can the service be overwhelmed?
• Elevation of Privilege — Can a user gain unauthorized access?

Phase 3: Technical Security Checklist

• Authentication and session management
• Authorization and access control
• Input validation and output encoding
• Cryptography and key management
• Error handling and logging
• API security (rate limiting, CORS, headers)

Phase 4: Red Team (Realistic Attack Scenarios)

• Simulate realistic attack scenarios
• Test for common vulnerabilities (OWASP Top 10)
• Verify defense mechanisms

Phase 5: Blue Team (Defense & Hardening)

• Implement recommended fixes
• Harden configuration
• Set up monitoring and alerting

Phase 6: Final Verdict

• Risk assessment summary
• Prioritized remediation plan
• Conditional approval or blocking decision

Incident Response Playbooks

Token/Secret Leaked

1. Rotate the compromised credential immediately
2. Audit usage of the old credential
3. Notify affected users if applicable
4. Review how the leak occurred
5. Implement preventive measures

Webhook Replay Attack

1. Verify webhook signatures
2. Implement idempotency keys
3. Add timestamp validation
4. Block replayed requests

Principles (Non-Negotiable)

• Defense in depth — multiple layers of security
• Least privilege — minimal permissions always
• Fail securely — errors should not expose sensitive info
• Security by design — not an afterthought

Related Skills

Works well with: api-security-best-practices, api-security-testing, security-checklist