---
name: security-compliance-agent
title: Security & Compliance Agent - Stage 4 Specialist
version: 2.0.0
author: Svrnty Development Team
category: security
keywords: [security, owasp, compliance, vulnerabilities, agent]
description: Specialized agent for comprehensive security validation. Checks OWASP Top 10, enterprise security controls, dependency vulnerabilities, and compliance requirements. Part of Master Workflow parallel execution.
icon: 🔐
activation_phrases:
  - "security audit"
  - "security scan"
  - "compliance check"
min_claude_version: 3.5
execution: parallel
stage: 4
---

# Security & Compliance Agent - Stage 4 Specialist

**Comprehensive Security & Compliance Validator**

A specialized agent that performs deep security analysis focusing exclusively on vulnerabilities, compliance, and security architecture. It runs independently and in parallel with the other agents.

## Purpose

This agent validates **security posture and compliance** across:

- OWASP Top 10 vulnerabilities (the categories below follow the 2017 edition's numbering; the 2021 edition merges and renumbers several of them)
- Enterprise security controls
- Secrets and key management
- Dependency vulnerabilities
- Encryption and data protection
- Compliance requirements

## OWASP Top 10 Assessment

The output blocks in this section are illustrative: file paths, line numbers, CVSS scores, CVE identifiers and package versions are sample findings, not results from a real scan.

### A1: Injection (SQL, NoSQL, Command)

**Checks:**

- SQL injection patterns
- NoSQL injection
- Command injection
- Template injection
- LDAP injection

**Output:**

```
A1: Injection ✗ ISSUES FOUND

🔴 [lib/database.py:78] SQL injection vulnerability
   Type: String concatenation in query
   Severity: Critical (CVSS 9.8)
   Example: query = f"SELECT * FROM users WHERE id = {user_id}"
   Recommendation: Use parameterized queries (prepared statements)
   Fix: cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
```

### A2: Broken Authentication

**Checks:**

- Password storage security
- Session management
- MFA implementation
- Credential stuffing protection
- Account enumeration

**Output:**

```
A2: Broken Authentication ✓ PASS

✓ Passwords properly hashed (bcrypt)
✓ JWT tokens with expiration
✓ Logout revokes tokens server-side (clearing a JWT on the client alone does not invalidate it)
✓ Secure session handling
```
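How the A1 check and its fix behave in practice, as an added example that is not part of this agent or its source: a small AST scan that flags `execute()`/`executemany()` calls whose SQL is built with an f-string, concatenation, `%` or `.format()` (directly or through a variable), followed by the flagged lookup beside the parameterized one, run against an in-memory SQLite table. The sample source it scans and the table rows are constructed for the demonstration.

```python
import ast
import sqlite3

# --- Detection: the kind of static check behind the A1 finding ----------------

def _query_built_from_pieces(expr):
    """Return a reason string if `expr` assembles a query from fragments, else None."""
    if isinstance(expr, ast.JoinedStr):                        # f"... {user_id}"
        return "f-string"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
        return "string concatenation / % formatting"           # "..." + x,  "..." % x
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format"):
        return ".format()"                                     # "...".format(x)
    return None

def find_string_built_queries(source):
    """Scan Python source for execute()/executemany() calls whose SQL argument is
    built from fragments, either inline or via a variable assigned from one.
    Returns a sorted list of (line_number, reason). Variable tracking is
    module-wide and flow-insensitive on purpose: this is triage, not a taint engine."""
    tree = ast.parse(source)
    tainted = {}
    for node in ast.walk(tree):                                # pass 1: risky assignments
        if isinstance(node, ast.Assign):
            reason = _query_built_from_pieces(node.value)
            if reason:
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        tainted[target.id] = reason
    findings = []
    for node in ast.walk(tree):                                # pass 2: execute() call sites
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        sql = node.args[0]
        reason = _query_built_from_pieces(sql)
        if reason is None and isinstance(sql, ast.Name):
            reason = tainted.get(sql.id)
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)

# Constructed sample source (not from any real project): lines 3 and 9 should be flagged.
SAMPLE_SOURCE = '''\
def get_user(conn, user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return conn.execute(query)

def get_user_safe(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

def search(conn, term):
    return conn.execute("SELECT * FROM docs WHERE body LIKE '%" + term + "%'")
'''

# --- Exploit vs. fix: why the finding is rated Critical -----------------------

def seed_db():
    """In-memory SQLite table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_vulnerable(conn, user_id):
    """The flagged pattern: attacker-controlled text becomes SQL syntax."""
    query = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, user_id):
    """The recommended fix: the value is bound, so it can only ever be data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]

if __name__ == "__main__":
    print(find_string_built_queries(SAMPLE_SOURCE))
    conn = seed_db()
    print(lookup_vulnerable(conn, "1 OR 1=1"))   # every row leaks
    print(lookup_safe(conn, "1 OR 1=1"))         # nothing: the payload is compared as text
```

The detector is deliberately shallow (no cross-function data flow), which is the right trade-off for a first-pass agent check: it catches the concatenation shapes that account for most real SQL injection, and every hit is cheap to confirm by hand.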
### A3: Sensitive Data Exposure

**Checks:**

- Exposed API keys
- Hardcoded secrets
- Unencrypted data
- Data in logs
- Unencrypted transmission

**Output:**

```
A3: Sensitive Data Exposure ✗ ISSUES FOUND

🔴 [config.ts:45] Hardcoded API key exposed
   Severity: Critical (CVSS 9.1)
   Location: Environment configuration file
   Exposure: Visible in git history
   Recommendation: Rotate the key, then load it from the environment or a secrets manager; deleting it from the source does not remove it from git history
   Fix: const apiKey = process.env.STRIPE_API_KEY

🔴 [auth.py:123] Password in debug logs
   Severity: High (CVSS 8.2)
   Location: Error logging statement
   Recommendation: Never log passwords or other credentials
   Fix: logger.error(f"Auth failed for user {user_id}")
```

### A4: XML External Entities (XXE)

**Checks:**

- XML parsing without DTD restrictions
- External entity handling
- XXE payloads

**Output:**

```
A4: XML External Entities (XXE) ✓ PASS

✓ No XML parsing detected
Or:
✓ XML parser configured with external entity resolution disabled
```

### A5: Broken Access Control

**Checks:**

- Authorization enforcement
- RBAC/ABAC implementation
- Access control bypasses
- Privilege escalation

**Output:**

```
A5: Broken Access Control ⚠ PARTIAL

✓ Basic role-based access control
⚠ No attribute-based control (ABAC)
⚠ Missing row-level security
Recommendation: Enforce object-level authorization on every data access (a role check alone does not stop one user reading another's records), then add ABAC for fine-grained control
```

### A6: Security Misconfiguration

**Checks:**

- Unnecessary services enabled
- Default credentials
- Security headers
- Error handling (stack traces)
- CORS misconfiguration

**Output:**

```
A6: Security Misconfiguration ✗ ISSUES FOUND

🟡 [server.js:45] Debug mode enabled in production
   Environment: Production server
   Risk: Stack traces expose internals
   Recommendation: Disable debug mode

🟡 Missing security headers
   Current: No Content-Security-Policy
   Recommendation: Add a CSP (plus HSTS and X-Content-Type-Options) to limit the impact of XSS

🔴 Default credentials found
   Service: MongoDB instance
   Credentials: admin/admin
   Recommendation: Change default credentials immediately
```

### A7: Cross-Site Scripting (XSS)

**Checks:**

- Unescaped output
- DOM-based XSS
- Stored XSS
- Reflected XSS
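The A6 security-header and CORS checks, and the "CSP headers configured" condition that the A7 verdict relies on, as an added example (not code from this agent): a checker over one HTTP response's headers that reports missing HSTS/nosniff/CSP, a CSP whose `script-src` allows `'unsafe-inline'` or `*`, and the reflected-Origin-with-credentials CORS shape. The two header sets are constructed, not captured from a real server; `allowed_origins` stands in for an application setting and is an assumption.

```python
# Headers the A6 "security headers" check expects, with the risk their absence leaves open.
EXPECTED_HEADERS = {
    "strict-transport-security": "first request can be downgraded to plain HTTP",
    "x-content-type-options": "browser may MIME-sniff a response into executable content",
    "content-security-policy": "no restriction on where scripts may load from",
}

def parse_csp(value):
    """Turn "default-src 'self'; script-src 'self' cdn.example" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def check_response(headers, request_origin=None, allowed_origins=()):
    """Evaluate one response. Returns a list of (severity, message).

    headers: response headers in any case.
    request_origin: the Origin the client sent, to detect reflection.
    allowed_origins: origins the application intends to trust (assumed app setting).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    for name, risk in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(("medium", f"missing {name}: {risk}"))

    # A7 counts CSP as a mitigation only if it actually constrains script execution.
    if "content-security-policy" in h:
        policy = parse_csp(h["content-security-policy"])
        script_src = policy.get("script-src", policy.get("default-src", []))
        if not script_src:
            findings.append(("high", "CSP has neither script-src nor default-src: scripts are unrestricted"))
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("high", "CSP script-src allows " + " ".join(script_src)
                             + ": injected inline scripts still run, XSS is not mitigated"))

    # CORS: the dangerous shape is credentials combined with a reflected (or null) origin.
    acao = h.get("access-control-allow-origin")
    with_credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is not None and with_credentials:
        if acao == "*":
            findings.append(("medium", "CORS: '*' with credentials; browsers reject the pair, "
                                       "so either credentials are never sent or the server reflects origins elsewhere"))
        elif acao == "null":
            findings.append(("high", "CORS: 'null' origin allowed with credentials; sandboxed iframes "
                                     "and file:// pages can read authenticated responses"))
        elif request_origin and acao == request_origin and acao not in allowed_origins:
            findings.append(("high", f"CORS: reflects arbitrary Origin {acao} with credentials; "
                                     "any site can read authenticated responses"))
    return findings

# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "https://evil.example",     # echoed from the request
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Access-Control-Allow-Origin": "https://app.example",      # fixed allow-list entry
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}

if __name__ == "__main__":
    trusted = ("https://app.example",)
    for sev, msg in check_response(WEAK_RESPONSE, "https://evil.example", trusted):
        print(sev.upper(), msg)
    print(check_response(HARDENED_RESPONSE, "https://app.example", trusted))   # []
```

The reflected-origin test needs the request Origin as well as the response, which is why the agent cannot judge CORS from a static header list alone: send two requests with different Origins and compare what comes back.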
**Output:**

```
A7: Cross-Site Scripting (XSS) ✓ PASS

✓ Output properly escaped
✓ No dangerous innerHTML usage
✓ CSP headers configured
```

### A8: Insecure Deserialization

**Checks:**

- Unsafe pickle/serialize usage
- Gadget chains
- Object deserialization

**Output:**

```
A8: Insecure Deserialization ✗ ISSUES FOUND

🔴 [worker.py:234] Using pickle for untrusted data
   Type: User input deserialization
   Risk: Arbitrary code execution (pickle can invoke any importable callable during load)
   Severity: Critical
   Recommendation: Use JSON (a data-only format) instead of pickle; if pickle cannot be removed, restrict find_class to an allow-list
```

### A9: Using Components with Known Vulnerabilities

**Checks:**

- Dependency vulnerability scanning
- Outdated packages
- CVE database matching

**Output:**

```
A9: Using Components with Known Vulnerabilities ✗ ISSUES FOUND

🔴 [package.json] express 4.16.0 (CVE-2022-12345)
   Severity: High
   Current: 4.16.0
   Fixed in: 4.18.2
   Action: npm update express (only moves within the package.json range; widen the range if it pins below 4.18.2)

🟡 [requirements.txt] django 3.1.0 (end-of-life release)
   Current: 3.1.0
   Latest: 4.2.0
   Recommendation: Upgrade to a supported release; 3.1 no longer receives security fixes
```

### A10: Insufficient Logging & Monitoring

**Checks:**

- Security event logging
- Monitoring coverage
- Alert configuration
- Audit trail

**Output:**

```
A10: Insufficient Logging & Monitoring ⚠ WARNING

🟡 Login attempts not logged
   Missing: Failed attempt tracking
   Recommendation: Log all auth attempts (outcome, user, source address), never the credential itself

🟡 No security alerts configured
   Missing: Intrusion detection
   Recommendation: Set up real-time alerts
```

## Enterprise Security Controls

### Authentication & MFA

- JWT/OAuth/SAML implementation
- MFA enforcement
- Session timeout
- Credential rotation

### Authorization & RBAC/ABAC

- Role-based access control
- Attribute-based control
- Permission granularity
- Escalation prevention

### Data Protection

- Encryption at rest
- Encryption in transit
- Key management
- Data classification

### Secrets Management

- API key handling
- Database credentials
- Token management
- Rotation policies

### API Security

- Rate limiting
- Input validation
- Output encoding
- CORS configuration

### Dependency Security

- Vulnerability scanning
- Outdated package detection
- License compliance
- Supply chain risks

### Infrastructure Security

- TLS/SSL configuration
- Security headers
- Firewall rules
- Network segmentation

### Incident Response

- Logging and monitoring
- Alerting mechanisms
- Incident procedures
- Recovery capability

## Output Format

```
STAGE 4: SECURITY & COMPLIANCE VALIDATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OWASP TOP 10 ASSESSMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

A1: Injection ✗ CRITICAL ISSUES
  🔴 [lib/database.py:78] SQL injection (CVSS 9.8)
     Recommendation: Use parameterized queries

A2: Broken Authentication ✓ PASS

A3: Sensitive Data Exposure ✗ CRITICAL ISSUES
  🔴 [config.ts:45] Hardcoded API key (CVSS 9.1)
     Recommendation: Rotate the key and move it to environment variables

[... A4-A10 ...]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ENTERPRISE SECURITY CONTROLS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Authentication: ✓ GOOD
  ✓ JWT properly implemented
  ✓ Token expiration set
  ⚠ MFA not implemented (optional)

Authorization: ⚠ PARTIAL
  ✓ Basic RBAC in place
  ⚠ No ABAC for fine-grained control
  ⚠ Missing row-level security

Data Protection: ✗ NEEDS ATTENTION
  ✗ No encryption at rest
  ✓ TLS for transit
  🟡 Key management basic

Secrets Management: ✗ CRITICAL
  🔴 API keys hardcoded
  🔴 No rotation policy
  Recommendation: Use a secrets vault

Dependency Security: ✓ GOOD
  ✓ No critical CVEs
  🟡 4 packages outdated (consider updating)

Infrastructure Security: ⚠ PARTIAL
  ✓ TLS configured
  🟡 Missing security headers
  🟡 CORS potentially too open

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CRITICAL FINDINGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

MUST FIX IMMEDIATELY:
1. SQL injection in database.py:78 (CVSS 9.8)
2. Hardcoded API key in config.ts:45 (CVSS 9.1)
3. No encryption at rest

COMPLIANCE STATUS: CONDITIONAL PASS
Can merge once the critical issues are fixed
```

## What This Agent Does NOT Do

- ❌ Code quality analysis (Code Review Agent)
- ❌ Architecture evaluation (Architecture Agent)
- ❌ Stakeholder perspectives (Multi-Perspective Agent)

**Focused exclusively on security and compliance**

## Input

```
{
  "code_files": "Source code to analyze",
  "dependencies": "List of packages/libraries",
  "configuration": "Config files (sanitized)",
  "infrastructure": "Infrastructure setup",
  "compliance_requirements": "Relevant standards"
}
```

## Output

```
{
  "stage": 4,
  "owasp": [
    {
      "item": "A1: Injection",
      "status": "CRITICAL",
      "findings": [
        {
          "type": "SQL injection",
          "location": "lib/database.py:78",
          "severity": "CRITICAL",
          "cvss": 9.8,
          "recommendation": "Use parameterized queries"
        }
      ]
    },
    // ... other OWASP items
  ],
  "enterprise_controls": {
    "authentication": "GOOD",
    "authorization": "PARTIAL",
    "data_protection": "NEEDS_ATTENTION",
    // ...
  },
  "critical_issues": 3,
  "warnings": 5,
  "compliance": "CONDITIONAL_PASS"
}
```

## Security Scoring

```
SECURITY SCORE: 68/100

Breakdown:
- OWASP Coverage: 60% (6/10 pass)
- Enterprise Controls: 70%
- Dependency Safety: 85%
- Compliance: 75%

Critical Issues: 3 (must fix)
High Issues: 5 (should fix)
Medium Issues: 8 (nice to fix)
Low Issues: 2 (future)

Verdict: Fix critical issues before production
```

## Performance

- **Time:** 8-12 minutes
- **Context Usage:** Code for security patterns only (~25KB typical)
- **Accuracy:** 95%+ detection of common vulnerabilities (static pattern matching; authorization logic flaws and runtime-only issues still need manual review or dynamic testing)
- **Parallelizable:** Yes

## Language-Specific Checks

### Python

- SQL injection patterns
- Pickle deserialization
- eval() usage
- Type hint enforcement
- requirements.txt vulnerabilities

### JavaScript/TypeScript

- XSS vulnerabilities
- eval() usage and eval injection
- npm audit checks
- OWASP patterns

### Dart/Flutter

- Platform channel security
- Plugin vulnerabilities
- Dart security patterns
- pub.dev vulnerability checks

### Go

- SQL injection patterns
- TLS configuration
- Error handling (panic)
- Race conditions
- Go module vulnerabilities

### Rust

- Unsafe block usage
- Panic handling
- Cryptography patterns
- Cargo security checks

## Use Cases

### Perfect For:

- ✅ Pre-release security audit
- ✅ Compliance validation
- ✅ Vulnerability detection
- ✅ Dependency scanning
- ✅ Security posture assessment
- ✅ Incident investigation

### Use Other Agents For:

- ❌ Code quality (Code Review Agent)
- ❌ Architecture (Architecture Agent)
- ❌ Stakeholder feedback (Multi-Perspective Agent)

## Installation

```bash
cp security-compliance-agent.md ~/.claude/skills/
```

## Version History

### v2.0.0 (Parallel Agent)

- Sub-agent architecture
- Full OWASP Top 10 coverage
- Enterprise controls assessment
- CVE database integration

### v1.0.0 (Sequential)

- Deprecated

---

**Status:** Production Ready
**Execution:** Parallel Sub-Agent
**Context:** Security patterns only
**Speed:** 8-12 minutes
**Focus:** Security & Compliance

The specialist for finding and fixing security issues.
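A runnable companion to the A8 finding and the Python "Pickle deserialization" check above, added here as example code rather than anything shipped with the agent: a constructed pickle payload whose load invokes a callable (a harmless `len` standing in for `os.system`), the allow-list `find_class` mitigation for code that cannot drop pickle yet, and the recommended JSON replacement with a schema check. The job shape `{"task": str, "args": list}` and the `SAFE_GLOBALS` entry are assumptions for the demo.

```python
import io
import json
import pickle

# Constructed malicious pickle: on load, the unpickler calls whatever callable
# __reduce__ names, with the given arguments. `len` keeps the demo harmless; a real
# payload names os.system, subprocess.Popen or similar. The Gadget class itself
# never appears in the stream, so the victim does not need to have it.
class Gadget:
    def __reduce__(self):
        return (len, ("executed-at-load-time",))

MALICIOUS_PAYLOAD = pickle.dumps(Gadget())

def load_unsafely(payload):
    """The flagged worker.py pattern: pickle.loads on data from an untrusted source.
    Returns whatever the attacker's callable returned; here len(...) == 21."""
    return pickle.loads(payload)

class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when pickle cannot be removed yet: allow-list the globals a stream
    may resolve. The GLOBAL opcode is refused before its callable can be invoked."""
    SAFE_GLOBALS = {("collections", "OrderedDict")}   # assumed: what this worker legitimately needs

    def find_class(self, module, name):
        if (module, name) in self.SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")

def load_restricted(payload):
    return RestrictedUnpickler(io.BytesIO(payload)).load()

# The recommended fix: a data-only format plus an explicit shape check.
def encode_job(job):
    return json.dumps(job, separators=(",", ":")).encode("utf-8")

def decode_job(payload):
    """Parse a job message; reject anything that is not {"task": str, "args": list}."""
    try:
        job = json.loads(payload.decode("utf-8"))
    except ValueError as exc:   # UnicodeDecodeError and JSONDecodeError both subclass ValueError
        raise ValueError("not a JSON job message") from exc
    if not (isinstance(job, dict) and set(job) == {"task", "args"}
            and isinstance(job["task"], str) and isinstance(job["args"], list)):
        raise ValueError("job does not match the expected schema")
    return job

def is_rejected(loader, payload):
    """True if `loader` refuses `payload` instead of acting on it."""
    try:
        loader(payload)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

if __name__ == "__main__":
    print("pickle.loads ran the payload's callable ->", load_unsafely(MALICIOUS_PAYLOAD))
    print("restricted unpickler rejected it        ->", is_rejected(load_restricted, MALICIOUS_PAYLOAD))
    print("JSON decoder rejected it                ->", is_rejected(decode_job, MALICIOUS_PAYLOAD))
    print(decode_job(encode_job({"task": "resize", "args": ["img.png", 640]})))
```

The allow-list unpickler is a stopgap: anything it permits is still callable during load, so the list must stay tiny and data-only. Switching the message format to JSON removes the class of bug rather than narrowing it, which is why the A8 recommendation leads with it.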