Security Standards
npx machina-cli add skill hoangnguyen0403/agent-skills-standard/security-standards --openclaw
Security Standards - High-Density Standards
Universal security protocols for building safe and resilient software.
Priority: P0 (CRITICAL)
🛡 Data Safeguarding
- Zero Trust: Never trust external input. Sanitize and validate every data boundary (API, UI, CSV).
- Least Privilege: Grant minimum necessary permissions to users, services, and containers.
- No Hardcoded Secrets: Use environment variables or secret managers. Never commit keys or passwords.
- Encryption: Use modern, well-vetted algorithms (AES-256 for data-at-rest; TLS 1.3 for data-in-transit).
🧱 Secure Coding Practices
- Injection Prevention: Use parameterized queries or ORMs to stop SQL, Command, and XSS injections.
- Dependency Management: Regularly scan (audit) and update third-party libraries to patch CVEs.
- Secure Auth: Implement Multi-Factor Authentication (MFA) and secure session management.
- Error Privacy: Never leak stack traces or internal implementation details to the end-user.
🔍 Continuous Security
- Shift Left: Integrate security scanners (SAST/DAST) early in the CI/CD pipeline.
- Data Minimization: Collect and store only the absolute minimum data required for the business logic.
- Logging: Maintain audit logs for sensitive operations (Auth, Deletion, Admin changes).
🚫 Anti-Patterns
- Hardcoded Secrets: **No Secrets in Git**: Use Secret Managers or Env variables.
- Raw SQL: **No String Concatenation**: Use Parameterized queries or ORMs.
- Leaking Context: **No Stacktraces in Prod**: Return generic error codes to clients.
- Insecure Defaults: **No Default Passwords**: Force rotation and strong entropy.
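The Raw SQL and Leaking Context anti-patterns next to their fixes, as an added example that is not part of the original skill file. The table, the function names and the INTERNAL_ERROR code are assumptions, and the sample data is constructed.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app")

def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "viewer")])
    return conn

def find_user_concat(conn, name):
    # Anti-pattern (Raw SQL): input is spliced into the statement text,
    # so quote characters in `name` change the query's structure.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user(conn, name):
    # Parameterized: the driver binds `name` as a value, never as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def handle_lookup(conn, name, finder=find_user):
    """Return a client-safe response; details stay in the server log."""
    try:
        return {"status": 200, "users": finder(conn, name)}
    except sqlite3.Error:
        ref = uuid.uuid4().hex  # correlation id to locate the log entry
        log.exception("user lookup failed ref=%s", ref)
        # Generic code only: no SQL text, no stack trace, no driver message.
        return {"status": 500, "error": "INTERNAL_ERROR", "ref": ref}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed hostile input
    print(find_user_concat(db, crafted))  # every row comes back
    print(find_user(db, crafted))         # no rows: treated as a literal name
    # A stray quote breaks the concatenated query; the client sees a generic 500.
    print(handle_lookup(db, "o'brien", finder=find_user_concat))
```

The `ref` value lets support staff match a client report to the full traceback in the server log without exposing it.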
Source
git clone https://github.com/hoangnguyen0403/agent-skills-standard/blob/develop/.github/skills/common/security-standards/SKILL.md
Overview
Security Standards define Zero Trust, Least Privilege, and robust secret management to build safe and resilient software. It also covers secure coding, encryption, and continuous security practices to prevent data leakage and vulnerabilities.
How This Skill Works
The standard enforces strict data boundaries and least privilege across users, services, and containers. It uses modern encryption (AES-256 at rest, TLS 1.3 in transit), secret managers, MFA, and CI/CD security scanners (SAST/DAST) to detect and block risks early.
When to Use It
- When designing apps that handle sensitive data or require strong access control.
- When deploying microservices or containers needing least privilege.
- When migrating from hardcoded secrets to secret managers.
- When building secure CI/CD pipelines with SAST/DAST.
- When enforcing security logging, audit trails, and error privacy.
Quick Start
- Step 1: Map data boundaries and apply Zero Trust across APIs, UI, and data stores.
- Step 2: Replace hardcoded secrets with secret managers; enable environment vars and TLS.
- Step 3: Integrate SAST/DAST in CI/CD, implement MFA, data minimization, and logging.
Best Practices
- Enforce Zero Trust at API, UI, and data boundaries.
- Never hardcode secrets; use secret managers and environment variables.
- Implement MFA and secure session management.
- Use parameterized queries or ORMs to prevent injections.
- Integrate SAST/DAST in CI/CD and patch dependencies to fix CVEs.
Example Use Cases
- Switch a monolith to secret management and TLS 1.3.
- Add MFA and secure sessions to login.
- Replace raw SQL with parameterized queries.
- Implement audit logs for admin actions and sensitive operations.
- Shift security left by adding static/dynamic scanners in the CI pipeline.