Security engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guidance, cryptography patterns, and security scanning tools. Use when the user asks about security reviews, threat analysis, vulnerability assessments, secure coding practices, security audits, attack surface analysis, CVE remediation, or security best practices.
90
78%
Does it follow best practices?
Impact
99%
1.06x
Average score across 6 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./engineering-team/senior-security/SKILL.md

STRIDE/DREAD threat modeling
DFD elements present | 100% | 100%
Trust boundary shown | 100% | 100%
STRIDE applied to Process | 0% | 100%
STRIDE per element matrix | 100% | 100%
DREAD scores present | 100% | 100%
DREAD formula correct | 0% | 100%
Threats table structure | 100% | 100%
Mitigations mapped | 100% | 100%
Residual risks documented | 100% | 100%
Recommendations section | 100% | 100%
threat_modeler.py used | 100% | 100%
JSON summary produced | 100% | 100%
Payment-specific threats | 100% | 100%

Cryptography algorithm selection and implementation
ECB mode replaced | 100% | 100%
Fixed IV eliminated | 100% | 100%
Authenticated encryption used | 100% | 100%
MD5 password hashing replaced | 100% | 100%
Fixed salt eliminated | 100% | 100%
Secure token generation | 100% | 100%
Hardcoded secret removed | 100% | 100%
HMAC-SHA256 for signing | 100% | 100%
Constant-time comparison | 100% | 100%
MD5 checksum replaced | 100% | 100%
Findings report produced | 100% | 100%

Security architecture design
OAuth 2.0 + PKCE for web | 0% | 100%
OIDC for identity federation | 100% | 100%
mTLS for service-to-service | 100% | 100%
JWT short expiration | 100% | 100%
All 5 defense-in-depth layers | 60% | 100%
Zero Trust: verify explicitly | 100% | 100%
Zero Trust: least privilege / JIT | 100% | 100%
Zero Trust: assume breach | 100% | 100%
AES-256-GCM for data at rest | 100% | 100%
TLS 1.3 for transit | 100% | 87%
Security headers listed | 100% | 100%
HSTS specified | 100% | 100%
Architecture decisions JSON | 100% | 100%
Rate limiting at perimeter | 100% | 100%

Secret scanning and secure code review
secret_scanner.py executed | 80% | 100%
Hardcoded secret flagged | 100% | 100%
SAST tool recommended | 100% | 100%
SQL injection identified | 100% | 100%
Parameterized queries recommended | 100% | 100%
Weak password hashing flagged | 100% | 100%
Argon2id or bcrypt recommended | 100% | 100%
Cookie flags missing flagged | 100% | 100%
Sensitive data logging flagged | 100% | 100%
Command injection via shell=True flagged | 100% | 100%
Four-tier severity used | 100% | 100%
Remediation plan produced | 100% | 100%

Vulnerability assessment and severity classification
Scope and methodology defined | 100% | 100%
Four-tier severity used | 50% | 50%
Impact x exploitability reasoning | 100% | 100%
SQL injection classified Critical | 100% | 100%
IDOR identified | 100% | 100%
Weak authentication identified | 100% | 100%
Hardcoded secret identified | 100% | 100%
Information exposure identified | 100% | 100%
Infrastructure issues identified | 100% | 100%
Remediation plan structured | 100% | 100%
Remediation deadlines present | 100% | 100%
Priority ordering by risk | 100% | 100%
Minimum 5 distinct findings | 100% | 100%

Incident response workflow and severity classification
All 6 phases present | 100% | 100%
Severity level assigned | 100% | 100%
Correct P1/P2 escalation | 100% | 100%
Response time target stated | 100% | 100%
Containment: isolate system | 100% | 100%
Containment: block IP/credentials | 100% | 100%
Evidence preservation mentioned | 100% | 100%
Eradication actions specified | 100% | 100%
Post-mortem timeline section | 75% | 100%
Root cause analysis section | 100% | 100%
Improvement actions specified | 100% | 100%
HIPAA/breach notification mentioned | 100% | 100%
967fe01