Vulnerability Scanner
> Think like an attacker, defend like an expert. 2025 threat landscape awareness.
🔧 Runtime Scripts
Execute for automated validation:
| Script | Purpose | Usage |
|---|---|---|
| `scripts/security_scan.py` | Validate security principles applied | `python scripts/security_scan.py <project_path>` |
📋 Reference Files
| File | Purpose |
|---|---|
| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |
---
1. Security Expert Mindset
Core Principles
| Principle | Application |
|---|---|
| **Assume Breach** | Design as if attacker already inside |
| **Zero Trust** | Never trust, always verify |
| **Defense in Depth** | Multiple layers, no single point |
| **Least Privilege** | Minimum required access only |
| **Fail Secure** | On error, deny access |
Threat Modeling Questions
Before scanning, ask:
1. What are we protecting? (Assets)
2. Who would attack? (Threat actors)
3. How would they attack? (Attack vectors)
4. What's the impact? (Business risk)
---
2. OWASP Top 10:2025
Risk Categories
| Rank | Category | Think About |
|---|---|---|
| **A01** | Broken Access Control | Who can access what? IDOR, SSRF |
| **A02** | Security Misconfiguration | Defaults, headers, exposed services |
| **A03** | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
| **A04** | Cryptographic Failures | Weak crypto, exposed secrets |
| **A05** | Injection | User input → system commands |
| **A06** | Insecure Design | Flawed architecture |
| **A07** | Authentication Failures | Session, credential management |
| **A08** | Integrity Failures | Unsigned updates, tampered data |
| **A09** | Logging & Alerting | Blind spots, no monitoring |
| **A10** | Exceptional Conditions 🆕 | Error handling, fail-open states |
2025 Key Changes
---
3. Supply Chain Security (A03)
Attack Surface
| Vector | Risk | Question to Ask |
|---|---|---|
| **Dependencies** | Malicious packages | Do we audit new deps? |
| **Lock files** | Integrity attacks | Are they committed? |
| **Build pipeline** | CI/CD compromise | Who can modify? |
| **Registry** | Typosquatting | Verified sources? |
Defense Principles
- Verify package integrity (checksums)
- Pin versions, audit updates
- Use private registries for critical deps
- Sign and verify artifacts
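An added example (not part of this skill's own scripts) of the first two principles: it audits a pip-style requirements file for entries that are not pinned with `==` or carry no `--hash=sha256:` value, and checks a downloaded artifact against its pinned digest. The package names, artifact bytes and requirements text are constructed for the demonstration.

```python
import hashlib
import hmac
import re

# name, optional [extras], then an exact == pin
PIN = re.compile(r"^[A-Za-z0-9._-]+(\[[^\]]+\])?==[^\s;]+")

def audit_requirements(text):
    """Return (name, problem) for entries that are unpinned or have no hash."""
    findings = []
    # Join backslash continuations so each requirement is one logical entry.
    for entry in text.replace("\\\n", " ").splitlines():
        entry = entry.split("#", 1)[0].strip()       # drop comments
        if not entry or entry.startswith("-"):       # skip blank lines and options
            continue
        name = re.split(r"[=<>~!\[; ]", entry, maxsplit=1)[0]
        if not PIN.match(entry):
            findings.append((name, "version not pinned with =="))
        elif "--hash=sha256:" not in entry:
            findings.append((name, "no --hash, integrity not checked"))
    return findings

def verify_artifact(data, expected_sha256):
    """Compare the artifact's SHA-256 with the pinned value; any mismatch is a reject."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())

# Constructed sample data: a stand-in artifact and a requirements file that pins it.
ARTIFACT = b"constructed wheel contents"
GOOD = hashlib.sha256(ARTIFACT).hexdigest()
REQUIREMENTS = (
    "# constructed example\n"
    "requests>=2.0\n"
    "flask==3.0.0\n"
    "examplepkg==1.2.3 \\\n"
    "    --hash=sha256:" + GOOD + "\n"
)

if __name__ == "__main__":
    for name, problem in audit_requirements(REQUIREMENTS):
        print(f"{name}: {problem}")
    print("artifact ok:", verify_artifact(ARTIFACT, GOOD))
    print("tampered ok:", verify_artifact(ARTIFACT + b"x", GOOD))
```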
---
4. Attack Surface Mapping
What to Map
| Category | Elements |
|---|---|
| **Entry Points** | APIs, forms, file uploads |
| **Data Flows** | Input → Process → Output |
| **Trust Boundaries** | Where auth/authz checked |
| **Assets** | Secrets, PII, business data |
Prioritization Matrix
---
5. Risk Prioritization
CVSS + Context
| Factor | Weight | Question |
|---|---|---|
| **CVSS Score** | Base severity | How severe is the vuln? |
| **EPSS Score** | Exploit likelihood | Is it being exploited? |
| **Asset Value** | Business context | What's at risk? |
| **Exposure** | Attack surface | Internet-facing? |
Prioritization Decision Tree
---
6. Exceptional Conditions (A10 - New)
Fail-Open vs Fail-Closed
| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
|---|---|---|
| Auth error | Allow access | Deny access |
| Parsing fails | Accept input | Reject input |
| Timeout | Retry forever | Limit + abort |
What to Check
- Exception handlers that catch-all and ignore
- Missing error handling on security operations
- Race conditions in auth/authz
- Resource exhaustion scenarios
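An added example (not part of this skill's own scripts) that puts the three table rows side by side: a catch-all check that fails open, and a fail-closed check that denies on any error, on an ambiguous result, and after a bounded number of timeouts. `PolicyTimeout`, the lookup callables and the user and resource names are hypothetical.

```python
import time

class PolicyTimeout(Exception):
    """Hypothetical error raised when the policy backend does not answer."""

def check_fail_open(policy_lookup, user, resource):
    # Anti-pattern: the catch-all handler turns any backend failure into "allow".
    try:
        return policy_lookup(user, resource)
    except Exception:
        return True

def check_fail_closed(policy_lookup, user, resource, max_attempts=3, backoff=0.0):
    """Return True only on an explicit allow; deny on error, timeout or odd data."""
    for attempt in range(1, max_attempts + 1):
        try:
            decision = policy_lookup(user, resource)
        except PolicyTimeout:
            if attempt == max_attempts:
                return False              # limit + abort instead of retrying forever
            time.sleep(backoff * attempt)
            continue
        except Exception:
            return False                  # unexpected failure: deny
        return decision is True           # "yes", 1 or None are not an allow
    return False

# Constructed backends standing in for a real policy service.
def timing_out_backend(calls):
    def lookup(user, resource):
        calls.append((user, resource))
        raise PolicyTimeout("policy service did not answer")
    return lookup

def broken_backend(user, resource):
    raise KeyError("malformed policy document")

def demo():
    calls = []
    return {
        "open_on_error": check_fail_open(broken_backend, "user-a", "/admin"),
        "closed_on_error": check_fail_closed(broken_backend, "user-a", "/admin"),
        "closed_on_timeout": check_fail_closed(timing_out_backend(calls), "user-a", "/admin"),
        "timeout_attempts": len(calls),
        "closed_on_ambiguous": check_fail_closed(lambda u, r: "yes", "user-a", "/admin"),
        "closed_on_allow": check_fail_closed(lambda u, r: True, "user-b", "/report"),
    }

if __name__ == "__main__":
    print(demo())
```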
---
7. Scanning Methodology
Phase-Based Approach
---
8. Code Pattern Analysis
High-Risk Patterns
| Pattern | Risk | Look For |
|---|---|---|
| **String concat in queries** | Injection | `"SELECT * FROM " + user_input` |
| **Dynamic code execution** | RCE | `eval()`, `exec()`, `Function()` |
| **Unsafe deserialization** | RCE | `pickle.loads()`, `unserialize()` |
| **Path manipulation** | Traversal | User input in file paths |
| **Disabled security** | Various | `verify=False`, `--insecure` |
Secret Patterns
| Type | Indicators |
|---|---|
| API Keys | `api_key`, `apikey`, high entropy |
| Tokens | `token`, `bearer`, `jwt` |
| Credentials | `password`, `secret`, `key` |
| Cloud | `AWS_`, `AZURE_`, `GCP_` prefixes |
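An added example (not the contents of `scripts/security_scan.py`) that turns several rows of the two tables above into a line scanner: regexes for the high-risk patterns, plus name indicators combined with Shannon entropy for hardcoded secrets. The sample source lines, the secret values and the 3.0 bits-per-character threshold are constructed assumptions.

```python
import math
import re

# Regexes for rows of the High-Risk Patterns table; tune per codebase.
RISK_PATTERNS = [
    ("Injection", re.compile(r"""["'](?:SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']\s*\+""", re.I)),
    ("RCE: dynamic code execution", re.compile(r"\b(?:eval|exec|Function)\s*\(")),
    ("RCE: unsafe deserialization", re.compile(r"\b(?:pickle\.loads|unserialize)\s*\(")),
    ("Disabled security", re.compile(r"\bverify\s*=\s*False\b|--insecure\b")),
]
# Name indicators from the Secret Patterns table; bare `key` is left out to limit noise.
SECRET_ASSIGN = re.compile(
    r"""\b(\w*(?:api_?key|token|bearer|jwt|password|secret)\w*|(?:AWS|AZURE|GCP)_\w+)"""
    r"""\s*[:=]\s*["']([^"']{8,})["']""", re.I)
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off, not from the page

def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(lines):
    """Return (line_no, finding); secret values are never echoed, only their names."""
    findings = []
    for no, line in enumerate(lines, 1):
        for label, rx in RISK_PATTERNS:
            if rx.search(line):
                findings.append((no, label))
        m = SECRET_ASSIGN.search(line)
        if m:
            level = "high" if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD else "low"
            findings.append((no, f"Secret ({level} entropy): {m.group(1)}"))
    return findings

# Constructed sample input; the last line is a deliberate non-match (evaluate != eval).
SAMPLE = '''query = "SELECT * FROM users WHERE id = " + user_input
result = eval(request.args["expr"])
obj = pickle.loads(blob)
requests.get(url, verify=False)
api_key = "Zx9qLm4TvR8pWk2N"
password = "changeme"
total = evaluate(items)
'''.splitlines()

if __name__ == "__main__":
    for no, finding in scan(SAMPLE):
        print(f"line {no}: {finding}")
```

A low-entropy hit such as `password = "changeme"` is still a hardcoded credential; the entropy level only helps rank findings against placeholders.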
---
9. Cloud Security Considerations
Shared Responsibility
| Layer | You Own | Provider Owns |
|---|---|---|
| Data | ✅ | ❌ |
| Application | ✅ | ❌ |
| OS/Runtime | Depends | Depends |
| Infrastructure | ❌ | ✅ |
Cloud-Specific Checks
- IAM: Least privilege applied?
- Storage: Public buckets?
- Network: Security groups tightened?
- Secrets: Using secrets manager?
---
10. Anti-Patterns
| ❌ Don't | ✅ Do |
|---|---|
| Scan without understanding | Map attack surface first |
| Alert on every CVE | Prioritize by exploitability + asset |
| Ignore false positives | Maintain verified baseline |
| Fix symptoms only | Address root causes |
| Scan once before deploy | Continuous scanning |
| Trust third-party deps blindly | Verify integrity, audit code |
---
11. Reporting Principles
Finding Structure
Each finding should answer:
1. What? - Clear vulnerability description
2. Where? - Exact location (file, line, endpoint)
3. Why? - Root cause explanation
4. Impact? - Business consequence
5. How to fix? - Specific remediation
Severity Classification
| Severity | Criteria |
|---|---|
| **Critical** | RCE, auth bypass, mass data exposure |
| **High** | Data exposure, privilege escalation |
| **Medium** | Limited scope, requires conditions |
| **Low** | Informational, best practice |
---
> Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"
When to Use
Use this skill to execute the workflow or actions described in the overview.