Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
Vulnerability Scanner
Think like an attacker, defend like an expert. 2025 threat landscape awareness.
Runtime Scripts
Execute for automated validation:
| Script | Purpose | Usage |
|--------|---------|-------|
| scripts/security_scan.py | Validate security principles applied | python scripts/security_scan.py <project_path> |
Reference Files
| File | Purpose |
|------|---------|
| checklists.md | OWASP Top 10, Auth, API, Data protection checklists |
1. Security Expert Mindset
Core Principles
| Principle | Application |
|-----------|-------------|
| Assume Breach | Design as if attacker already inside |
| Zero Trust | Never trust, always verify |
| Defense in Depth | Multiple layers, no single point |
| Least Privilege | Minimum required access only |
| Fail Secure | On error, deny access |
Threat Modeling Questions
Before scanning, ask:
What are we protecting? (Assets)
Who would attack? (Threat actors)
How would they attack? (Attack vectors)
What's the impact? (Business risk)
2. OWASP Top 10:2025
Risk Categories
| Rank | Category | Think About |
|------|----------|-------------|
| A01 | Broken Access Control | Who can access what? IDOR, SSRF |
| A02 | Security Misconfiguration | Defaults, headers, exposed services |
| A03 | Software Supply Chain (new) | Dependencies, CI/CD, build integrity |
| A04 | Cryptographic Failures | Weak crypto, exposed secrets |
| A05 | Injection | User input → system commands |
| A06 | Insecure Design | Flawed architecture |
| A07 | Authentication Failures | Session, credential management |
| A08 | Integrity Failures | Unsigned updates, tampered data |
| A09 | Logging & Alerting | Blind spots, no monitoring |
| A10 | Exceptional Conditions (new) | Error handling, fail-open states |
2025 Key Changes
2021 → 2025 Shifts:
├── SSRF merged into A01 (Access Control)
├── A02 elevated (Cloud/Container configs)
├── A03 NEW: Supply Chain (major focus)
├── A10 NEW: Exceptional Conditions
└── Focus shift: Root causes > Symptoms
3. Supply Chain Security (A03)
Attack Surface
| Vector | Risk | Question to Ask |
|--------|------|-----------------|
| Dependencies | Malicious packages | Do we audit new deps? |
| Lock files | Integrity attacks | Are they committed? |
| Build pipeline | CI/CD compromise | Who can modify? |
| Registry | Typosquatting | Verified sources? |
Defense Principles
Verify package integrity (checksums)
Pin versions, audit updates
Use private registries for critical deps
Sign and verify artifacts
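An added example (not part of the original skill or its scripts) of the first two principles: it audits a pip-style requirements file for unpinned versions and missing `--hash=sha256:` entries, and verifies a downloaded artifact against its pinned digest. The package names, artifact bytes and digest are constructed for the demonstration.

```python
import hashlib
import hmac
import re

PINNED = re.compile(r"^[A-Za-z0-9._-]+(\[[^\]]+\])?==[^\s;]+")
HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def audit_requirements(text):
    """Return (package, issue) pairs for lines that are unpinned or unhashed."""
    issues = []
    # Join backslash continuations so each requirement is one logical line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank lines, comments, global options
        name = re.split(r"[=<>!~\[ ;]", line, maxsplit=1)[0]
        if not PINNED.match(line):
            issues.append((name, "not pinned to an exact version"))
        if not HASH.search(line):
            issues.append((name, "no sha256 hash"))
    return issues

def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Compare the artifact digest to the pinned one in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

# Constructed sample data: hypothetical packages and a fake artifact.
ARTIFACT = b"constructed wheel bytes"
GOOD_HASH = hashlib.sha256(ARTIFACT).hexdigest()
REQUIREMENTS = f"""\
# constructed sample
alpha-lib==1.2.3 \\
    --hash=sha256:{GOOD_HASH}
beta-lib>=2.0
gamma-lib==1.3.0
"""

if __name__ == "__main__":
    for package, issue in audit_requirements(REQUIREMENTS):
        print(f"{package}: {issue}")
    print("artifact ok:", verify_artifact(ARTIFACT, GOOD_HASH))
```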
4. Attack Surface Mapping
What to Map
| Category | Elements |
|----------|----------|
| Entry Points | APIs, forms, file uploads |
| Data Flows | Input → Process → Output |
| Trust Boundaries | Where auth/authz checked |
| Assets | Secrets, PII, business data |
Prioritization Matrix
Risk = Likelihood × Impact
High Impact + High Likelihood → CRITICAL
High Impact + Low Likelihood → HIGH
Low Impact + High Likelihood → MEDIUM
Low Impact + Low Likelihood → LOW
5. Risk Prioritization
CVSS + Context
| Factor | Weight | Question |
|--------|--------|----------|
| CVSS Score | Base severity | How severe is the vuln? |
| EPSS Score | Exploit likelihood | Is it being exploited? |
| Asset Value | Business context | What's at risk? |
| Exposure | Attack surface | Internet-facing? |
Prioritization Decision Tree
Is it actively exploited (EPSS >0.5)?
├── YES → CRITICAL: Immediate action
└── NO → Check CVSS
    ├── CVSS ≥9.0 → HIGH
    ├── CVSS 7.0-8.9 → Consider asset value
    └── CVSS <7.0 → Schedule for later
6. Exceptional Conditions (A10 - New)
Fail-Open vs Fail-Closed
| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
|----------|-----------------|--------------------|
| Auth error | Allow access | Deny access |
| Parsing fails | Accept input | Reject input |
| Timeout | Retry forever | Limit + abort |
What to Check
Exception handlers that catch-all and ignore
Missing error handling on security operations
Race conditions in auth/authz
Resource exhaustion scenarios
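The three rows of the fail-open vs fail-closed table, shown as an added example that is not code from the original skill: a catch-all handler that grants access, next to a version that retries a bounded number of times and then denies, plus a parser that rejects bad input. `AuthBackendError`, `FlakyBackend` and the function names are hypothetical.

```python
import time

class AuthBackendError(Exception):
    """Raised by the (hypothetical) auth backend when it cannot answer."""

def is_allowed_fail_open(check, user, resource):
    # Anti-pattern: catch-all handler that swallows the error and grants access.
    try:
        return check(user, resource)
    except Exception:
        return True

def is_allowed_fail_closed(check, user, resource, retries=2, delay=0.0):
    # Timeout row: limited retries on backend errors, then abort with a deny.
    for attempt in range(retries + 1):
        try:
            # Only an explicit True grants access; None or truthy junk denies.
            return check(user, resource) is True
        except AuthBackendError:
            if attempt < retries:
                time.sleep(delay)
        except Exception:
            return False  # unexpected failure in a security operation: deny
    return False

def parse_user_id_fail_closed(raw):
    # Parsing row: reject anything that is not a short ASCII decimal string.
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()) or len(raw) > 10:
        raise ValueError("invalid user id")
    return int(raw)

# Constructed backends for the demonstration.
def backend_down(user, resource):
    raise AuthBackendError("timeout")

class FlakyBackend:
    def __init__(self, failures):
        self.failures, self.calls = failures, 0
    def __call__(self, user, resource):
        self.calls += 1
        if self.calls <= self.failures:
            raise AuthBackendError("timeout")
        return user == "alice"

if __name__ == "__main__":
    print("fail-open:", is_allowed_fail_open(backend_down, "mallory", "/admin"))
    print("fail-closed:", is_allowed_fail_closed(backend_down, "mallory", "/admin"))
```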
7. Scanning Methodology
Phase-Based Approach
1. RECONNAISSANCE
   └── Understand the target
       ├── Technology stack
       ├── Entry points
       └── Data flows
2. DISCOVERY
   └── Identify potential issues
       ├── Configuration review
       ├── Dependency analysis
       └── Code pattern search
3. ANALYSIS
   └── Validate and prioritize
       ├── False positive elimination
       ├── Risk scoring
       └── Attack chain mapping
4. REPORTING
   └── Actionable findings
       ├── Clear reproduction steps
       ├── Business impact
       └── Remediation guidance
8. Code Pattern Analysis
High-Risk Patterns
| Pattern | Risk | Look For |
|---------|------|----------|
| String concat in queries | Injection | "SELECT * FROM " + user_input |
| Dynamic code execution | RCE | eval(), exec(), Function() |
| Unsafe deserialization | RCE | pickle.loads(), unserialize() |
| Path manipulation | Traversal | User input in file paths |
| Disabled security | Various | verify=False, --insecure |
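An added example (not the skill's own scripts/security_scan.py) of searching for several of these patterns in Python source with the standard `ast` module rather than text matching, so comments and string contents do not produce hits. It covers only Python call sites; the sample source is constructed and is parsed, never executed.

```python
import ast

RISKY_CALLS = {"eval": "Dynamic code execution", "exec": "Dynamic code execution",
               "pickle.loads": "Unsafe deserialization"}

def call_name(func):
    # Render Name / dotted Attribute call targets as "a.b.c".
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""

def is_dynamic_string(node):
    # A value built at runtime: "..." + x, "..." % x, or an f-string with fields.
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return isinstance(node, ast.JoinedStr) and any(
        isinstance(v, ast.FormattedValue) for v in node.values)

def scan_source(source):
    """Return sorted (line, pattern, detail) findings for one source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node.func)
        if name in RISKY_CALLS:
            findings.append((node.lineno, RISKY_CALLS[name], name))
        if name.split(".")[-1] == "execute" and node.args and is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "String concat in queries", name))
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                findings.append((node.lineno, "Disabled security", "verify=False"))
    return sorted(findings)

# Constructed sample source.
SAMPLE = '''\
import pickle, requests
def handler(cur, user_input, blob):
    cur.execute("SELECT * FROM " + user_input)
    cur.execute("SELECT * FROM t WHERE id = %s", (user_input,))
    obj = pickle.loads(blob)
    requests.get("https://example.invalid", verify=False)
    return eval(user_input)
'''
```

The parameterized query on sample line 4 is not reported; aliased imports such as `from pickle import loads` are outside what this sketch resolves.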
Secret Patterns
| Type | Indicators |
|------|------------|
| API Keys | api_key, apikey, high entropy |
| Tokens | token, bearer, jwt |
| Credentials | password, secret, key |
| Cloud | AWS_, AZURE_, GCP_ prefixes |
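An added example (not from the original skill) that combines the name indicators in the table with a Shannon-entropy check on the assigned value. The length and entropy thresholds, the placeholder list and the sample lines are assumptions made for the demonstration; findings report the variable name only, never the value.

```python
import math
import re

NAME_HINT = re.compile(
    r"api_?key|token|bearer|jwt|password|secret|key|AWS_|AZURE_|GCP_", re.I)
ASSIGNMENT = re.compile(r"""([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']+)["']""")
PLACEHOLDERS = {"changeme", "example", "your-api-key-here", "xxx"}

def shannon_entropy(s):
    # Bits per character over the string's own character distribution.
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_line(line, min_len=16, min_entropy=3.5):
    hits = []
    for name, value in ASSIGNMENT.findall(line):
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue  # documented placeholder or environment reference
        named = bool(NAME_HINT.search(name))
        random_looking = len(value) >= min_len and shannon_entropy(value) >= min_entropy
        if named and random_looking:
            hits.append((name, "high"))
        elif named or random_looking:
            hits.append((name, "review"))
    return hits

def scan_lines(lines):
    return [(n, name, level)
            for n, line in enumerate(lines, start=1)
            for name, level in scan_line(line)]

# Constructed sample lines; the values are made up, not real credentials.
SAMPLE_LINES = [
    'api_key = "q8Zr2LmX0vT9bKc4Yh7NwPd1sGf6JeUa"',
    'password = "changeme"',
    'db_password = "hunter2"',
    'build_id = "f3A9kQ27xLp0Zt81VbNc6YdR"',
    'greeting = "hello world hello world"',
    'AWS_REGION = "us-east-1"',
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

The `AWS_REGION` hit is a deliberate false positive: name matching alone needs a verified baseline to suppress known-benign entries.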
9. Cloud Security Considerations
Shared Responsibility
| Layer | You Own | Provider Owns |
|-------|---------|---------------|
| Data | Yes | No |
| Application | Yes | No |
| OS/Runtime | Depends | Depends |
| Infrastructure | No | Yes |
Cloud-Specific Checks
IAM: Least privilege applied?
Storage: Public buckets?
Network: Security groups tightened?
Secrets: Using secrets manager?
10. Anti-Patterns
| Don't | Do |
|-------|----|
| Scan without understanding | Map attack surface first |
| Alert on every CVE | Prioritize by exploitability + asset |
| Ignore false positives | Maintain verified baseline |
| Fix symptoms only | Address root causes |
| Scan once before deploy | Continuous scanning |
| Trust third-party deps blindly | Verify integrity, audit code |
11. Reporting Principles
Finding Structure
Each finding should answer:
What? - Clear vulnerability description
Where? - Exact location (file, line, endpoint)
Why? - Root cause explanation
Impact? - Business consequence
How to fix? - Specific remediation
Severity Classification
| Severity | Criteria |
|----------|----------|
| Critical | RCE, auth bypass, mass data exposure |
| High | Data exposure, privilege escalation |
| Medium | Limited scope, requires conditions |
| Low | Informational, best practice |
Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"