Agent skill
security
Secure backend applications against OWASP threats. Implement authentication, encryption, scanning, compliance, and incident response procedures.
Install this agent skill to your Project
npx add-skill https://github.com/pluginagentmarketplace/custom-plugin-backend/tree/main/skills/security
SKILL.md
Security Skill
Bonded to: testing-security-agent
Quick Start
# Invoke security skill
"Check my code for OWASP vulnerabilities"
"Implement JWT authentication securely"
"Prepare for GDPR compliance audit"
Instructions
- Assess Risks: Identify threats and vulnerabilities
- Implement Controls: Add authentication, encryption
- Configure Scanning: Set up SAST, DAST, SCA
- Ensure Compliance: Meet regulatory requirements
- Prepare Response: Create incident response plan
OWASP Top 10 (2025)
| # | Vulnerability | Prevention | Severity |
|---|---|---|---|
| 1 | Broken Access Control | RBAC, least privilege | Critical |
| 2 | Cryptographic Failures | Strong encryption, TLS | Critical |
| 3 | Injection | Parameterized queries | Critical |
| 4 | Insecure Design | Threat modeling | High |
| 5 | Security Misconfiguration | Hardening | High |
| 6 | Vulnerable Components | SCA scanning | High |
| 7 | Auth Failures | MFA, secure sessions | High |
| 8 | Data Integrity Failures | Signatures | Medium |
| 9 | Logging Failures | Audit logging | Medium |
| 10 | SSRF | Input validation | Medium |
Security Scanning Tools
| Type | Purpose | Tools |
|---|---|---|
| SAST | Static code | SonarQube, Semgrep |
| DAST | Dynamic testing | OWASP ZAP, Burp |
| SCA | Dependencies | Snyk, Dependabot |
| Container | Images | Trivy, Grype |
| Secrets | Detection | GitLeaks, TruffleHog |
Examples
Example 1: Secure Authentication
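```python
import os
import secrets
import time

from fastapi import Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer
from jose import jwt
from passlib.context import CryptContext

# Load the signing key from the environment (variable name is an example);
# never hard-code it in source.
SECRET_KEY = os.environ["SECRET_KEY"]
TOKEN_TTL_SECONDS = 15 * 60  # example value: keep access tokens short-lived

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

def hash_password(password: str) -> str:
    """Hash a password with bcrypt; passlib generates the per-password salt."""
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    """Check a candidate password against a stored bcrypt hash."""
    return pwd_context.verify(plain, hashed)

def create_token(user_id: str) -> str:
    """Issue a signed JWT with a unique ID (jti) and an expiry (exp)."""
    now = int(time.time())
    return jwt.encode(
        {"sub": user_id, "jti": secrets.token_urlsafe(16), "exp": now + TOKEN_TTL_SECONDS},
        SECRET_KEY,
        algorithm="HS256"
    )
```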
Example 2: SQL Injection Prevention
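```python
# `db` is an open database connection or session whose execute() accepts
# named parameters (for example, sqlite3.Connection).

# BAD - Vulnerable to SQL injection: input is spliced into the SQL text
def get_user_bad(user_id: str):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    return db.execute(query)

# GOOD - Parameterized query: input is sent as a bound value, never parsed as SQL
def get_user_good(user_id: str):
    query = "SELECT * FROM users WHERE id = :id"
    return db.execute(query, {"id": user_id})
```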
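Example 2's two query styles run against an in-memory SQLite database, using the input string from this page's test template; this is an added example, not part of the original skill. The table contents and function names are constructed for illustration.

```python
import sqlite3

# Input string taken from the page's test template.
PAYLOAD = "'; DROP TABLE users; --"

def make_db():
    """In-memory database with one constructed sample row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users VALUES ('1', 'alice')")
    return db

def get_user_concat(db, user_id):
    # Same pattern as get_user_bad: input is spliced into the SQL text.
    return db.execute(f"SELECT * FROM users WHERE id = '{user_id}'").fetchone()

def get_user_param(db, user_id):
    # Same pattern as get_user_good: input travels as a bound value.
    return db.execute("SELECT * FROM users WHERE id = :id", {"id": user_id}).fetchone()

def statement_was_altered(db, user_id):
    """True if the input changed the structure of the concatenated query."""
    try:
        get_user_concat(db, user_id)
    except (sqlite3.Warning, sqlite3.Error):
        # sqlite3 rejects malformed or multi-statement strings in execute();
        # hitting that rejection shows the input was parsed as SQL, not data.
        return True
    return False

def users_table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1
```

A `result is None` assertion alone passes whenever the lookup finds nothing, so a regression test should also assert that the table still exists, as `users_table_exists` does.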
Example 3: Security Headers
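```python
from fastapi import FastAPI
from starlette.middleware.base import BaseHTTPMiddleware

class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Attach a baseline set of security headers to every response."""

    async def dispatch(self, request, call_next):
        response = await call_next(request)
        # Stop browsers from MIME-sniffing the response body
        response.headers["X-Content-Type-Options"] = "nosniff"
        # Forbid framing to prevent clickjacking
        response.headers["X-Frame-Options"] = "DENY"
        # Legacy header: current browsers no longer ship the XSS filter, so rely on CSP
        response.headers["X-XSS-Protection"] = "1; mode=block"
        # HSTS: require HTTPS for one year
        response.headers["Strict-Transport-Security"] = "max-age=31536000"
        # Only load resources from the application's own origin
        response.headers["Content-Security-Policy"] = "default-src 'self'"
        return response

app = FastAPI()
app.add_middleware(SecurityHeadersMiddleware)
```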
Compliance Checklists
GDPR
- Lawful basis for processing
- Data minimization
- Right to access/deletion
- Breach notification (72h)
- DPO if required
PCI-DSS
- Encrypt cardholder data
- No CVV storage
- Access controls
- Regular testing
- Audit logging
Troubleshooting
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Token expired | Short TTL | Implement refresh tokens |
| CORS blocked | Missing headers | Configure CORS properly |
| Weak encryption | Old algorithms | Use AES-256, RSA-2048+ |
| SQL injection | String concat | Use parameterized queries |
Incident Response
Incident Detected
│
├─→ Contain: Isolate affected systems
├─→ Assess: Determine scope
├─→ Remediate: Fix vulnerability
├─→ Recover: Restore services
└─→ Post-mortem: Document & improve
Test Template
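```python
# tests/test_security.py
import pytest

# Placeholder module paths: point these at wherever your project defines
# the password helpers and the parameterized user lookup.
from app.auth import hash_password, verify_password
from app.db import get_user

class TestSecurityControls:
    def test_password_is_hashed(self):
        password = "secure123"
        hashed = hash_password(password)
        assert password not in hashed
        assert verify_password(password, hashed)

    def test_sql_injection_prevented(self):
        malicious_input = "'; DROP TABLE users; --"
        # Should not execute the DROP TABLE
        result = get_user(malicious_input)
        assert result is None  # User not found, not table dropped

    # `client` is a test-client fixture, e.g. defined in conftest.py
    def test_auth_required_for_protected_routes(self, client):
        response = client.get("/api/v1/users/me")
        assert response.status_code == 401
```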