Security Audit Workflow
Comprehensive security assessment process.
Phase 1: Threat Assessment
Agents: security-auditor
Scope:
- Authentication & authorization
- Data protection
- API security
- Dependency vulnerabilities
- Infrastructure security
Output: Threat model, risk assessment, priority list
Phase 2: Automated Scanning
Agents: security-auditor
Tools to run:
- Dependency check (npm audit, pip-audit, cargo audit)
- Static analysis (semgrep, bandit, etc.)
- Secret scanning (trufflehog, gitleaks)
Output: Vulnerability report with severity ratings
Phase 3: Manual Code Review
Agents: security-auditor
Focus areas:
- Input validation
- Output encoding
- Authentication logic
- Authorization checks
- Cryptography usage
- Session management
Phase 4: Penetration Testing
Agents: security-auditor
Test for:
- SQL injection
- XSS attacks
- CSRF attacks
- Authentication bypass
- Privilege escalation
Phase 5: Remediation Planning
Agents: requirements-analyst
- Create fix tasks from vulnerability report
- Prioritize by severity
- Estimate timeline
- Allocate resources
Phase 6: Fix Implementation
Blocking: Validation required before proceeding
Phase 7: Security Validation
Agents: security-auditor
- Retest all identified vulnerabilities
- Regression checks
- Verify fixes don't introduce new issues
Phase 8: Documentation
Agents: technical-writer
- Security audit report
- Compliance documentation
- Security best practices guide
Phase 9: Compliance Check
Agents: security-auditor
Standards:
- OWASP Top 10
- GDPR (if applicable)
- SOC2 (if applicable)
- HIPAA (if applicable)
Success Criteria
- [ ] All critical vulnerabilities fixed
- [ ] All high vulnerabilities fixed
- [ ] Compliance requirements met
- [ ] Security tests pass
Severity Levels
| Level | Response Time | Examples | |-------|---------------|----------| | Critical | Immediate | RCE, auth bypass, data breach | | High | 24-48h | SQL injection, privilege escalation | | Medium | 1 week | XSS, CSRF, information disclosure | | Low | Next sprint | Best practice violations |