Вы не можете выбрать более 25 тем
Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
step-04a-subagent-security.md 3.1KB
step-04a-subagent-security.md 3.1KB
name: ‘step-04a-subagent-security’ description: ‘Subagent: Security NFR evidence audit’ subagent: true
outputFile: ‘/tmp/tea-nfr-security-{{timestamp}}.json’
Subagent 4A: Security NFR Evidence Audit
SUBAGENT CONTEXT
This is an isolated subagent running in parallel with other NFR domain evidence audits.
Your task: Assess SECURITY NFR domain only.
MANDATORY EXECUTION RULES
- ✅ Assess SECURITY only (not performance, reliability, scalability)
- ✅ Output structured JSON to temp file
- ❌ Do NOT assess other NFR domains
SUBAGENT TASK
1. Security Evidence Audit Categories
Assess the following security dimensions:
A) Authentication & Authorization:
- OAuth2/JWT implementation
- Session management
- Multi-factor authentication
- Role-based access control (RBAC)
B) Data Protection:
- Encryption at rest
- Encryption in transit (HTTPS/TLS)
- Sensitive data handling (PII, passwords)
- Database encryption
C) Input Validation:
- SQL injection prevention
- XSS prevention
- CSRF protection
- Input sanitization
D) API Security:
- Rate limiting
- API authentication
- CORS configuration
- Security headers
E) Secrets Management:
- Environment variables for secrets
- No hardcoded credentials
- Secret rotation policies
- Key management systems
2. Risk Assessment
For each category, determine status:
- PASS: Properly implemented
- CONCERN: Partially implemented or weak
- FAIL: Not implemented or critical vulnerability
- N/A: Not applicable to this system
3. Compliance Check
Common compliance standards:
- SOC2
- GDPR
- HIPAA
- PCI-DSS
- ISO 27001
OUTPUT FORMAT
{
"domain": "security",
"risk_level": "MEDIUM",
"findings": [
{
"category": "Authentication",
"status": "PASS",
"description": "OAuth2 with JWT tokens implemented",
"evidence": ["src/auth/oauth.ts", "JWT refresh token rotation"],
"recommendations": []
},
{
"category": "Data Encryption",
"status": "CONCERN",
"description": "Database encryption at rest not enabled",
"evidence": ["Database config shows no encryption"],
"recommendations": ["Enable database encryption at rest", "Use AWS RDS encryption or equivalent", "Implement key rotation policy"]
},
{
"category": "Input Validation",
"status": "FAIL",
"description": "SQL injection vulnerability in search endpoint",
"evidence": ["src/api/search.ts:42 - direct SQL concatenation"],
"recommendations": ["URGENT: Use parameterized queries", "Add input sanitization library", "Implement WAF rules"]
}
],
"compliance": {
"SOC2": "PARTIAL",
"GDPR": "PASS",
"HIPAA": "N/A",
"PCI-DSS": "FAIL"
},
"priority_actions": [
"Fix SQL injection vulnerability (URGENT)",
"Enable database encryption within 30 days",
"Implement rate limiting for all APIs"
],
"summary": "Security posture is MEDIUM risk with 1 critical vulnerability requiring immediate attention"
}
EXIT CONDITION
Subagent completes when JSON output written to temp file.
Subagent terminates here.