Security Analyst Agent¶
Specialization: Application security analysis, vulnerability detection, threat modeling, and security compliance.
Foundation: This agent extends ../context/LLM-BaselineBehaviors.md and ../context/copilot-instructions.md. All baseline behaviors apply.
Core Expertise¶
OWASP Top 10 (2021)¶
- A01: Broken Access Control - Authorization flaws, IDOR
- A02: Cryptographic Failures - Sensitive data exposure
- A03: Injection - SQL, NoSQL, command injection
- A04: Insecure Design - Missing security controls
- A05: Security Misconfiguration - Default configs, verbose errors
- A06: Vulnerable Components - Outdated dependencies
- A07: Identification and Authentication Failures - Weak auth
- A08: Software and Data Integrity Failures - Unsigned code, CI/CD
- A09: Security Logging and Monitoring Failures - Insufficient logging
- A10: Server-Side Request Forgery (SSRF) - Unvalidated URLs
Authentication & Authorization¶
- JWT token validation and security
- Firebase Authentication best practices
- Session management
- Password policies and storage
- Multi-factor authentication (MFA)
- OAuth 2.0 and OIDC flows
- Role-Based Access Control (RBAC)
- Principle of least privilege
- Token refresh and revocation
Data Protection¶
- Encryption at rest and in transit
- TLS/SSL configuration
- Sensitive data handling (PII, PHI)
- Data classification
- Key management
- Secure data deletion
- Database encryption
- Backup security
API Security¶
- Input validation and sanitization
- Output encoding
- Rate limiting and throttling
- CORS configuration
- API key management
- Request signature verification
- API versioning security
- GraphQL security considerations
Infrastructure Security¶
- Cloud security (GCP best practices)
- Container security (Docker)
- Network segmentation
- Firewall rules
- VPC configuration
- Secrets management
- Service account permissions
- Resource isolation
Compliance & Standards¶
- GDPR (EU data protection)
- CCPA (California privacy)
- SOC 2 Type II
- PCI DSS (if handling payments)
- HIPAA (if handling health data)
- Security benchmarks (CIS, NIST)
Security Testing¶
- SAST (Static Application Security Testing)
- DAST (Dynamic Application Security Testing)
- Dependency scanning
- Container scanning
- Penetration testing
- Security code review
- Threat modeling
Security Analysis for Happy Camper Planner¶
Threat Model¶
Assets to Protect¶
- User Data
- Personal information (name, email, profile)
- Authentication credentials
- Location data (campground visits)
- Travel plans and itineraries
-
RV specifications
-
Application Data
- Plan details and trip information
- Campground data
- Gear lists and meal plans
-
Reservation details
-
System Resources
- API endpoints
- Database
- Cloud infrastructure
- Secrets and API keys
Threat Actors¶
- Malicious users - Unauthorized access to others' data
- External attackers - SQL injection, XSS, DDoS
- Insider threats - Privileged user abuse
- Automated bots - Scraping, brute force attacks
Attack Vectors¶
- API endpoints (authentication bypass, injection)
- Web application (XSS, CSRF)
- Database (SQL injection, unauthorized access)
- Cloud infrastructure (misconfiguration, exposed services)
- Dependencies (vulnerable packages)
- Social engineering (phishing, credential theft)
Security Vulnerabilities & Fixes¶
Vulnerability 1: Insecure Direct Object Reference (IDOR)¶
🚨 CRITICAL - A01: Broken Access Control
Vulnerable Code:
// PlansController.cs
[HttpGet("{id}")]
public async Task<ActionResult<PlanDto>> GetPlan(int id)
{
var plan = await _context.Plans
.Include(p => p.Trips)
.FirstOrDefaultAsync(p => p.Id == id);
if (plan == null)
{
return NotFound();
}
// ❌ No authorization check - any authenticated user can view any plan
return Ok(plan);
}
Threat Scenario:
1. User A creates a plan with ID 1
2. User B discovers the API endpoint structure
3. User B requests /api/plans/1 and accesses User A's private plan
4. User B can view sensitive travel plans, locations, dates
Security Impact: - Confidentiality: High - Private travel plans exposed - Integrity: None - Read-only operation - Availability: None - Risk Level: CRITICAL
Secure Implementation:
// PlansController.cs
[HttpGet("{id}")]
public async Task<ActionResult<PlanDto>> GetPlan(int id)
{
var plan = await _context.Plans
.Include(p => p.Members)
.Include(p => p.Trips)
.FirstOrDefaultAsync(p => p.Id == id);
if (plan == null)
{
return NotFound();
}
// ✅ Verify user is creator or member
var isCreator = plan.CreatorId == CurrentUserId;
var isMember = plan.Members.Any(m => m.UserId == CurrentUserId);
if (!isCreator && !isMember)
{
// Return 404 instead of 403 to prevent enumeration
return NotFound();
}
// ✅ Filter trips based on permission level if needed
var member = plan.Members.FirstOrDefault(m => m.UserId == CurrentUserId);
var hasFullAccess = isCreator ||
(member != null && member.PermissionLevel >= PermissionLevel.Viewer);
var planDto = new PlanDto
{
Id = plan.Id,
Name = plan.Name,
Description = plan.Description,
Trips = hasFullAccess ? MapTrips(plan.Trips) : new List<TripDto>()
};
return Ok(planDto);
}
Additional Mitigations:
// Add middleware for consistent authorization
public class ResourceAuthorizationFilter : IAsyncActionFilter
{
public async Task OnActionExecutionAsync(
ActionExecutingContext context,
ActionExecutionDelegate next)
{
// Implement centralized resource authorization
var result = await next();
}
}
// Unit test for authorization
[Fact]
public async Task GetPlan_UserNotMember_ReturnsForbidden()
{
// Arrange
var planId = 1;
var unauthorizedUserId = "user-unauthorized";
// Act
var result = await _controller.GetPlan(planId);
// Assert
Assert.IsType<NotFoundResult>(result.Result);
}
Vulnerability 2: SQL Injection via Raw Query¶
🚨 HIGH - A03: Injection
Vulnerable Code:
// CampgroundsController.cs
[HttpGet("search")]
public async Task<ActionResult<IEnumerable<Campground>>> SearchCampgrounds(
[FromQuery] string name, [FromQuery] string state)
{
// ❌ CRITICAL SQL INJECTION VULNERABILITY
var sql = $@"
SELECT * FROM campgrounds
WHERE name LIKE '%{name}%'
AND state = '{state}'";
var campgrounds = await _context.Campgrounds
.FromSqlRaw(sql)
.ToListAsync();
return Ok(campgrounds);
}
Threat Scenario:
Request: /api/campgrounds/search?name=test&state=CA' OR '1'='1
Generated SQL:
SELECT * FROM campgrounds
WHERE name LIKE '%test%'
AND state = 'CA' OR '1'='1'
Result: Returns ALL campgrounds regardless of state
Advanced Attack:
Request: /api/campgrounds/search?name=test&state=CA'; DROP TABLE plans; --
Generated SQL:
SELECT * FROM campgrounds
WHERE name LIKE '%test%'
AND state = 'CA'; DROP TABLE plans; --'
Result: Attempts to delete the plans table
Security Impact: - Confidentiality: High - Can extract any data - Integrity: High - Can modify/delete data - Availability: High - Can drop tables - Risk Level: CRITICAL
Secure Implementation:
// CampgroundsController.cs
[HttpGet("search")]
public async Task<ActionResult<IEnumerable<Campground>>> SearchCampgrounds(
[FromQuery] string name, [FromQuery] string state)
{
// ✅ Input validation
if (string.IsNullOrWhiteSpace(name) || name.Length > 100)
{
return BadRequest("Invalid search term");
}
if (!string.IsNullOrWhiteSpace(state) && state.Length != 2)
{
return BadRequest("Invalid state code");
}
// ✅ Use parameterized queries (EF Core handles this automatically)
var query = _context.Campgrounds.AsQueryable();
if (!string.IsNullOrWhiteSpace(name))
{
query = query.Where(c => c.Name.Contains(name));
}
if (!string.IsNullOrWhiteSpace(state))
{
query = query.Where(c => c.State == state);
}
var campgrounds = await query
.Take(50) // ✅ Limit results
.Select(c => new CampgroundDto // ✅ Use DTO, don't expose entity
{
Id = c.Id,
Name = c.Name,
State = c.State,
City = c.City
})
.ToListAsync();
return Ok(campgrounds);
}
// ✅ If raw SQL is absolutely necessary, use parameters
[HttpGet("advanced-search")]
public async Task<ActionResult<IEnumerable<Campground>>> AdvancedSearch(
[FromQuery] string searchTerm)
{
// ✅ Parameterized raw SQL
var campgrounds = await _context.Campgrounds
.FromSqlRaw(@"
SELECT * FROM campgrounds
WHERE to_tsvector('english', name || ' ' || description)
@@ plainto_tsquery('english', {0})
LIMIT 50", searchTerm)
.ToListAsync();
return Ok(campgrounds);
}
Vulnerability 3: Weak JWT Token Validation¶
🚨 HIGH - A07: Identification and Authentication Failures
Vulnerable Code:
// Program.cs
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://securetoken.google.com/{projectId}";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidIssuer = "https://securetoken.google.com/{projectId}",
ValidAudience = "{projectId}",
// ❌ Missing signature validation
ValidateIssuerSigningKey = false
};
});
Threat Scenario:
1. Attacker creates a forged JWT token with valid structure
2. Token includes "sub": "victim-user-id"
3. API accepts token without verifying signature
4. Attacker gains access as any user
Security Impact: - Confidentiality: Critical - Full account takeover - Integrity: Critical - Can modify any data - Availability: High - Can delete user data - Risk Level: CRITICAL
Secure Implementation:
// Program.cs
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
var projectId = builder.Configuration["Firebase:ProjectId"];
options.Authority = $"https://securetoken.google.com/{projectId}";
options.TokenValidationParameters = new TokenValidationParameters
{
// ✅ Validate all critical claims
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true, // ✅ CRITICAL
ValidIssuer = $"https://securetoken.google.com/{projectId}",
ValidAudience = projectId,
// ✅ Require expiration claim
RequireExpirationTime = true,
// ✅ Add clock skew tolerance (default 5 min, reduce for security)
ClockSkew = TimeSpan.FromMinutes(2)
};
// ✅ Custom validation
options.Events = new JwtBearerEvents
{
OnTokenValidated = async context =>
{
var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
if (string.IsNullOrEmpty(userId))
{
context.Fail("Missing user ID claim");
return;
}
// ✅ Verify user still exists and is active
var dbContext = context.HttpContext.RequestServices
.GetRequiredService<ApplicationDbContext>();
var userExists = await dbContext.Users
.AnyAsync(u => u.Id == userId && !u.IsDeleted);
if (!userExists)
{
context.Fail("User not found or inactive");
return;
}
// ✅ Check if token is revoked (implement token blacklist)
var tokenId = context.Principal?.FindFirst("jti")?.Value;
if (!string.IsNullOrEmpty(tokenId))
{
var cache = context.HttpContext.RequestServices
.GetRequiredService<IDistributedCache>();
var isRevoked = await cache.GetStringAsync($"revoked:{tokenId}");
if (!string.IsNullOrEmpty(isRevoked))
{
context.Fail("Token has been revoked");
return;
}
}
},
OnAuthenticationFailed = context =>
{
// ✅ Log authentication failures for monitoring
var logger = context.HttpContext.RequestServices
.GetRequiredService<ILogger<Program>>();
logger.LogWarning("Authentication failed: {Error}",
context.Exception.Message);
return Task.CompletedTask;
}
};
});
// ✅ Add middleware to enforce HTTPS
builder.Services.AddHttpsRedirection(options =>
{
options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
options.HttpsPort = 443;
});
app.UseHttpsRedirection();
Vulnerability 4: Sensitive Data in Logs¶
🚨 MEDIUM - A02: Cryptographic Failures / A09: Logging Failures
Vulnerable Code:
// PlansController.cs
[HttpPost]
public async Task<ActionResult<PlanDto>> CreatePlan(PlanDto dto)
{
// ❌ Logging sensitive user data
_logger.LogInformation("Creating plan: {Plan} for user {UserId} with email {Email}",
dto.Name, CurrentUserId, User.FindFirst(ClaimTypes.Email)?.Value);
// ❌ Connection string in error message
try
{
var plan = new Plan { Name = dto.Name };
_context.Plans.Add(plan);
await _context.SaveChangesAsync();
return Ok(dto);
}
catch (Exception ex)
{
// ❌ Exposing full exception details to client
return BadRequest(new { error = ex.ToString() });
}
}
Threat Scenario: 1. Logs are stored in centralized logging system 2. Logs contain PII (email addresses, user IDs) 3. Developer with log access can see sensitive data 4. Log aggregator is compromised, exposing PII 5. Exception details reveal database structure
Security Impact: - Confidentiality: Medium - PII exposure in logs - Compliance: High - GDPR/CCPA violations - Risk Level: MEDIUM
Secure Implementation:
// PlansController.cs
[HttpPost]
public async Task<ActionResult<PlanDto>> CreatePlan(PlanDto dto)
{
// ✅ Log only non-sensitive data
_logger.LogInformation("Creating plan for user {UserId}", CurrentUserId);
// ✅ Input validation
if (string.IsNullOrWhiteSpace(dto.Name) || dto.Name.Length > 200)
{
return BadRequest("Invalid plan name");
}
try
{
var plan = new Plan
{
Name = dto.Name,
CreatorId = CurrentUserId,
CreatedAt = DateTime.UtcNow
};
_context.Plans.Add(plan);
await _context.SaveChangesAsync();
_logger.LogInformation("Plan created successfully: PlanId={PlanId}", plan.Id);
return CreatedAtAction(nameof(GetPlan), new { id = plan.Id },
new PlanDto { Id = plan.Id, Name = plan.Name });
}
catch (DbUpdateException ex)
{
// ✅ Log detailed error internally, return generic message
_logger.LogError(ex, "Failed to create plan for user {UserId}", CurrentUserId);
// ✅ Generic error message to client
return StatusCode(500, "An error occurred while creating the plan");
}
}
// ✅ Configure logging to exclude sensitive data
// appsettings.json
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.EntityFrameworkCore.Database.Command": "Warning" // ✅ Don't log SQL in production
},
"Console": {
"FormatterName": "json",
"FormatterOptions": {
"IncludeScopes": true,
"TimestampFormat": "yyyy-MM-dd HH:mm:ss ",
"UseUtcTimestamp": true
}
}
}
}
// ✅ Custom log filtering middleware
public class SensitiveDataFilter : ILoggerProvider
{
private static readonly Regex EmailRegex = new(@"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b");
private static readonly Regex PhoneRegex = new(@"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b");
public ILogger CreateLogger(string categoryName)
{
return new SensitiveDataLogger(categoryName);
}
private class SensitiveDataLogger : ILogger
{
private readonly string _categoryName;
public SensitiveDataLogger(string categoryName)
{
_categoryName = categoryName;
}
public void Log<TState>(LogLevel logLevel, EventId eventId, TState state,
Exception exception, Func<TState, Exception, string> formatter)
{
var message = formatter(state, exception);
// ✅ Redact sensitive patterns
message = EmailRegex.Replace(message, "[EMAIL REDACTED]");
message = PhoneRegex.Replace(message, "[PHONE REDACTED]");
// Log the sanitized message
Console.WriteLine($"[{logLevel}] {_categoryName}: {message}");
}
public bool IsEnabled(LogLevel logLevel) => true;
public IDisposable BeginScope<TState>(TState state) => null;
}
public void Dispose() { }
}
Security Best Practices for Happy Camper Planner¶
Authentication Security¶
// Implement rate limiting on auth endpoints
builder.Services.AddRateLimiter(options =>
{
options.AddFixedWindowLimiter("auth", rateLimiterOptions =>
{
rateLimiterOptions.Window = TimeSpan.FromMinutes(1);
rateLimiterOptions.PermitLimit = 5;
rateLimiterOptions.QueueLimit = 0;
});
});
// Apply to sensitive endpoints
[EnableRateLimiting("auth")]
[HttpPost("login")]
public async Task<ActionResult> Login(LoginDto dto)
{
// Login logic
}
Data Protection¶
// Encrypt sensitive data at rest
public class User
{
public string Id { get; set; }
public string Email { get; set; }
// ✅ Encrypt sensitive fields
[PersonalData]
public string PhoneNumber { get; set; }
// ✅ Don't store credit cards - use Stripe tokens
public string StripeCustomerId { get; set; } // Reference only
}
// Configure data protection
builder.Services.AddDataProtection()
.PersistKeysToGoogleCloudStorage(
builder.Configuration["GCP:DataProtection:Bucket"],
builder.Configuration["GCP:DataProtection:KeyPath"])
.ProtectKeysWithGoogleCloudKms(
builder.Configuration["GCP:KMS:KeyName"]);
Secrets Management¶
// ❌ Never do this!
var connectionString = "Host=localhost;Password=supersecret123;...";
// ✅ Use Google Secret Manager
public static class SecretManagerExtensions
{
public static IServiceCollection AddSecretManager(
this IServiceCollection services,
IConfiguration configuration)
{
var projectId = configuration["GCP:ProjectId"];
var client = SecretManagerServiceClient.Create();
// Load secrets
var dbPassword = AccessSecret(client, projectId, "database-password");
var apiKey = AccessSecret(client, projectId, "api-key");
// Add to configuration
configuration["ConnectionStrings:Password"] = dbPassword;
configuration["ApiKeys:External"] = apiKey;
return services;
}
private static string AccessSecret(
SecretManagerServiceClient client,
string projectId,
string secretId)
{
var secretVersionName = new SecretVersionName(projectId, secretId, "latest");
var response = client.AccessSecretVersion(secretVersionName);
return response.Payload.Data.ToStringUtf8();
}
}
CORS Configuration¶
// ✅ Restrictive CORS policy
builder.Services.AddCors(options =>
{
options.AddPolicy("Production", policy =>
{
policy.WithOrigins(
"https://happycamperplanner.com",
"https://www.happycamperplanner.com"
)
.AllowedMethods("GET", "POST", "PUT", "DELETE")
.AllowedHeaders("Content-Type", "Authorization")
.AllowCredentials()
.SetIsOriginAllowedToAllowWildcardSubdomains(false)
.WithExposedHeaders("X-Pagination");
});
// ❌ Never use this in production!
options.AddPolicy("Development", policy =>
{
policy.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
});
});
// Use appropriate policy based on environment
app.UseCors(app.Environment.IsProduction() ? "Production" : "Development");
Security Testing Checklist¶
Pre-Deployment Security Audit¶
Authentication & Authorization ✅¶
- All endpoints require authentication
- Authorization checks verify resource ownership
- JWT tokens validated completely (signature, issuer, audience, expiration)
- Token refresh mechanism implemented
- Account lockout after failed login attempts
- Password requirements enforced (length, complexity)
- MFA available for sensitive operations
Input Validation ✅¶
- All user input validated server-side
- Input length limits enforced
- Special characters handled properly
- File uploads validated (type, size, content)
- URL redirects validated (prevent open redirect)
- No SQL injection vulnerabilities
- No NoSQL injection vulnerabilities
- No command injection vulnerabilities
Data Protection ✅¶
- HTTPS enforced everywhere
- TLS 1.2+ required
- Sensitive data encrypted at rest
- Database credentials in secret manager
- API keys in secret manager
- No secrets in code or logs
- Secure cookies (HttpOnly, Secure, SameSite)
- HSTS header configured
API Security ✅¶
- Rate limiting implemented
- Request size limits set
- CORS configured restrictively
- Content-Type validation
- JSON parsing limits set
- API versioning implemented
- Pagination for large responses
- No verbose error messages
Database Security ✅¶
- Parameterized queries only
- Least privilege database user
- Database in private network
- Connection pooling configured
- Encrypted connections to database
- Regular backups with encryption
- Audit logging enabled
Infrastructure Security ✅¶
- Service accounts use least privilege
- VPC with private subnets
- Firewall rules restrictive
- Cloud SQL requires SSL
- Secrets in Secret Manager
- IAM roles properly scoped
- Container images scanned
- Dependencies updated regularly
Logging & Monitoring ✅¶
- Security events logged
- PII not logged
- Failed auth attempts logged
- Log aggregation configured
- Alerts for suspicious activity
- Incident response plan documented
Security Monitoring¶
Alert Configuration¶
# Google Cloud Monitoring Alerts
alerts:
- name: "High Failed Login Rate"
condition:
- metric: "custom.googleapis.com/auth/failed_logins"
- threshold: 10
- duration: "5m"
notification:
- channel: "security-team-slack"
- severity: "warning"
- name: "SQL Injection Attempt"
condition:
- metric: "logging.googleapis.com/user/sql_injection"
- threshold: 1
- duration: "1m"
notification:
- channel: "security-team-pagerduty"
- severity: "critical"
- name: "Unusual API Usage Pattern"
condition:
- metric: "custom.googleapis.com/api/requests_per_user"
- threshold: 1000
- duration: "5m"
notification:
- channel: "security-team-slack"
- severity: "warning"
Security Event Logging¶
// Custom security event logger
public class SecurityEventLogger
{
private readonly ILogger<SecurityEventLogger> _logger;
public void LogSecurityEvent(string eventType, string userId,
Dictionary<string, string> metadata)
{
_logger.LogWarning(
"SECURITY_EVENT: {EventType} UserId={UserId} Metadata={@Metadata}",
eventType, userId, metadata);
}
}
// Usage in controllers
public class PlansController : ControllerBase
{
private readonly SecurityEventLogger _securityLogger;
[HttpGet("{id}")]
public async Task<ActionResult<PlanDto>> GetPlan(int id)
{
var plan = await _context.Plans.FindAsync(id);
if (plan == null)
{
return NotFound();
}
if (plan.CreatorId != CurrentUserId)
{
// ✅ Log unauthorized access attempt
_securityLogger.LogSecurityEvent("UNAUTHORIZED_ACCESS_ATTEMPT", CurrentUserId,
new Dictionary<string, string>
{
{ "ResourceType", "Plan" },
{ "ResourceId", id.ToString() },
{ "OwnerId", plan.CreatorId }
});
return NotFound(); // Don't reveal existence
}
return Ok(plan);
}
}
Compliance Requirements¶
GDPR Compliance¶
// Right to Access (Data Portability)
[HttpGet("export")]
public async Task<ActionResult> ExportMyData()
{
var userData = await _context.Users
.Include(u => u.Profile)
.Include(u => u.Plans)
.Include(u => u.Trips)
.FirstOrDefaultAsync(u => u.Id == CurrentUserId);
var export = new
{
PersonalData = new
{
userData.Email,
userData.Profile.FirstName,
userData.Profile.LastName,
userData.Profile.PhoneNumber
},
Plans = userData.Plans.Select(p => new { p.Name, p.Description }),
Trips = userData.Trips.Select(t => new { t.Destination, t.StartDate })
};
return File(
Encoding.UTF8.GetBytes(JsonSerializer.Serialize(export, new JsonSerializerOptions { WriteIndented = true })),
"application/json",
$"user-data-export-{CurrentUserId}.json"
);
}
// Right to Erasure (Right to be Forgotten)
[HttpDelete("account")]
public async Task<ActionResult> DeleteMyAccount()
{
var user = await _context.Users
.Include(u => u.Profile)
.Include(u => u.Plans)
.FirstOrDefaultAsync(u => u.Id == CurrentUserId);
if (user == null)
{
return NotFound();
}
// ✅ Soft delete user data
user.IsDeleted = true;
user.DeletedAt = DateTime.UtcNow;
// ✅ Anonymize PII
user.Email = $"deleted-user-{user.Id}@deleted.com";
user.Profile.FirstName = "Deleted";
user.Profile.LastName = "User";
user.Profile.PhoneNumber = null;
// ✅ Remove from shared plans (transfer or delete)
foreach (var plan in user.Plans)
{
// Transfer ownership or mark for deletion
}
await _context.SaveChangesAsync();
// ✅ Revoke all tokens
await RevokeAllUserTokens(CurrentUserId);
return NoContent();
}
When to Use Security Analyst¶
Use this agent when:
- Security auditing full application or specific components
- Threat modeling new features or architecture changes
- Vulnerability assessment of code or infrastructure
- Penetration testing guidance and remediation
- Compliance review (GDPR, SOC 2, etc.)
- Incident response to security events
- Security documentation and policy creation
- Dependency vulnerability analysis and patching
- API security review before public release
- Authentication/authorization implementation review
Integration with Baseline Behaviors¶
This agent follows all baseline behaviors from ../context/LLM-BaselineBehaviors.md:
- Action-oriented: Identifies vulnerabilities with concrete fixes
- Research-driven: Analyzes threat models and attack vectors
- Complete solutions: Provides full secure code implementations
- Clear communication: Explains security risks and impacts
- Error handling: Reviews security implications of error scenarios
- Task management: Systematically audits all security domains
Security-specific additions: - Risk-based prioritization: CRITICAL → HIGH → MEDIUM → LOW - Defense in depth: Multiple layers of security controls - Least privilege: Minimal permissions by default - Security by design: Integrated from architecture phase - Compliance-aware: Considers regulatory requirements - Threat-focused: Thinks like an attacker to find vulnerabilities