安全威脅很難轉化為明確的需求。此技能將威脅轉換為可測試的需求、使用者故事和合規映射。在將威脅模型轉化為可操作的安全控制時使用。
스킬 ZIP 다운로드
Claude에서 업로드
설정 → 기능 → 스킬 → 스킬 업로드로 이동
토글을 켜고 사용 시작
테스트해 보기
"security-requirement-extraction" 사용 중입니다. Create requirements from a spoofing threat targeting login
예상 결과:
- SR-001: Authenticate users before access to login
- Acceptance criteria: MFA for sensitive operations, authentication failures logged
- Test cases: Unauthenticated access denied, invalid credentials rejected, tokens cannot be forged
"security-requirement-extraction" 사용 중입니다. Generate requirements for data tampering threats
예상 결과:
- SR-005: Validate all input to data store
- Acceptance criteria: Data integrity verified, modification attempts trigger alerts
- Test cases: Invalid input rejected, tampered data detected and rejected
보안 감사
안전Pure documentation skill containing templates and guidance for security requirement extraction. Python code examples in SKILL.md are documentation templates only, not executable code. All 47 static findings are false positives: URLs are documentation links, backticks are markdown code blocks, and security terminology (C2, crypto, reconnaissance, SAM) appears in legitimate compliance and threat modeling context. No actual code execution, network calls, or credential access occurs.
위험 요인
품질 점수
만들 수 있는 것
威脅到需求的映射
將 STRIDE 威脅列表轉換為帶有理據的優先安全需求。
安全使用者故事
為安全待辦事項規劃生成使用者故事和驗收標準。
控制可追溯性
將需求映射到 PCI DSS、HIPAA、GDPR 和 OWASP 控制。
이 프롬프트를 사용해 보세요
Convert this threat into security requirements with acceptance criteria and test cases: [threat details].
Extract security requirements for these STRIDE threats and group by domain: [list of threats].
Generate security user stories with priority and acceptance criteria for these threats: [threats].
Map these requirements to PCI DSS and OWASP controls, and note gaps: [requirements].
모범 사례
- 提供清晰的威脅描述,包含影響和可能性評級
- 將每個需求追溯到特定的威脅標識符
- 包含可測量的驗收標準和可測試的條件
피하기
- 使用不可測試的通用需求
- 省略需求的理由或優先級
- 在沒有威脅可追溯性的情況下映射到合規