vulnerability-scanner
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
Category: Other Tools
Vulnerability Scanning Expert Skills
Skill Overview
Advanced intelligent vulnerability analysis capabilities based on the 2025 threat landscape, covering the latest OWASP Top 10 standards, supply-chain security detection, attack surface mapping, and risk prioritization assessment.
Use Cases
Automatically identify high-risk security patterns during code review, including common vulnerabilities such as SQL injection, path traversal, and unsafe deserialization. Detect hard-coded keys and sensitive information leakage.
Perform comprehensive security verification before application deployment, including configuration checks, dependency audits, and attack surface analysis to ensure compliance with OWASP 2025 security standards and industry best practices.
Use intelligent risk ranking by combining CVSS scores, EPSS indicators, and asset value to help teams prioritize the most critical security issues and avoid being distracted by low-risk vulnerabilities.
Core Features
1. Full Coverage of OWASP Top 10:2025
Supports detection based on the latest OWASP risk classifications for 2025, with emphasis on two newly added categories: supply-chain security (A03) and handling of abnormal conditions (A10). Detects the ten major risk categories, including access control vulnerabilities, security misconfigurations, encryption failures, injection attacks, authentication failures, and more.
2. Supply-Chain Security Detection
Analyzes project dependencies, lock files, build processes, and registry sources to detect risks such as malicious package threats, integrity attacks, and typosquatting attacks. Supports supply-chain defense checks including package verification, version pinning, and signature verification.
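The following is an added example, not the skill's own code, showing the kind of lock-file and dependency check described above applied to a pip requirements file: it flags unpinned versions, missing integrity hashes, and package names within a small edit distance of a known package (a typosquatting heuristic). The requirements text, the known-package allowlist and the hash value are constructed for the demo; a real run would feed the project's own file and a curated package list.

```python
"""Supply-chain checks on a pip requirements file (added example, not the skill's code).

Parses requirement lines, then flags three of the risks named on the page:
unpinned versions, missing integrity hashes, and names that sit within a
small edit distance of a known package (typosquatting). All inputs below
are constructed for the demonstration.
"""
import re

# name, optional comparison operator, optional version (stops at whitespace or ';' markers)
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;]*)")

# Constructed sample: one well-pinned line, one range, one misspelling, one hash-less pin.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt for the example
requests==2.32.3 --hash=sha256:%s
urllib3>=1.26
reqeusts==2.0.0
pyyaml==6.0.2
""" % ("0" * 64)  # placeholder hash value, not a real digest

# Constructed allowlist; a real audit would use a curated list of approved packages.
KNOWN_PACKAGES = {"requests", "urllib3", "pyyaml", "numpy"}


def parse_requirements(text):
    """Return [(name, operator, version, has_hash)] for each requirement line."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # skip blanks, comments and option lines such as --index-url
        tokens = line.split()
        m = SPEC_RE.match(tokens[0])
        if not m:
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        has_hash = any(t.startswith("--hash=") for t in tokens[1:])
        reqs.append((name, op, version, has_hash))
    return reqs


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(reqs, known_packages, max_distance=2):
    """Return (package, issue) findings for pinning, integrity and typosquatting."""
    findings = []
    known = {k.lower() for k in known_packages}
    for name, op, version, has_hash in reqs:
        if op != "==" or not version:
            findings.append((name, "unpinned"))          # version pinning missing
        if not has_hash:
            findings.append((name, "missing-hash"))      # no integrity verification
        if name not in known:
            for k in known:
                if 0 < levenshtein(name, k) <= max_distance:
                    findings.append((name, f"typosquat-suspect:{k}"))
    return findings


if __name__ == "__main__":
    for pkg, issue in audit(parse_requirements(SAMPLE_REQUIREMENTS), KNOWN_PACKAGES):
        print(f"{pkg}: {issue}")
```

The edit-distance rule is deliberately narrow (unknown name within two edits of an allowlisted one); on a real dependency set it should be paired with registry-side signals such as package age and download counts, which this example does not model.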
3. Intelligent Risk Prioritization
Computes an integrated risk score by combining CVSS base scores, EPSS exploitation probability, asset value, and exposure. Provides a decision tree to help determine actions: vulnerabilities actively being exploited should be handled immediately; those with CVSS ≥ 9.0 should be prioritized for fixes; low-risk vulnerabilities can be scheduled for later remediation.
Frequently Asked Questions
What’s new in OWASP 2025 compared with 2021?
The most notable change in OWASP 2025 is the addition of two categories: A03 Supply-Chain Security and A10 Abnormal/Exceptional Condition Handling. At the same time, SSRF has been merged from an independent category into A01 Access Control, shifting the focus from symptom-based analysis to root-cause analysis. These changes reflect the impact of recent supply-chain attack incidents such as SolarWinds and Log4j.
How should a vulnerability’s priority be assessed?
It is recommended to use a multi-dimensional assessment: first check the EPSS score—if it is > 0.5 (actively being exploited), mark it as urgent; then review the CVSS base score—≥ 9.0 indicates high risk; finally, make the final decision by factoring in asset value and exposure (whether it is internet-facing). Do not blindly fix every CVE.
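The decision tree in the "Intelligent Risk Prioritization" feature and in this answer, written out as an added example (not the skill's own scoring code): known-exploited findings first, then EPSS > 0.5, then CVSS ≥ 9.0, and otherwise a weighted composite of CVSS, EPSS, asset value and exposure that decides whether an internet-facing, high-value asset still warrants a prioritized fix. The field names, the 1 to 5 asset-value scale, the weights and the sample findings are assumptions constructed for the demo.

```python
"""Risk prioritization for scanner findings (added example, not the skill's code).

Buckets follow the page's decision tree; ordering inside a bucket uses a
composite score. Weights, field names and sample findings are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    epss: float             # EPSS probability, 0.0 to 1.0
    asset_value: int        # assumed scale: 1 (low) to 5 (crown jewel)
    internet_facing: bool   # exposure: reachable from the internet
    known_exploited: bool = False  # e.g. listed in a known-exploited catalogue


# Assumed weights; tune to the organisation's risk appetite.
WEIGHTS = {"cvss": 0.4, "epss": 0.3, "asset": 0.2, "exposure": 0.1}

BUCKET_ORDER = {"immediate": 0, "urgent": 1, "prioritize-fix": 2, "scheduled": 3}


def composite_score(f: Finding) -> float:
    """Integrated 0 to 10 score over the four dimensions named on the page."""
    score = (
        WEIGHTS["cvss"] * f.cvss
        + WEIGHTS["epss"] * f.epss * 10
        + WEIGHTS["asset"] * (f.asset_value / 5) * 10
        + WEIGHTS["exposure"] * (10 if f.internet_facing else 3)
    )
    return round(score, 2)


def triage(f: Finding) -> str:
    """Decision tree: returns the action bucket for one finding."""
    if f.known_exploited:
        return "immediate"           # actively exploited: handle now
    if f.epss > 0.5:
        return "urgent"              # high exploitation probability
    if f.cvss >= 9.0:
        return "prioritize-fix"      # critical severity
    # Remaining findings: let asset value and exposure decide.
    if f.internet_facing and f.asset_value >= 4 and composite_score(f) >= 6.0:
        return "prioritize-fix"
    return "scheduled"


def rank(findings):
    """Order findings by bucket, then by composite score within a bucket."""
    return sorted(findings, key=lambda f: (BUCKET_ORDER[triage(f)], -composite_score(f)))


# Constructed sample findings covering each branch of the tree.
SAMPLE_FINDINGS = [
    Finding("F1", cvss=9.8, epss=0.02, asset_value=2, internet_facing=False),
    Finding("F2", cvss=7.5, epss=0.91, asset_value=3, internet_facing=True),
    Finding("F3", cvss=5.3, epss=0.01, asset_value=1, internet_facing=False),
    Finding("F4", cvss=8.1, epss=0.30, asset_value=5, internet_facing=True, known_exploited=True),
    Finding("F5", cvss=7.0, epss=0.10, asset_value=5, internet_facing=True),
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.id}: {triage(f):15s} composite={composite_score(f)}")
```

Note that F5 (CVSS 7.0, low EPSS) still lands in the prioritized bucket because it is internet-facing on a top-value asset, while F1 (CVSS 9.8 on an internal low-value host) is prioritized only by its severity; this is the "do not blindly fix every CVE" point in practice.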
What is the difference between fail-open and fail-closed?
Fail-open means that when an error occurs, access is allowed or input is accepted—this is an unsafe practice. Fail-closed means that when an error occurs, access is denied or input is rejected, which is the recommended secure practice. For example, if an authentication service fails, all access should be denied (Fail-Closed) rather than allowing authentication bypasses (Fail-Open).
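An added example (not the skill's own code) of the authentication case described in this answer: two guards consult the same simulated token-introspection service, and the only difference between them is what they return when that service raises. The service class, the token values and the outage are constructed for the demo.

```python
"""Fail-open versus fail-closed error handling (added example, not the skill's code).

Both guards ask an assumed, simulated authentication service whether a token
is valid. They differ only in how they treat an outage of that service.
"""
import logging

log = logging.getLogger("authz")


class AuthServiceUnavailable(Exception):
    """Raised when the upstream authentication service cannot be reached."""


class SimulatedAuthService:
    """Stand-in for a real token-introspection backend (constructed for the example)."""

    def __init__(self, valid_tokens, available=True):
        self.valid_tokens = set(valid_tokens)
        self.available = available

    def introspect(self, token: str) -> bool:
        if not self.available:
            raise AuthServiceUnavailable("auth backend timed out")
        return token in self.valid_tokens


def is_allowed_fail_open(service, token):
    """Unsafe pattern: an outage is treated as 'allow'."""
    try:
        return service.introspect(token)
    except AuthServiceUnavailable:
        log.warning("auth service down; allowing request (fail-open)")
        return True


def is_allowed_fail_closed(service, token):
    """Recommended pattern: an outage is treated as 'deny'."""
    try:
        return service.introspect(token)
    except AuthServiceUnavailable:
        log.error("auth service down; denying request (fail-closed)")
        return False


def handle_request(service, token, guard):
    """Turn the guard's decision into an HTTP-style status string."""
    return "200 OK" if guard(service, token) else "403 Forbidden"


def demo():
    """Run both guards against a healthy and an unavailable service.

    Returns {scenario: (fail_open_result, fail_closed_result)}.
    """
    healthy = SimulatedAuthService({"tok-valid"})
    down = SimulatedAuthService({"tok-valid"}, available=False)
    scenarios = {
        "healthy/valid": (healthy, "tok-valid"),
        "healthy/invalid": (healthy, "tok-forged"),
        "outage/any": (down, "tok-forged"),
    }
    return {
        name: (
            handle_request(svc, tok, is_allowed_fail_open),
            handle_request(svc, tok, is_allowed_fail_closed),
        )
        for name, (svc, tok) in scenarios.items()
    }


if __name__ == "__main__":
    for name, (open_result, closed_result) in demo().items():
        print(f"{name:16s} fail-open={open_result:13s} fail-closed={closed_result}")
```

While the backend is healthy both guards agree; during the outage the fail-open guard returns 200 for a forged token, which is the bypass the answer warns about, and the fail-closed guard returns 403. The same pattern applies to input validation: when the validator itself errors, reject the input rather than pass it through.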