Name: Secure Coding Training Skill
Description: Provides developers with training and assessment in secure coding practices and vulnerability prevention
Allowed tools:
- Bash
- Read
- Write
- Glob
- Grep
- WebFetch
# Secure Coding Training Skill

## Purpose

Delivers and manages developer security training programs that improve secure coding practices, assess developers' security knowledge, and track how effective the training is at reducing vulnerabilities.

## Capabilities

### Training Module Delivery

- Deliver language-specific secure coding modules
- Provide framework-specific security training
- Offer vulnerability-focused courses (OWASP Top 10)
- Present hands-on coding challenges
- Assign interactive security labs
- Schedule training paths by role

### Knowledge Assessment

- Generate skill assessment quizzes
- Create code-based security challenges
- Measure understanding through practical tests
- Track knowledge retention
- Compare against industry benchmarks
- Certify competency levels

### Gap Identification

- Analyze assessment results to identify knowledge gaps
- Correlate gaps with actual vulnerability findings
- Identify team-level weaknesses
- Map gaps to training modules
- Prioritize training needs
- Track improvement over time

### Training Path Recommendation

- Recommend personalized learning paths
- Suggest role-appropriate modules
- Prioritize by project requirements
- Adapt to the technology stack
- Account for compliance requirements
- Update according to the threat landscape

### Certification Management

- Issue training completion certificates
- Track certification expiry dates
- Manage recertification requirements
- Generate compliance reports
- Maintain training records
- Support audit requests

### Effectiveness Measurement

- Correlate training with vulnerability reduction
- Track secure code review metrics
- Measure remediation time improvement
- Compare pre- and post-training assessments
- Generate ROI reports
- Monitor long-term behavior change
## Training Modules

### By Language

- Java Security Best Practices
- Python Secure Coding
- JavaScript/Node.js Security
- C/C++ Memory Safety
- Go Security Patterns
- .NET Security Guidelines

### By Vulnerability Type

- Injection Prevention (SQL, XSS, LDAP)
- Authentication/Authorization Security
- Cryptography Best Practices
- Input Validation Techniques
- Output Encoding Strategies
- Secure Session Management

### By Framework

- Spring Security
- Django Security
- Express.js Security
- ASP.NET Core Security
- React Security Patterns
- Angular Security Best Practices

## Integrations

- Secure Code Warrior: interactive secure coding training
- HackEDU: hands-on security training
- OWASP WebGoat: deliberately insecure application
- Kontra: application security training
- Immersive Labs: cyber skills development
- Security Journey: secure development training

## Target Processes

- Security awareness training programs
- Secure SDLC implementation
- Developer onboarding
- Compliance training requirements
## Input Schema

```json
{
  "type": "object",
  "properties": {
    "trainingType": {
      "type": "string",
      "enum": ["assessment", "module-delivery", "certification", "gap-analysis", "path-recommendation"],
      "description": "Type of training activity"
    },
    "targetAudience": {
      "type": "object",
      "properties": {
        "developers": { "type": "array", "items": { "type": "string" } },
        "teams": { "type": "array", "items": { "type": "string" } },
        "roles": { "type": "array", "items": { "type": "string" } }
      }
    },
    "technologies": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Programming languages and frameworks"
    },
    "vulnerabilityFocus": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["injection", "broken-auth", "xss", "insecure-deserialization", "ssrf", "access-control", "crypto", "logging"]
      }
    },
    "complianceRequirements": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["PCI-DSS", "HIPAA", "SOC2", "GDPR", "FedRAMP"]
      }
    },
    "assessmentDifficulty": {
      "type": "string",
      "enum": ["beginner", "intermediate", "advanced", "expert"]
    }
  },
  "required": ["trainingType"]
}
```
## Output Schema

```json
{
  "type": "object",
  "properties": {
    "activityId": {
      "type": "string"
    },
    "trainingType": {
      "type": "string"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time"
    },
    "participantSummary": {
      "type": "object",
      "properties": {
        "totalParticipants": { "type": "integer" },
        "completedTraining": { "type": "integer" },
        "inProgress": { "type": "integer" },
        "notStarted": { "type": "integer" }
      }
    },
    "assessmentResults": {
      "type": "object",
      "properties": {
        "averageScore": { "type": "number" },
        "passingRate": { "type": "number" },
        "topPerformers": { "type": "array" },
        "needsImprovement": { "type": "array" }
      }
    },
    "knowledgeGaps": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "topic": { "type": "string" },
          "gapSeverity": { "type": "string" },
          "affectedDevelopers": { "type": "integer" },
          "recommendedModules": { "type": "array" }
        }
      }
    },
    "trainingPaths": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "developerId": { "type": "string" },
          "recommendedModules": { "type": "array" },
          "estimatedDuration": { "type": "string" },
          "priority": { "type": "string" }
        }
      }
    },
    "certifications": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "developerId": { "type": "string" },
          "certificationName": { "type": "string" },
          "issueDate": { "type": "string" },
          "expirationDate": { "type": "string" }
        }
      }
    },
    "effectivenessMetrics": {
      "type": "object",
      "properties": {
        "vulnerabilityReduction": { "type": "number" },
        "avgRemediationTimeImprovement": { "type": "string" },
        "secureCodeReviewPassRate": { "type": "number" }
      }
    }
  }
}
```
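The Gap Identification and Effectiveness Measurement capabilities above describe turning quiz results and scanner findings into the `assessmentResults`, `knowledgeGaps` and `effectivenessMetrics` fields of this output schema. The script below is an added example of that computation, not the skill's own code: all quiz scores, finding counts, remediation times and review counts are constructed, the 70% pass mark is assumed, and the topic-to-module map is an assumption built from the module names listed earlier on this page. The one design point it illustrates is that a topic's gap severity is raised when the scanner is already finding bugs in that area, so the gaps that are producing vulnerabilities sort ahead of the ones that only fail quizzes.

```python
"""Build the assessmentResults, knowledgeGaps and effectivenessMetrics fields
of the skill's output schema from raw data.

Added example, not the skill's own code. Every input below is constructed.
"""
from __future__ import annotations

import json
from collections import Counter
from statistics import mean

PASS_MARK = 70  # assumed passing score, in percent

# Constructed quiz results: developer -> topic -> score (0-100)
RESULTS = {
    "alice": {"injection": 90, "xss": 85, "broken-auth": 60},
    "bob":   {"injection": 55, "xss": 40, "broken-auth": 75},
    "carol": {"injection": 65, "xss": 95, "broken-auth": 80},
    "dave":  {"injection": 50, "xss": 72, "broken-auth": 45},
}

# Constructed SAST/pentest finding counts per topic, before and after one training cycle
FINDINGS_BEFORE = Counter({"injection": 8, "xss": 5, "broken-auth": 2})
FINDINGS_AFTER = Counter({"injection": 3, "xss": 4, "broken-auth": 2})

# Constructed mean time-to-remediate (days) and secure code review outcomes
MTTR_BEFORE_DAYS, MTTR_AFTER_DAYS = 12.0, 7.5
REVIEWS_PASSED, REVIEWS_TOTAL = 34, 40

# Assumed mapping from quiz topic to the training modules listed on this page
MODULES = {
    "injection": ["Injection Prevention (SQL, XSS, LDAP)", "Input Validation Techniques"],
    "xss": ["Output Encoding Strategies", "React Security Patterns"],
    "broken-auth": ["Authentication/Authorization Security", "Secure Session Management"],
}


def assessment_results(results: dict[str, dict[str, int]]) -> dict:
    """Per-developer mean score, then the roll-up the output schema expects."""
    overall = {dev: mean(scores.values()) for dev, scores in results.items()}
    passed = [dev for dev, score in overall.items() if score >= PASS_MARK]
    return {
        "averageScore": round(mean(overall.values()), 1),
        "passingRate": round(len(passed) / len(overall), 2),
        "topPerformers": sorted(passed, key=overall.get, reverse=True),
        "needsImprovement": sorted(dev for dev in overall if dev not in passed),
    }


def knowledge_gaps(results: dict[str, dict[str, int]], findings: Counter,
                   modules: dict[str, list[str]], pass_mark: int = PASS_MARK) -> list[dict]:
    """One entry per topic in which at least one developer scored below pass_mark.

    Severity combines the share of developers failing the topic with whether the
    scanner is finding real bugs in that area: a gap that is already producing
    vulnerabilities outranks one that only shows up in quiz scores.
    """
    gaps = []
    topics = {topic for scores in results.values() for topic in scores}
    for topic in sorted(topics):
        failing = [dev for dev, scores in results.items() if scores.get(topic, 0) < pass_mark]
        if not failing:
            continue
        share = len(failing) / len(results)
        has_findings = findings.get(topic, 0) > 0
        if has_findings and share >= 0.5:
            severity = "high"
        elif has_findings or share >= 0.5:
            severity = "medium"
        else:
            severity = "low"
        gaps.append({
            "topic": topic,
            "gapSeverity": severity,
            "affectedDevelopers": len(failing),
            "recommendedModules": modules.get(topic, []),
        })
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(gaps, key=lambda gap: (rank[gap["gapSeverity"]], -gap["affectedDevelopers"]))


def effectiveness_metrics(before: Counter, after: Counter,
                          mttr_before: float, mttr_after: float) -> dict:
    """Relative drop in findings, remediation-time change and review pass rate."""
    total_before, total_after = sum(before.values()), sum(after.values())
    reduction = (total_before - total_after) / total_before if total_before else 0.0
    return {
        "vulnerabilityReduction": round(reduction, 2),
        "avgRemediationTimeImprovement": f"{mttr_before - mttr_after:.1f} days faster",
        "secureCodeReviewPassRate": round(REVIEWS_PASSED / REVIEWS_TOTAL, 2),
    }


def build_report() -> dict:
    """Assemble the three computed sections in the output schema's shape."""
    return {
        "trainingType": "assessment",
        "assessmentResults": assessment_results(RESULTS),
        "knowledgeGaps": knowledge_gaps(RESULTS, FINDINGS_BEFORE, MODULES),
        "effectivenessMetrics": effectiveness_metrics(
            FINDINGS_BEFORE, FINDINGS_AFTER, MTTR_BEFORE_DAYS, MTTR_AFTER_DAYS),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

With the constructed data, injection (three of four developers failing, eight open findings) and broken-auth (two failing, two findings) come out as high-severity gaps, and xss, where only one developer fails, as medium despite its five findings. `vulnerabilityReduction` is a plain before/after ratio of finding counts; a drop in findings also tracks scanner coverage and release cadence, so compare it against a team or period that did not receive the training before attributing it to the program.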
## Usage Example

```yaml
skill: {
  name: 'secure-coding-training-skill',
  context: {
    trainingType: 'assessment',
    targetAudience: {
      teams: ['backend-team', 'frontend-team']
    },
    technologies: ['Java', 'JavaScript', 'Python'],
    vulnerabilityFocus: ['injection', 'xss', 'broken-auth'],
    assessmentDifficulty: 'intermediate'
  }
}
```
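The validator below checks a request's `context` against the input schema above, using the usage example as the valid case and a constructed malformed request (missing `trainingType`, a `vulnerabilityFocus` value outside the enum, a numeric `assessmentDifficulty`) as the failing case. It is an added example, not code shipped with the skill: it implements only the JSON Schema keywords the input schema uses (`type`, `properties`, `required`, `enum`, `items`) with the standard library, and, stricter than plain JSON Schema, it rejects properties the schema does not declare, on the reasoning that an unexpected field in a tool request is usually a typo or a parameter the skill would silently ignore.

```python
"""Validate a secure-coding-training request against the skill's input schema.

Added example, not part of the skill. Supports only the JSON Schema keywords
the input schema uses (type, properties, required, enum, items).
"""
from __future__ import annotations

from typing import Any

# Copy of the skill's input schema, minus the description strings.
INPUT_SCHEMA: dict[str, Any] = {
    "type": "object",
    "properties": {
        "trainingType": {
            "type": "string",
            "enum": ["assessment", "module-delivery", "certification",
                     "gap-analysis", "path-recommendation"],
        },
        "targetAudience": {
            "type": "object",
            "properties": {
                "developers": {"type": "array", "items": {"type": "string"}},
                "teams": {"type": "array", "items": {"type": "string"}},
                "roles": {"type": "array", "items": {"type": "string"}},
            },
        },
        "technologies": {"type": "array", "items": {"type": "string"}},
        "vulnerabilityFocus": {
            "type": "array",
            "items": {"type": "string",
                      "enum": ["injection", "broken-auth", "xss",
                               "insecure-deserialization", "ssrf",
                               "access-control", "crypto", "logging"]},
        },
        "complianceRequirements": {
            "type": "array",
            "items": {"type": "string",
                      "enum": ["PCI-DSS", "HIPAA", "SOC2", "GDPR", "FedRAMP"]},
        },
        "assessmentDifficulty": {
            "type": "string",
            "enum": ["beginner", "intermediate", "advanced", "expert"],
        },
    },
    "required": ["trainingType"],
}

# Python types accepted for each JSON Schema "type" keyword.
_TYPES: dict[str, Any] = {
    "object": dict, "array": list, "string": str,
    "integer": int, "number": (int, float), "boolean": bool,
}


def validate(instance: Any, schema: dict[str, Any], path: str = "$") -> list[str]:
    """Return every violation as '<json-path>: <reason>'; an empty list means valid."""
    errors: list[str] = []
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(instance, _TYPES[expected])
        # bool is a subclass of int in Python; JSON Schema does not treat it as a number.
        if expected in ("integer", "number") and isinstance(instance, bool):
            ok = False
        if not ok:
            errors.append(f"{path}: expected {expected}, got {type(instance).__name__}")
            return errors  # enum and children of a mistyped value are not meaningful
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not one of {schema['enum']}")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                errors.extend(validate(value, props[key], f"{path}.{key}"))
            else:
                # Stricter than plain JSON Schema, which allows extra properties.
                errors.append(f"{path}.{key}: property not declared in schema")
    if isinstance(instance, list) and "items" in schema:
        for index, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{index}]"))
    return errors


# The context object from the usage example on this page.
EXAMPLE_REQUEST = {
    "trainingType": "assessment",
    "targetAudience": {"teams": ["backend-team", "frontend-team"]},
    "technologies": ["Java", "JavaScript", "Python"],
    "vulnerabilityFocus": ["injection", "xss", "broken-auth"],
    "assessmentDifficulty": "intermediate",
}

# Constructed malformed request: no trainingType, a focus value outside the
# enum, and a number where the schema expects a difficulty string.
BAD_REQUEST = {
    "vulnerabilityFocus": ["injection", "csrf"],
    "assessmentDifficulty": 3,
}

if __name__ == "__main__":
    print("example request:", validate(EXAMPLE_REQUEST, INPUT_SCHEMA) or "valid")
    for problem in validate(BAD_REQUEST, INPUT_SCHEMA):
        print("bad request:", problem)
```

Each violation carries a JSON-path-style location (`$.vulnerabilityFocus[1]`, `$.assessmentDifficulty`), which is what a caller needs to correct a request; a validator that only returns true or false leaves the operator guessing which of several fields was wrong.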