AI Prompts: Information Security

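💡 AI models perform best with English prompts, so the prompt text is presented in English. Entering prompts in English yields more accurate and more detailed responses.

Security incidents don't only happen to large companies; anyone who is unprepared can be hit. These 7 prompts help you audit systems against real attack patterns, build threat models that map your actual attack surface, create incident response playbooks before you need them, and navigate compliance frameworks without drowning in paperwork. They have been tested on GPT-4.1, Gemini 2.5 Pro, Claude Sonnet 4, and Grok 3, so you know which model best protects your systems.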

Last tested: Mar 15, 2026 · Models: GPT-4.1, Gemini 2.5 Pro, Claude Sonnet 4, Grok 3

Application Security Auditor

Audit your application against the OWASP Top 10 and real-world attack patterns

Conduct a comprehensive security audit of my application.

Application type: [web app / mobile app / API / SaaS platform / internal tool]
Stack: [languages, frameworks, databases, cloud provider, CDN]
Authentication: [JWT / sessions / OAuth 2.0 / SAML / API keys / multi-factor]
Sensitive data: [PII, payment data, health records, credentials, API keys]
Current security measures: [what you already have: WAF, encryption, rate limiting, etc.]
Compliance requirements: [GDPR / HIPAA / SOC2 / PCI-DSS / ISO 27001 / none yet]
Last security review: [when, or 'never']
Known vulnerabilities: [any issues you're already aware of]

Audit and provide:
1. **OWASP Top 10 assessment:** for each of the 10 categories, assess whether your stack is vulnerable, what the specific risk is, and the remediation priority (critical/high/medium/low)
2. **Authentication & authorization review:** password hashing algorithm, session management, token lifecycle, privilege escalation risks, broken access control patterns
3. **Data protection audit:** encryption at rest and in transit, key management, data classification, PII exposure in logs/errors/analytics
4. **Infrastructure security:** cloud configuration, secrets management, network segmentation, container security (if applicable)
5. **Dependency scan guidance:** how to identify vulnerable dependencies, which tools to use for your stack, and the triage process
6. **Top 5 immediate actions:** ranked by risk reduction per hour of effort. Specific fixes, not general advice
7. **30-day security roadmap:** week-by-week plan to reach baseline security posture, prioritized by business impact of a breach

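Pro tip

Include your compliance requirements even if you are not compliant yet. The AI builds a very different security roadmap when it knows you need SOC2 rather than a general review. And be honest about what is not in place yet: an audit is only useful if it reflects reality, not the ideal version.

Tested Mar 15, 2026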

Threat Model Builder

Map your attack surface and prioritize your defenses

Help me build a threat model for my application.

Application: [describe what it does and how users interact with it]
Architecture: [describe system components, services, databases, and how they connect]
Data flow: [how data moves through the system — user input → API → database → response]
Assets to protect: [most valuable data and functionality — what would hurt most if compromised]
User types: [roles and their access levels: admin, user, anonymous, API consumer]
External integrations: [third-party services, payment processors, analytics, CDN]
Previous incidents: [any known security issues, near-misses, or breach attempts]
Threat actors: [who might attack you: opportunistic hackers, competitors, insiders, nation-states]

Build a complete threat model:
1. **Asset inventory:** what's worth protecting, ranked by business impact if compromised (confidentiality, integrity, availability)
2. **Trust boundary map:** where data crosses security boundaries. Each boundary is a potential attack surface
3. **STRIDE analysis:** for each major component, assess Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege risks
4. **Attack tree:** for your top 3 assets, map the attack paths an adversary could take. Include both technical and social engineering vectors
5. **Risk matrix:** likelihood × impact scoring for each identified threat. Color-coded: red/yellow/green
6. **Mitigation plan:** for the top 10 highest-risk threats, specific countermeasures with implementation effort estimates
7. **Residual risk acceptance:** for threats you can't fully mitigate, document the accepted risk and monitoring strategy

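Pro tip

Provide your data flows, not just an architecture diagram. Threats live where data moves between components: trust boundaries, API calls, database queries, and third-party integrations. A system diagram without data flows is like a map without roads. Also state which data is most valuable to an attacker.

Tested Mar 15, 2026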

Security Incident Response Playbook

Prepare before a security incident happens

Help me create a security incident response plan.

Organization: [size, industry, and IT/security team capacity]
Infrastructure: [cloud / on-premise / hybrid — and which providers]
Data sensitivity: [types of regulated or sensitive data you handle]
Current incident process: [what you do now — or 'we wing it']
Regulatory requirements: [breach notification laws: GDPR 72-hour rule, state laws, HIPAA, etc.]
Communication tools: [Slack, PagerDuty, phone tree, email — how the team communicates in emergencies]
Insurance: [do you have cyber insurance? What does it require?]

Build an incident response playbook:
1. **Incident classification:** severity levels (SEV1-4) with concrete examples for each level. Include the escalation criteria for each
2. **First responder checklist:** the exact steps for the first 30 minutes after detection. Who to notify, what to preserve, what NOT to do
3. **Scenario playbooks:** step-by-step response for 4 common scenarios:
   - Ransomware attack
   - Data breach / unauthorized access
   - DDoS attack
   - Compromised credentials / insider threat
4. **Communication templates:** internal notification (team/leadership), customer notification, regulatory filing, and public statement. Pre-written, fill-in-the-blanks
5. **Evidence preservation protocol:** what to capture, how to maintain chain of custody, and what NOT to modify (for forensics and legal)
6. **Post-incident review:** a structured retrospective template covering timeline reconstruction, root cause analysis, what worked, what didn't, and specific improvements
7. **Contact list template:** who to call (internal team, legal counsel, cyber insurance, forensics firm, law enforcement) with when to involve each

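Pro tip

Before a real incident occurs, run a tabletop exercise with your team using this playbook. The first time your team uses the response plan should not be during a real security incident. Exercises expose communication gaps, unclear responsibilities, and missing tools that you will never find just by reading the document.

Tested Mar 15, 2026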

API Security Hardener

Lock down your endpoints against real-world attack patterns

Help me secure my API against common and advanced attack vectors.

API type: [REST / GraphQL / gRPC / WebSocket]
Authentication: [current auth mechanism and token lifecycle]
Authorization: [how you control who can access what]
Rate limiting: [current setup or none]
Public endpoints: [which endpoints are accessible without auth]
Sensitive operations: [endpoints that modify data, access PII, handle payments, manage permissions]
Framework: [what you're building with]
API consumers: [internal frontend / mobile app / third-party developers / all]

Provide:
1. **OWASP API Security Top 10 assessment:** for each risk category, whether your API is vulnerable and the specific fix
2. **Input validation strategy:** what to validate on each endpoint type (path params, query params, request body, headers). Include validation library recommendations for your framework
3. **Authentication hardening:** token lifecycle, refresh token rotation, session fixation prevention, credential stuffing protection
4. **Authorization deep dive:** broken object-level authorization (BOLA/IDOR) prevention, function-level access control, field-level permissions
5. **Rate limiting configuration:** different limits by endpoint sensitivity (auth endpoints stricter than read endpoints). Include specific numbers and the response to return when limited
6. **API abuse detection:** behavioral patterns that indicate malicious usage (credential stuffing, data scraping, enumeration attacks). What to log and what to alert on
7. **Security headers & response hardening:** CORS config, content-type enforcement, error message sanitization (never leak stack traces or internal details to API consumers)

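Pro tip

Test your API security with the same tools attackers use. After implementing these recommendations, test your endpoints with OWASP ZAP or Burp Suite. Security that has not been tested is just security theater. And check the OWASP API Security Top 10 specifically; it is different from the web application Top 10.

Tested Mar 15, 2026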

Modern Authentication System Designer

Build an authentication system that is both secure and user-friendly

Help me design a modern, secure authentication system.

Application type: [consumer app / enterprise SaaS / internal tool / API platform]
User base: [tech-savvy / general public / enterprise employees / developers]
Current auth: [password only / social login / 2FA / SSO / passwordless / none yet]
Framework: [your web framework and any auth libraries]
Regulatory needs: [compliance requirements affecting auth]
User friction tolerance: [security-first / balanced / convenience-first]
Scale: [number of users and concurrent sessions]

Design:
1. **Password policy (NIST-aligned):** minimum length, no arbitrary complexity rules, check against breached password databases, rate limit attempts. Include the specific implementation for your framework
2. **Hashing strategy:** recommended algorithm (Argon2id > bcrypt > scrypt), configuration parameters (memory, iterations, parallelism), and migration path from weaker hashing
3. **Multi-factor authentication:** which MFA methods to support (TOTP, WebAuthn/passkeys, SMS as fallback), enrollment flow, and recovery when MFA device is lost
4. **Session management:** token type (JWT vs. opaque), storage, lifecycle, refresh strategy, concurrent session handling, and forced logout capability
5. **Account recovery:** password reset flow that's secure AND user-friendly. Prevent account enumeration. Include the email template and token lifecycle
6. **Brute force protection:** progressive lockout (not permanent), CAPTCHA integration point, IP-based and account-based rate limiting. Specific thresholds
7. **Passwordless path:** if appropriate for your users, a migration strategy from passwords to passkeys/WebAuthn with fallback mechanisms

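Pro tip

Specify your framework and authentication library. Generic password security advice is everywhere, but knowing how to implement Argon2 with NextAuth in a Next.js app is what saves time. And follow the NIST 800-63B guidelines: they have retired old rules such as "change every 90 days" and "must contain special characters," which were annoying without improving security.

Tested Mar 15, 2026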

Data Privacy Implementation Guide

Comply with GDPR, CCPA, and other privacy regulations without over-engineering

Help me implement data privacy best practices and comply with regulations.

Data collected: [list ALL personal data you collect — including what third-party scripts collect]
Storage locations: [where data lives: database, object storage, logs, analytics, CDN, third-party services]
Third-party data sharing: [which services receive user data and what data they get]
User geography: [where your users are located — determines which laws apply]
Current privacy measures: [what's already implemented]
Compliance target: [GDPR / CCPA / both / LGPD / PIPEDA / other]
Data processing activities: [what you do with the data: analytics, personalization, marketing, ML training]

Provide:
1. **Data inventory and classification:** categorize every data point by sensitivity level (public, internal, confidential, restricted). Flag anything you collect but don't actually need
2. **Legal basis mapping:** for each data processing activity, which legal basis applies (consent, legitimate interest, contract, legal obligation) and the documentation required
3. **Consent management:** implementation plan for cookie consent, marketing opt-in, and data processing consent. Include the UI flow and technical storage
4. **Data subject rights:** technical implementation for each right (access, deletion, portability, rectification, restriction). Include API endpoints or admin tools needed
5. **Data retention schedule:** for each data type, how long to keep it, when to anonymize vs. delete, and the automated cleanup process
6. **Privacy by design checklist:** for new features, the questions to ask before collecting any data. Integrate into your sprint planning process
7. **Vendor assessment template:** questions to ask third-party services about their data handling, DPA requirements, and sub-processor management

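Pro tip

Audit your analytics and logs first. Most privacy violations come from data you forgot you were collecting, not from data you deliberately store. Check your error logs, analytics events, third-party scripts, and CDN logs for hidden collection of personal data. The biggest privacy risk is usually the data you don't know you have.

Tested Mar 15, 2026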

Security Compliance Navigator

Navigate SOC2, ISO 27001, and other compliance frameworks without drowning

Help me navigate security compliance for my organization.

Company stage: [startup / growth / enterprise]
Industry: [SaaS / fintech / healthcare / e-commerce / other]
Compliance target: [SOC2 / ISO 27001 / HIPAA / PCI-DSS / multiple]
Why now: [customer requirement / investor due diligence / regulatory / proactive]
Current security posture: [describe what's in place: policies, tools, practices]
Team: [who will own compliance — dedicated security team / engineering lead / external consultant]
Timeline: [when you need to be compliant]
Budget: [approximate budget for tools and consulting]

Provide:
1. **Framework overview:** what the compliance framework actually requires, in plain English. Cut through the jargon — what do you actually need to DO?
2. **Gap assessment template:** a checklist of requirements mapped to your current state. For each: have it / partially have it / don't have it / not applicable
3. **Quick wins:** controls you probably already have but haven't documented. Help me find and document them (version control = change management, code review = peer review control, etc.)
4. **Policy templates:** the 5 most important policies to write first (Information Security, Acceptable Use, Incident Response, Access Control, Data Classification). Outline for each
5. **Tool recommendations:** specific tools for your budget and company size (vulnerability scanning, endpoint protection, log management, access reviews). Not enterprise-grade for a startup
6. **Evidence collection plan:** what auditors will ask for and how to automatically generate evidence throughout the year instead of scrambling before the audit
7. **Timeline and budget:** realistic month-by-month plan from current state to audit-ready, with estimated costs for tools, consulting, and internal time

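Pro tip

Start with SOC2 Type I, then do Type II: Type I proves you have controls in place, and Type II proves they work over time. And don't implement every control at once. First map your existing practices to the framework; you may already have met 40-60% of the requirements without realizing it.

Tested Mar 15, 2026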

Model Comparison

Based on actual test results, not hypothetical speculation.

Gemini 2.5 Pro

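Best at incident response playbooks and compliance framework navigation. Produces structured, regulation-aligned documents with clear checklists and timelines. Good at mapping existing practices to compliance controls. Less detailed on application-level code security analysis.

Best for incident response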

GPT-4.1

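Best at API security hardening and authentication system design. Produces production-ready security configurations and framework-specific implementation code. Has the broadest knowledge of security tools and platforms. May suggest enterprise-grade solutions even when a simpler approach fits your scale better.

Best for API security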

Claude Sonnet 4

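Best at security audits, threat modeling, and privacy implementation. Provides the most thorough vulnerability analysis, with risks ranked in business context. Identifies attack vectors and data flow risks that other models miss. Best at explaining why a vulnerability matters, not just that it exists.

Best for threat modeling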

Grok 3

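Strong on real-world threat awareness, speaking bluntly about actual security risks. Provides practical, actionable security fixes without over-engineering. Best for quickly getting an honest assessment of your security posture. Less systematic on compliance frameworks and detailed audit documentation.

Best for quick assessment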

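Pro tips

1. **Security is a process, not a product:** you can't install security measures and then forget about them. Schedule quarterly reviews, keep dependencies updated, and assume that today's security configuration will be found vulnerable tomorrow.
2. **Audit logs first, then code:** most privacy violations and data leaks come from data you forgot you were collecting, such as error logs containing full request bodies, analytics events carrying personal data, and third-party scripts that track everything.
3. **Don't store what you don't need:** every piece of data you store is a liability in a security incident. Ask the AI to help you audit what is truly needed vs. what is collected "just in case." Deleting unnecessary data is the cheapest security improvement you can make.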