aiskillstore/security-engineering

Security Engineering

Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

When to Use This Skill

• Designing security architecture
• Implementing authentication and authorization
• Conducting threat modeling
• Security code review
• Implementing compliance controls (SOC2, HIPAA, PCI-DSS)
• Incident response planning
• Security monitoring and alerting

Security Architecture

Defense in Depth

Layer security controls at multiple levels:

| Layer | Controls | |-------|----------| | Perimeter | Firewall, WAF, DDoS protection | | Network | Segmentation, IDS/IPS, VPN | | Host | Hardening, EDR, patch management | | Application | Input validation, secure coding, SAST/DAST | | Data | Encryption, access control, DLP | | Identity | MFA, SSO, privileged access management |

Zero Trust Architecture

Core Principles:

1. Never trust, always verify
2. Assume breach mentality
3. Least privilege access
4. Micro-segmentation
5. Continuous verification

Implementation:

• Identity-based access (not network-based)
• Device health verification
• Continuous authentication
• Encrypted communications everywhere
• Detailed logging and monitoring

Authentication Patterns

OAuth 2.0 / OIDC

Grant Types:

| Grant | Use Case | |-------|----------| | Authorization Code + PKCE | Web/mobile apps | | Client Credentials | Service-to-service | | Device Code | CLI tools, IoT |

Token Best Practices:

• Short-lived access tokens (15 min - 1 hour)
• Secure refresh token storage
• Token rotation on use
• Revocation capabilities

Session Management

• Secure, HttpOnly, SameSite cookies
• Session timeout (idle and absolute)
• Session invalidation on logout
• Concurrent session limits
• Session binding to device/IP

Multi-Factor Authentication

• TOTP (authenticator apps)
• WebAuthn/FIDO2 (hardware keys)
• Push notifications
• SMS (last resort, vulnerable to SIM swap)

Authorization Patterns

RBAC (Role-Based Access Control)

Users → Roles → Permissions

Best for: Well-defined organizational hierarchies

ABAC (Attribute-Based Access Control)

If user.department == "engineering" AND
   resource.classification == "internal" AND
   time.hour BETWEEN 9 AND 17
THEN allow

Best for: Complex, dynamic access requirements

Policy as Code

Use OPA/Rego or Cedar for externalized policy:

• Version controlled policies
• Testable access rules
• Audit trail
• Separation of concerns

Secure Development

OWASP Top 10 Mitigations

| Risk | Mitigation | |------|------------| | Injection | Parameterized queries, input validation | | Broken Auth | Strong password policy, MFA, rate limiting | | Sensitive Data | Encryption, minimal data collection | | XXE | Disable external entities | | Broken Access | Authorization checks, default deny | | Misconfig | Secure defaults, hardening guides | | XSS | Output encoding, CSP | | Deserialization | Integrity checks, avoid untrusted data | | Components | Dependency scanning, updates | | Logging | Centralized logging, alerting |

Security Testing

SAST (Static Analysis):

• Run on every commit
• Block high-severity findings
• Tools: Semgrep, CodeQL, SonarQube

DAST (Dynamic Analysis):

• Run against staging/dev
• Tools: OWASP ZAP, Burp Suite

Dependency Scanning:

• Check for known vulnerabilities
• Tools: Snyk, Dependabot, npm audit

Secrets Management

Never:

• Commit secrets to git
• Log secrets
• Pass secrets in URLs
• Hardcode secrets

Do:

• Use secret managers (Vault, AWS Secrets Manager)
• Rotate secrets regularly
• Audit secret access
• Use short-lived credentials

Compliance Frameworks

Common Requirements

| Framework | Focus Area | |-----------|------------| | SOC 2 | Trust services (security, availability, etc.) | | HIPAA | Healthcare data protection | | PCI-DSS | Payment card data | | GDPR | EU personal data protection | | ISO 27001 | Information security management |

Key Controls

• Access control and authentication
• Encryption (at rest and in transit)
• Logging and monitoring
• Incident response procedures
• Business continuity planning
• Vendor management
• Employee security training

Incident Response

Response Phases

1. Preparation: Runbooks, tools, training
2. Detection: Monitoring, alerting, triage
3. Containment: Isolate, preserve evidence
4. Eradication: Remove threat, patch vulnerabilities
5. Recovery: Restore services, verify clean
6. Lessons Learned: Post-mortem, improvements

Severity Levels

| Level | Description | Response Time | |-------|-------------|---------------| | P1 | Active breach, data exfiltration | Immediate | | P2 | Vulnerability being exploited | < 4 hours | | P3 | High-risk vulnerability discovered | < 24 hours | | P4 | Security improvement needed | Next sprint |

Reference Files

• references/threat_modeling.md - STRIDE methodology and examples
• references/compliance_controls.md - Framework-specific control mappings

Integration with Other Skills

• cloud-infrastructure - For cloud security
• debugging - For security incident investigation
• testing - For security testing patterns