security-engineering

Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "security-engineering" with this command: npx skills add 89jobrien/steve/89jobrien-steve-security-engineering

Security Engineering

When to Use This Skill

  • Designing security architecture

  • Implementing authentication and authorization

  • Conducting threat modeling

  • Security code review

  • Implementing compliance controls (SOC2, HIPAA, PCI-DSS)

  • Incident response planning

  • Security monitoring and alerting

Security Architecture

Defense in Depth

Layer security controls at multiple levels:

| Layer | Controls |
| --- | --- |
| Perimeter | Firewall, WAF, DDoS protection |
| Network | Segmentation, IDS/IPS, VPN |
| Host | Hardening, EDR, patch management |
| Application | Input validation, secure coding, SAST/DAST |
| Data | Encryption, access control, DLP |
| Identity | MFA, SSO, privileged access management |

Zero Trust Architecture

Core Principles:

  • Never trust, always verify

  • Assume breach mentality

  • Least privilege access

  • Micro-segmentation

  • Continuous verification

Implementation:

  • Identity-based access (not network-based)

  • Device health verification

  • Continuous authentication

  • Encrypted communications everywhere

  • Detailed logging and monitoring

Authentication Patterns

OAuth 2.0 / OIDC

Grant Types:

| Grant | Use Case |
| --- | --- |
| Authorization Code + PKCE | Web/mobile apps |
| Client Credentials | Service-to-service |
| Device Code | CLI tools, IoT |

Token Best Practices:

  • Short-lived access tokens (15 min - 1 hour)

  • Secure refresh token storage

  • Token rotation on use

  • Revocation capabilities

Session Management

  • Secure, HttpOnly, SameSite cookies

  • Session timeout (idle and absolute)

  • Session invalidation on logout

  • Concurrent session limits

  • Session binding to device/IP
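
The session controls listed above, sketched as an added example (not part of the upstream skill): an in-memory store enforcing idle and absolute timeouts, logout invalidation and a concurrent-session limit, plus a cookie carrying the Secure, HttpOnly and SameSite attributes. The timeout values, the session limit, the cookie name and all class and function names are assumptions; device/IP binding is left out.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60           # seconds without activity (assumed value)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # seconds since login, regardless of activity (assumed)
MAX_SESSIONS_PER_USER = 2        # concurrent session limit (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def create(self, user, now):
        # Concurrent session limit: evict the user's oldest sessions first.
        mine = sorted((s["created"], sid)
                      for sid, s in self._sessions.items() if s["user"] == user)
        while len(mine) >= MAX_SESSIONS_PER_USER:
            del self._sessions[mine.pop(0)[1]]
        sid = secrets.token_urlsafe(32)  # unguessable identifier from the CSPRNG
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, now):
        """Return the user for a live session, or None (and drop it) if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s["last_seen"] > IDLE_TIMEOUT
        absolute_expired = now - s["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self._sessions[sid]
            return None
        s["last_seen"] = now  # activity resets only the idle timer
        return s["user"]

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie alone is not enough.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Build the Set-Cookie value with Secure, HttpOnly and SameSite set."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c["session"].OutputString()
```
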

Multi-Factor Authentication

  • TOTP (authenticator apps)

  • WebAuthn/FIDO2 (hardware keys)

  • Push notifications

  • SMS (last resort, vulnerable to SIM swap)

Authorization Patterns

RBAC (Role-Based Access Control)

Users → Roles → Permissions

Best for: Well-defined organizational hierarchies

ABAC (Attribute-Based Access Control)

    If user.department == "engineering"
    AND resource.classification == "internal"
    AND time.hour BETWEEN 9 AND 17
    THEN allow

Best for: Complex, dynamic access requirements
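
The ABAC rule above as an added, runnable example (not part of the upstream skill), evaluated with default deny so that a missing or malformed attribute never grants access. The function and rule names are assumptions, and BETWEEN 9 AND 17 is read as inclusive.

```python
from dataclasses import dataclass
from typing import Any, Callable, Mapping

Attrs = Mapping[str, Any]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]


def engineering_internal_business_hours(user, resource, env):
    # The rule from the text; BETWEEN is treated as inclusive (assumption).
    return (
        user["department"] == "engineering"
        and resource["classification"] == "internal"
        and 9 <= env["hour"] <= 17
    )


RULES = [Rule("eng-internal-business-hours", engineering_internal_business_hours)]


def decide(user, resource, env, rules=RULES):
    """Return (allowed, reason); the reason is what goes in the audit trail."""
    for rule in rules:
        try:
            if rule.condition(user, resource, env):
                return True, rule.name
        except (KeyError, TypeError):
            # Attribute absent or of the wrong type: the rule does not match.
            # Failing closed here keeps incomplete requests from being allowed.
            continue
    return False, "default-deny"
```
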

Policy as Code

Use OPA/Rego or Cedar for externalized policy:

  • Version controlled policies

  • Testable access rules

  • Audit trail

  • Separation of concerns

Secure Development

OWASP Top 10 Mitigations

| Risk | Mitigation |
| --- | --- |
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong password policy, MFA, rate limiting |
| Sensitive Data | Encryption, minimal data collection |
| XXE | Disable external entities |
| Broken Access | Authorization checks, default deny |
| Misconfig | Secure defaults, hardening guides |
| XSS | Output encoding, CSP |
| Deserialization | Integrity checks, avoid untrusted data |
| Components | Dependency scanning, updates |
| Logging | Centralized logging, alerting |

Security Testing

SAST (Static Analysis):

  • Run on every commit

  • Block high-severity findings

  • Tools: Semgrep, CodeQL, SonarQube

DAST (Dynamic Analysis):

  • Run against staging/dev

  • Tools: OWASP ZAP, Burp Suite

Dependency Scanning:

  • Check for known vulnerabilities

  • Tools: Snyk, Dependabot, npm audit

Secrets Management

Never:

  • Commit secrets to git

  • Log secrets

  • Pass secrets in URLs

  • Hardcode secrets

Do:

  • Use secret managers (Vault, AWS Secrets Manager)

  • Rotate secrets regularly

  • Audit secret access

  • Use short-lived credentials

Compliance Frameworks

Common Requirements

| Framework | Focus Area |
| --- | --- |
| SOC 2 | Trust services (security, availability, etc.) |
| HIPAA | Healthcare data protection |
| PCI-DSS | Payment card data |
| GDPR | EU personal data protection |
| ISO 27001 | Information security management |

Key Controls

  • Access control and authentication

  • Encryption (at rest and in transit)

  • Logging and monitoring

  • Incident response procedures

  • Business continuity planning

  • Vendor management

  • Employee security training

Incident Response

Response Phases

  • Preparation: Runbooks, tools, training

  • Detection: Monitoring, alerting, triage

  • Containment: Isolate, preserve evidence

  • Eradication: Remove threat, patch vulnerabilities

  • Recovery: Restore services, verify clean

  • Lessons Learned: Post-mortem, improvements

Severity Levels

| Level | Description | Response Time |
| --- | --- | --- |
| P1 | Active breach, data exfiltration | Immediate |
| P2 | Vulnerability being exploited | < 4 hours |
| P3 | High-risk vulnerability discovered | < 24 hours |
| P4 | Security improvement needed | Next sprint |

Reference Files

  • references/threat_modeling.md: STRIDE methodology and examples

  • references/compliance_controls.md: Framework-specific control mappings

Integration with Other Skills

  • cloud-infrastructure - For cloud security

  • debugging - For security incident investigation

  • testing - For security testing patterns

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
