Security Engineering

Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

When to Use This Skill

• Designing security architecture
• Implementing authentication and authorization
• Conducting threat modeling
• Security code review
• Implementing compliance controls (SOC2, HIPAA, PCI-DSS)
• Incident response planning
• Security monitoring and alerting

Security Architecture

Defense in Depth

Layer security controls at multiple levels:

Zero Trust Architecture

Core Principles:

1. Never trust, always verify
2. Assume breach mentality
3. Least privilege access
4. Micro-segmentation
5. Continuous verification

Implementation:

• Identity-based access (not network-based)
• Device health verification
• Continuous authentication
• Encrypted communications everywhere
• Detailed logging and monitoring

Authentication Patterns

OAuth 2.0 / OIDC

Grant Types:

Token Best Practices:

• Short-lived access tokens (15 min - 1 hour)
• Secure refresh token storage
• Token rotation on use
• Revocation capabilities

Session Management

• Secure, HttpOnly, SameSite cookies
• Session timeout (idle and absolute)
• Session invalidation on logout
• Concurrent session limits
• Session binding to device/IP

Multi-Factor Authentication

• TOTP (authenticator apps)
• WebAuthn/FIDO2 (hardware keys)
• Push notifications
• SMS (last resort, vulnerable to SIM swap)

Authorization Patterns

RBAC (Role-Based Access Control)

Users → Roles → Permissions

Best for: Well-defined organizational hierarchies

ABAC (Attribute-Based Access Control)

If user.department == "engineering" AND
   resource.classification == "internal" AND
   time.hour BETWEEN 9 AND 17
THEN allow

Best for: Complex, dynamic access requirements

Policy as Code

Use OPA/Rego or Cedar for externalized policy:

• Version controlled policies
• Testable access rules
• Audit trail
• Separation of concerns

Secure Development

OWASP Top 10 Mitigations

Security Testing

SAST (Static Analysis):

• Run on every commit
• Block high-severity findings
• Tools: Semgrep, CodeQL, SonarQube

DAST (Dynamic Analysis):

• Run against staging/dev
• Tools: OWASP ZAP, Burp Suite

Dependency Scanning:

• Check for known vulnerabilities
• Tools: Snyk, Dependabot, npm audit

Secrets Management

Never:

• Commit secrets to git
• Log secrets
• Pass secrets in URLs
• Hardcode secrets

Do:

• Use secret managers (Vault, AWS Secrets Manager)
• Rotate secrets regularly
• Audit secret access
• Use short-lived credentials

Compliance Frameworks

Common Requirements

Key Controls

• Access control and authentication
• Encryption (at rest and in transit)
• Logging and monitoring
• Incident response procedures
• Business continuity planning
• Vendor management
• Employee security training

Incident Response

Response Phases

1. Preparation: Runbooks, tools, training
2. Detection: Monitoring, alerting, triage
3. Containment: Isolate, preserve evidence
4. Eradication: Remove threat, patch vulnerabilities
5. Recovery: Restore services, verify clean
6. Lessons Learned: Post-mortem, improvements

Severity Levels

Reference Files

• references/threat_modeling.md - STRIDE methodology and examples
• references/compliance_controls.md - Framework-specific control mappings

Integration with Other Skills

• cloud-infrastructure - For cloud security
• debugging - For security incident investigation
• testing - For security testing patterns