    89jobrien/security-engineering
    Security
    About

    Security architecture and implementation patterns...

    SKILL.md

    Security Engineering

    Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

    When to Use This Skill

    • Designing security architecture
    • Implementing authentication and authorization
    • Conducting threat modeling
    • Security code review
    • Implementing compliance controls (SOC2, HIPAA, PCI-DSS)
    • Incident response planning
    • Security monitoring and alerting

    Security Architecture

    Defense in Depth

    Layer security controls at multiple levels:

    | Layer | Controls |
    |---|---|
    | Perimeter | Firewall, WAF, DDoS protection |
    | Network | Segmentation, IDS/IPS, VPN |
    | Host | Hardening, EDR, patch management |
    | Application | Input validation, secure coding, SAST/DAST |
    | Data | Encryption, access control, DLP |
    | Identity | MFA, SSO, privileged access management |

    Zero Trust Architecture

    Core Principles:

    1. Never trust, always verify
    2. Assume breach mentality
    3. Least privilege access
    4. Micro-segmentation
    5. Continuous verification

    Implementation:

    • Identity-based access (not network-based)
    • Device health verification
    • Continuous authentication
    • Encrypted communications everywhere
    • Detailed logging and monitoring

    Authentication Patterns

    OAuth 2.0 / OIDC

    Grant Types:

    | Grant | Use Case |
    |---|---|
    | Authorization Code + PKCE | Web/mobile apps |
    | Client Credentials | Service-to-service |
    | Device Code | CLI tools, IoT |

    Token Best Practices:

    • Short-lived access tokens (15 min - 1 hour)
    • Secure refresh token storage
    • Token rotation on use
    • Revocation capabilities

    Session Management

    • Secure, HttpOnly, SameSite cookies
    • Session timeout (idle and absolute)
    • Session invalidation on logout
    • Concurrent session limits
    • Session binding to device/IP
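    The checklist above as working code, added here as an illustration and not part of the skill file or the 89jobrien project: an in-memory session store that enforces an idle timeout, an absolute timeout, a concurrent-session limit and device binding, invalidates on logout, and emits a cookie with the Secure, HttpOnly and SameSite flags. The timeout and limit values are assumed for the example; the `now` parameter exists so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Policy values assumed for this example (the skill lists the controls, not the numbers).
IDLE_TIMEOUT = 15 * 60            # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # hard lifetime regardless of activity
MAX_SESSIONS_PER_USER = 3         # concurrent session limit


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    device: str   # fingerprint the session is bound to (e.g. user agent + client IP)


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def create(self, user, device, now=None):
        now = time.time() if now is None else now
        # Concurrent-session limit: evict the oldest session(s) for this user first.
        mine = sorted((s.created, sid) for sid, s in self.sessions.items() if s.user == user)
        while len(mine) >= MAX_SESSIONS_PER_USER:
            _, oldest = mine.pop(0)
            del self.sessions[oldest]
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self.sessions[sid] = Session(user, now, now, device)
        return sid

    def validate(self, sid, device, now=None):
        """Return the user for a live session, or None after invalidating a dead one."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        absolute_expired = now - s.created > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired or s.device != device:
            # Expired, or presented from a different device: invalidate instead of trusting it.
            del self.sessions[sid]
            return None
        s.last_seen = now   # sliding idle window
        return s.user

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie in the browser alone is not enough.
        self.sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value carrying the Secure, HttpOnly and SameSite flags from the checklist."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True          # only transmitted over HTTPS
    c["sid"]["httponly"] = True        # invisible to document.cookie
    c["sid"]["samesite"] = "Strict"    # withheld from cross-site requests
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()
```

    A device mismatch is treated the same as expiry: the session is destroyed rather than merely refused, so a stolen cookie presented from elsewhere also ends the legitimate session.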

    Multi-Factor Authentication

    • TOTP (authenticator apps)
    • WebAuthn/FIDO2 (hardware keys)
    • Push notifications
    • SMS (last resort, vulnerable to SIM swap)

    Authorization Patterns

    RBAC (Role-Based Access Control)

    Users → Roles → Permissions
    

    Best for: Well-defined organizational hierarchies

    ABAC (Attribute-Based Access Control)

    If user.department == "engineering" AND
       resource.classification == "internal" AND
       time.hour BETWEEN 9 AND 17
    THEN allow

    Best for: Complex, dynamic access requirements
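    Both models side by side in a single added example (not code from the skill file): a users-to-roles-to-permissions lookup for RBAC, and an ABAC policy whose first rule is the department/classification/working-hours predicate quoted above. The role table and user assignments are constructed for the example; both evaluators default to deny, so an unknown user, role or missing attribute grants nothing.

```python
from dataclasses import dataclass, field

# --- RBAC: Users -> Roles -> Permissions --------------------------------------

ROLE_PERMISSIONS = {   # constructed roles and permission strings for the example
    "viewer": {"doc:read"},
    "editor": {"doc:read", "doc:write"},
    "admin": {"doc:read", "doc:write", "doc:delete", "user:manage"},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}, "carol": {"admin"}}


def rbac_allows(user: str, permission: str) -> bool:
    """Default deny: a user has a permission only if one of their known roles carries it."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: predicates over subject, resource and environment attributes -------

@dataclass
class Request:
    user: dict       # subject attributes, e.g. {"department": "engineering"}
    resource: dict   # resource attributes, e.g. {"classification": "internal"}
    env: dict        # environment attributes, e.g. {"hour": 10}


def internal_engineering_hours(req: Request) -> bool:
    """The rule quoted above: engineering department, internal resource, 09:00 to 17:00 inclusive."""
    return (
        req.user.get("department") == "engineering"
        and req.resource.get("classification") == "internal"
        and 9 <= req.env.get("hour", -1) <= 17
    )


@dataclass
class AbacPolicy:
    rules: list = field(default_factory=list)   # each rule: Callable[[Request], bool]

    def allows(self, req: Request) -> bool:
        """Permit-overrides with default deny: any matching rule grants, no match denies."""
        return any(rule(req) for rule in self.rules)


def authorize(user: str, permission: str, req: Request, policy: AbacPolicy) -> bool:
    """Layered decision: RBAC answers 'may this role ever do this', ABAC answers 'is it allowed now'."""
    return rbac_allows(user, permission) and policy.allows(req)
```

    Keeping rules as plain functions is what makes them unit-testable, which is the same property the externalized policy engines below (OPA/Rego, Cedar) provide at scale.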

    Policy as Code

    Use OPA/Rego or Cedar for externalized policy:

    • Version controlled policies
    • Testable access rules
    • Audit trail
    • Separation of concerns

    Secure Development

    OWASP Top 10 Mitigations

    | Risk | Mitigation |
    |---|---|
    | Injection | Parameterized queries, input validation |
    | Broken Auth | Strong password policy, MFA, rate limiting |
    | Sensitive Data | Encryption, minimal data collection |
    | XXE | Disable external entities |
    | Broken Access | Authorization checks, default deny |
    | Misconfig | Secure defaults, hardening guides |
    | XSS | Output encoding, CSP |
    | Deserialization | Integrity checks, avoid untrusted data |
    | Components | Dependency scanning, updates |
    | Logging | Centralized logging, alerting |
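    The first row of that table worked through, as an added example rather than code from the skill file: the vulnerable string-built query beside its parameterized replacement, run against a constructed in-memory SQLite table. A legitimate name containing an apostrophe is enough to show the difference: the spliced version hands the apostrophe to the SQL parser and fails, while the parameterized version treats the whole value as data. The allow-list validator is an assumed policy for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("O'Brien", "obrien@example.com"),
    ])
    return conn


def find_user_unsafe(conn, name):
    # VULNERABLE: the value is spliced into the statement text, so the parser sees it as SQL.
    return conn.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # Parameterized: the value travels separately from the statement and cannot change its structure.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> str:
    """Input validation as a second layer (assumed allow-list): length bound plus a small character set."""
    if not (1 <= len(name) <= 64) or not all(c.isalnum() or c in "'-_." for c in name):
        raise ValueError("invalid username")
    return name


def demonstrate(name: str) -> dict:
    """Run both lookups on the same input and report what each returned or raised."""
    conn = setup_db()
    try:
        unsafe, unsafe_error = find_user_unsafe(conn, name), None
    except sqlite3.Error as exc:
        unsafe, unsafe_error = None, type(exc).__name__
    return {"safe": find_user_safe(conn, name), "unsafe": unsafe, "unsafe_error": unsafe_error}
```

    Validation is not a substitute for parameterization: the allow-list above deliberately permits the apostrophe, because real names contain it, and the parameterized query copes with it regardless.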

    Security Testing

    SAST (Static Analysis):

    • Run on every commit
    • Block high-severity findings
    • Tools: Semgrep, CodeQL, SonarQube

    DAST (Dynamic Analysis):

    • Run against staging/dev
    • Tools: OWASP ZAP, Burp Suite

    Dependency Scanning:

    • Check for known vulnerabilities
    • Tools: Snyk, Dependabot, npm audit

    Secrets Management

    Never:

    • Commit secrets to git
    • Log secrets
    • Pass secrets in URLs
    • Hardcode secrets

    Do:

    • Use secret managers (Vault, AWS Secrets Manager)
    • Rotate secrets regularly
    • Audit secret access
    • Use short-lived credentials
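    A guard for the "never log secrets" and "never pass secrets in URLs" items, added here as an example and not taken from the skill file: a `logging.Filter` that formats each record and then masks bearer tokens, `key=value` credentials and `user:password@` URL components before the line reaches any handler. The patterns are an assumed starting set; a real deployment would extend them for its own credential formats.

```python
import io
import logging
import re

# Assumed starting patterns; each pair is (regex, replacement keeping the label, masking the value).
SECRET_PATTERNS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(password|passwd|api[_-]?key|token|secret)(\s*[=:]\s*)[^\s&]+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)(://[^/\s:@]+:)[^@\s]+@"), r"\1[REDACTED]@"),   # user:password@host in URLs
]


def redact(text: str) -> str:
    """Apply every pattern; labels survive so the log line still says what was redacted."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Formats the record first so a secret passed as a %-argument is caught as well as one in the message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def logged_line(message: str, *args) -> str:
    """Emit one record through a logger carrying the filter and return the line that would be written."""
    stream = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    return stream.getvalue().strip()
```

    Attach the filter to handlers rather than to individual loggers so third-party libraries that log through the root logger are covered too; redaction is a safety net, and the primary control remains not putting the secret in the message at all.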

    Compliance Frameworks

    Common Requirements

    | Framework | Focus Area |
    |---|---|
    | SOC 2 | Trust services (security, availability, etc.) |
    | HIPAA | Healthcare data protection |
    | PCI-DSS | Payment card data |
    | GDPR | EU personal data protection |
    | ISO 27001 | Information security management |

    Key Controls

    • Access control and authentication
    • Encryption (at rest and in transit)
    • Logging and monitoring
    • Incident response procedures
    • Business continuity planning
    • Vendor management
    • Employee security training

    Incident Response

    Response Phases

    1. Preparation: Runbooks, tools, training
    2. Detection: Monitoring, alerting, triage
    3. Containment: Isolate, preserve evidence
    4. Eradication: Remove threat, patch vulnerabilities
    5. Recovery: Restore services, verify clean
    6. Lessons Learned: Post-mortem, improvements

    Severity Levels

    | Level | Description | Response Time |
    |---|---|---|
    | P1 | Active breach, data exfiltration | Immediate |
    | P2 | Vulnerability being exploited | < 4 hours |
    | P3 | High-risk vulnerability discovered | < 24 hours |
    | P4 | Security improvement needed | Next sprint |

    Reference Files

    • references/threat_modeling.md - STRIDE methodology and examples
    • references/compliance_controls.md - Framework-specific control mappings

    Integration with Other Skills

    • cloud-infrastructure - For cloud security
    • debugging - For security incident investigation
    • testing - For security testing patterns