Senior Security Engineer

Domain: Engineering - Core | Skill: senior-security | Source: engineering-team/senior-security/SKILL.md

---

Senior Security Engineer

Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing.

---

Table of Contents

• Threat Modeling Workflow
• Security Architecture Workflow
• Vulnerability Assessment Workflow
• Secure Code Review Workflow
• Incident Response Workflow
• Security Tools Reference
• Tools and References

---

Threat Modeling Workflow

Identify and analyze security threats using STRIDE methodology.

Workflow: Conduct Threat Model

1. Define system scope and boundaries:
2. Identify assets to protect
3. Map trust boundaries
4. Document data flows
5. Create data flow diagram:
6. External entities (users, services)
7. Processes (application components)
8. Data stores (databases, caches)
9. Data flows (APIs, network connections)
10. Apply STRIDE to each DFD element (see STRIDE per Element Matrix below)
11. Score risks using DREAD:
12. Damage potential (1-10)
13. Reproducibility (1-10)
14. Exploitability (1-10)
15. Affected users (1-10)
16. Discoverability (1-10)
17. Prioritize threats by risk score
18. Define mitigations for each threat
19. Document in threat model report
20. Validation: All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped

STRIDE Threat Categories

Category	Security Property	Mitigation Focus
Spoofing	Authentication	MFA, certificates, strong auth
Tampering	Integrity	Signing, checksums, validation
Repudiation	Non-repudiation	Audit logs, digital signatures
Information Disclosure	Confidentiality	Encryption, access controls
Denial of Service	Availability	Rate limiting, redundancy
Elevation of Privilege	Authorization	RBAC, least privilege

STRIDE per Element Matrix

DFD Element	S	T	R	I	D	E
External Entity	X		X
Process	X	X	X	X	X	X
Data Store		X	X	X	X
Data Flow		X		X	X

See: references/threat-modeling-guide.md

---

Security Architecture Workflow

Design secure systems using defense-in-depth principles.

Workflow: Design Secure Architecture

1. Define security requirements:
2. Compliance requirements (GDPR, HIPAA, PCI-DSS)
3. Data classification (public, internal, confidential, restricted)
4. Threat model inputs
5. Apply defense-in-depth layers:
6. Perimeter: WAF, DDoS protection, rate limiting
7. Network: Segmentation, IDS/IPS, mTLS
8. Host: Patching, EDR, hardening
9. Application: Input validation, authentication, secure coding
10. Data: Encryption at rest and in transit
11. Implement Zero Trust principles:
12. Verify explicitly (every request)
13. Least privilege access (JIT/JEA)
14. Assume breach (segment, monitor)
15. Configure authentication and authorization:
16. Identity provider selection
17. MFA requirements
18. RBAC/ABAC model
19. Design encryption strategy:
20. Key management approach
21. Algorithm selection
22. Certificate lifecycle
23. Plan security monitoring:
24. Log aggregation
25. SIEM integration
26. Alerting rules
27. Document architecture decisions
28. Validation: Defense-in-depth layers defined; Zero Trust applied; encryption strategy documented; monitoring planned

Defense-in-Depth Layers

Layer 1: PERIMETER
  WAF, DDoS mitigation, DNS filtering, rate limiting

Layer 2: NETWORK
  Segmentation, IDS/IPS, network monitoring, VPN, mTLS

Layer 3: HOST
  Endpoint protection, OS hardening, patching, logging

Layer 4: APPLICATION
  Input validation, authentication, secure coding, SAST

Layer 5: DATA
  Encryption at rest/transit, access controls, DLP, backup

Authentication Pattern Selection

Use Case	Recommended Pattern
Web application	OAuth 2.0 + PKCE with OIDC
API authentication	JWT with short expiration + refresh tokens
Service-to-service	mTLS with certificate rotation
CLI/Automation	API keys with IP allowlisting
High security	FIDO2/WebAuthn hardware keys

See: references/security-architecture-patterns.md

---

Vulnerability Assessment Workflow

Identify and remediate security vulnerabilities in applications.

Workflow: Conduct Vulnerability Assessment

1. Define assessment scope:
2. In-scope systems and applications
3. Testing methodology (black box, gray box, white box)
4. Rules of engagement
5. Gather information:
6. Technology stack inventory
7. Architecture documentation
8. Previous vulnerability reports
9. Perform automated scanning:
10. SAST (static analysis)
11. DAST (dynamic analysis)
12. Dependency scanning
13. Secret detection
14. Conduct manual testing:
15. Business logic flaws
16. Authentication bypass
17. Authorization issues
18. Injection vulnerabilities
19. Classify findings by severity:
20. Critical: Immediate exploitation risk
21. High: Significant impact, easier to exploit
22. Medium: Moderate impact or difficulty
23. Low: Minor impact
24. Develop remediation plan:
25. Prioritize by risk
26. Assign owners
27. Set deadlines
28. Verify fixes and document
29. Validation: Scope defined; automated and manual testing complete; findings classified; remediation tracked

For OWASP Top 10 vulnerability descriptions and testing guidance, refer to owasp.org/Top10.

Vulnerability Severity Matrix

Impact Exploitability	Easy	Moderate	Difficult
Critical	Critical	Critical	High
High	Critical	High	Medium
Medium	High	Medium	Low
Low	Medium	Low	Low

---

Secure Code Review Workflow

Review code for security vulnerabilities before deployment.

Workflow: Conduct Security Code Review

1. Establish review scope:
2. Changed files and functions
3. Security-sensitive areas (auth, crypto, input handling)
4. Third-party integrations
5. Run automated analysis:
6. SAST tools (Semgrep, CodeQL, Bandit)
7. Secret scanning
8. Dependency vulnerability check
9. Review authentication code:
10. Password handling (hashing, storage)
11. Session management
12. Token validation
13. Review authorization code:
14. Access control checks
15. RBAC implementation
16. Privilege boundaries
17. Review data handling:
18. Input validation
19. Output encoding
20. SQL query construction
21. File path handling
22. Review cryptographic code:
23. Algorithm selection
24. Key management
25. Random number generation
26. Document findings with severity
27. Validation: Automated scans passed; auth/authz reviewed; data handling checked; crypto verified; findings documented

Security Code Review Checklist

Category	Check	Risk
Input Validation	All user input validated and sanitized	Injection
Output Encoding	Context-appropriate encoding applied	XSS
Authentication	Passwords hashed with Argon2/bcrypt	Credential theft
Session	Secure cookie flags set (HttpOnly, Secure, SameSite)	Session hijacking
Authorization	Server-side permission checks on all endpoints	Privilege escalation
SQL	Parameterized queries used exclusively	SQL injection
File Access	Path traversal sequences rejected	Path traversal
Secrets	No hardcoded credentials or keys	Information disclosure
Dependencies	Known vulnerable packages updated	Supply chain
Logging	Sensitive data not logged	Information disclosure

Secure vs Insecure Patterns

Pattern	Issue	Secure Alternative
SQL string formatting	SQL injection	Use parameterized queries with placeholders
Shell command building	Command injection	Use subprocess with argument lists, no shell
Path concatenation	Path traversal	Validate and canonicalize paths
MD5/SHA1 for passwords	Weak hashing	Use Argon2id or bcrypt
Math.random for tokens	Predictable values	Use crypto.getRandomValues

Inline Code Examples

SQL Injection — insecure vs. secure (Python):

# ❌ Insecure: string formatting allows SQL injection
query = f"SELECT * FROM users WHERE username = '{username}'"
cursor.execute(query)

# ✅ Secure: parameterized query — user input never interpreted as SQL
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))

Password Hashing with Argon2id (Python):

from argon2 import PasswordHasher

ph = PasswordHasher()          # uses secure defaults (time_cost, memory_cost)

# On registration
hashed = ph.hash(plain_password)

# On login — raises argon2.exceptions.VerifyMismatchError on failure
ph.verify(hashed, plain_password)

Secret Scanning — core pattern matching (Python):

import re, pathlib

SECRET_PATTERNS = {
    "aws_access_key":  re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_token":    re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "private_key":     re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
    "generic_secret":  re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\']?\S{8,}'),
}

def scan_file(path: pathlib.Path) -> list[dict]:
    findings = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": str(path), "line": lineno, "type": name})
    return findings

---

Incident Response Workflow

Respond to and contain security incidents.

Workflow: Handle Security Incident

1. Identify and triage:
2. Validate incident is genuine
3. Assess initial scope and severity
4. Activate incident response team
5. Contain the threat:
6. Isolate affected systems
7. Block malicious IPs/accounts
8. Disable compromised credentials
9. Eradicate root cause:
10. Remove malware/backdoors
11. Patch vulnerabilities
12. Update configurations
13. Recover operations:
14. Restore from clean backups
15. Verify system integrity
16. Monitor for recurrence
17. Conduct post-mortem:
18. Timeline reconstruction
19. Root cause analysis
20. Lessons learned
21. Implement improvements:
22. Update detection rules
23. Enhance controls
24. Update runbooks
25. Document and report
26. Validation: Threat contained; root cause eliminated; systems recovered; post-mortem complete; improvements implemented

Incident Severity Levels

Level	Response Time	Escalation
P1 - Critical (active breach/exfiltration)	Immediate	CISO, Legal, Executive
P2 - High (confirmed, contained)	1 hour	Security Lead, IT Director
P3 - Medium (potential, under investigation)	4 hours	Security Team
P4 - Low (suspicious, low impact)	24 hours	On-call engineer

Incident Response Checklist

Phase	Actions
Identification	Validate alert, assess scope, determine severity
Containment	Isolate systems, preserve evidence, block access
Eradication	Remove threat, patch vulnerabilities, reset credentials
Recovery	Restore services, verify integrity, increase monitoring
Lessons Learned	Document timeline, identify gaps, update procedures

---

Security Tools Reference

Recommended Security Tools

Category	Tools
SAST	Semgrep, CodeQL, Bandit (Python), ESLint security plugins
DAST	OWASP ZAP, Burp Suite, Nikto
Dependency Scanning	Snyk, Dependabot, npm audit, pip-audit
Secret Detection	GitLeaks, TruffleHog, detect-secrets
Container Security	Trivy, Clair, Anchore
Infrastructure	Checkov, tfsec, ScoutSuite
Network	Wireshark, Nmap, Masscan
Penetration	Metasploit, sqlmap, Burp Suite Pro

Cryptographic Algorithm Selection

Use Case	Algorithm	Key Size
Symmetric encryption	AES-256-GCM	256 bits
Password hashing	Argon2id	N/A (use defaults)
Message authentication	HMAC-SHA256	256 bits
Digital signatures	Ed25519	256 bits
Key exchange	X25519	256 bits
TLS	TLS 1.3	N/A

See: references/cryptography-implementation.md

---

Tools and References

Scripts

Script	Purpose
threat_modeler.py	STRIDE threat analysis with DREAD risk scoring; JSON and text output; interactive guided mode
secret_scanner.py	Detect hardcoded secrets and credentials across 20+ patterns; CI/CD integration ready

For usage, see the inline code examples in Secure Code Review Workflow and the script source files directly.

References

Document	Content
security-architecture-patterns.md	Zero Trust, defense-in-depth, authentication patterns, API security
threat-modeling-guide.md	STRIDE methodology, attack trees, DREAD scoring, DFD creation
cryptography-implementation.md	AES-GCM, RSA, Ed25519, password hashing, key management

---

Security Standards Reference

Security Headers Checklist

Header	Recommended Value
Content-Security-Policy	default-src self; script-src self
X-Frame-Options	DENY
X-Content-Type-Options	nosniff
Strict-Transport-Security	max-age=31536000; includeSubDomains
Referrer-Policy	strict-origin-when-cross-origin
Permissions-Policy	geolocation=(), microphone=(), camera=()

For compliance framework requirements (OWASP ASVS, CIS Benchmarks, NIST CSF, PCI-DSS, HIPAA, SOC 2), refer to the respective official documentation.

---

Related Skills

Skill	Integration Point
senior-devops	CI/CD security, infrastructure hardening
senior-secops	Security monitoring, incident response
senior-backend	Secure API development
senior-architect	Security architecture decisions