Agent Skills: Security Engineering

Security architecture and implementation patterns. Use when designing

Category: Uncategorized
ID: 89jobrien/steve/security-engineering

Install this agent skill to your local

pnpm dlx add-skill https://github.com/89jobrien/steve/tree/HEAD/steve/skills/security-engineering

Skill Files


steve/skills/security-engineering/SKILL.md

Skill Metadata

Name
security-engineering
Description
Security architecture and implementation patterns. Use when designing

Security Engineering

Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

When to Use This Skill

  • Designing security architecture
  • Implementing authentication and authorization
  • Conducting threat modeling
  • Security code review
  • Implementing compliance controls (SOC2, HIPAA, PCI-DSS)
  • Incident response planning
  • Security monitoring and alerting

Security Architecture

Defense in Depth

Layer security controls at multiple levels:

| Layer | Controls |
|-------|----------|
| Perimeter | Firewall, WAF, DDoS protection |
| Network | Segmentation, IDS/IPS, VPN |
| Host | Hardening, EDR, patch management |
| Application | Input validation, secure coding, SAST/DAST |
| Data | Encryption, access control, DLP |
| Identity | MFA, SSO, privileged access management |

Zero Trust Architecture

Core Principles:

  1. Never trust, always verify
  2. Assume breach mentality
  3. Least privilege access
  4. Micro-segmentation
  5. Continuous verification

Implementation:

  • Identity-based access (not network-based)
  • Device health verification
  • Continuous authentication
  • Encrypted communications everywhere
  • Detailed logging and monitoring

Authentication Patterns

OAuth 2.0 / OIDC

Grant Types:

| Grant | Use Case |
|-------|----------|
| Authorization Code + PKCE | Web/mobile apps |
| Client Credentials | Service-to-service |
| Device Code | CLI tools, IoT |

The implicit and resource-owner-password grants are left out on purpose: both are removed in the OAuth 2.1 draft, and PKCE is required for the authorization code grant there for every client type, not only public ones.

Token Best Practices:

  • Short-lived access tokens (15 min - 1 hour)
  • Secure refresh token storage
  • Refresh token rotation on use, with reuse detection (a replayed, already-rotated refresh token revokes the whole token family)
  • Revocation capabilities

Session Management

  • Secure, HttpOnly, SameSite cookies
  • Session timeout (idle and absolute)
  • Session invalidation on logout
  • Concurrent session limits
  • Session binding to a device identifier; bind to IP only as a risk signal, since IP changes are routine for mobile and NAT'd users and a hard IP check logs them out
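The server-side half of the list above, as an added example that is not part of this skill's own files: a session store with separate idle and absolute timeouts, a per-user concurrent-session cap, server-side invalidation on logout, and the cookie attributes the first bullet names. The `device_id` field is an assumed, application-supplied device identifier; the timeout values are illustrative.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies (illustrative)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime; activity never extends this (illustrative)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    device_id: Optional[str] = None   # assumed app-supplied device identifier, if the app binds to one


class SessionStore:
    """Server-side session table. IDs are random, expiry is enforced here, and logout
    removes the server record (clearing the cookie alone invalidates nothing)."""

    def __init__(self, max_per_user: int = 3):
        self._sessions: Dict[str, Session] = {}
        self._max_per_user = max_per_user

    def create(self, user_id: str, now: float, device_id: Optional[str] = None) -> str:
        # Concurrent-session limit: evict this user's oldest sessions to make room.
        mine = sorted((s.created_at, sid) for sid, s in self._sessions.items() if s.user_id == user_id)
        while len(mine) >= self._max_per_user:
            self._sessions.pop(mine.pop(0)[1])
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(user_id, now, now, device_id)
        return sid

    def validate(self, sid: str, now: float, device_id: Optional[str] = None) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.created_at > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid)          # expired: invalidate server-side, not just refuse
            return None
        if s.device_id is not None and device_id != s.device_id:
            self._sessions.pop(sid)          # presented from another device: treat as stolen
            return None
        s.last_seen = now                    # activity extends the idle window only
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie header value. The __Host- prefix forces Secure, Path=/ and no Domain;
    HttpOnly keeps the ID away from script; SameSite=Strict stops cross-site sends; no
    Max-Age makes it a browser-session cookie (the server still enforces the real timeouts)."""
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The absolute timeout is the check most implementations forget: refreshing `last_seen` on every request must never push `created_at`, otherwise a stolen session that is kept warm lives forever.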

Multi-Factor Authentication

  • TOTP (authenticator apps)
  • WebAuthn/FIDO2 (hardware keys)
  • Push notifications
  • SMS (last resort, vulnerable to SIM swap)

Authorization Patterns

RBAC (Role-Based Access Control)

Users → Roles → Permissions

Best for: Well-defined organizational hierarchies

ABAC (Attribute-Based Access Control)

If user.department == "engineering" AND
   resource.classification == "internal" AND
   time.hour BETWEEN 9 AND 17
THEN allow

Best for: Complex, dynamic access requirements

Policy as Code

Use OPA/Rego or Cedar for externalized policy:

  • Version controlled policies
  • Testable access rules
  • Audit trail
  • Separation of concerns
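The ABAC rule above and the "testable access rules" bullet, carried through in an added example that is not part of this skill's own files. OPA/Rego and Cedar are the tools the page names; this is a stand-in evaluator in Python that keeps the properties that matter (default deny, deny-overrides, every rule a named function you can unit test) so the same policy can be read and checked without a policy server. The extra owner and device rules are assumptions added for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class Request:
    user: Attrs
    resource: Attrs
    action: str
    env: Attrs


Rule = Callable[[Request], bool]


class PolicyEngine:
    """Default-deny evaluator: a request is allowed only if some allow rule matches and no
    deny rule matches. Returns the matched rule name so decisions are auditable."""

    def __init__(self) -> None:
        self._allow: List[Tuple[str, Rule]] = []
        self._deny: List[Tuple[str, Rule]] = []

    def allow(self, name: str, rule: Rule) -> None:
        self._allow.append((name, rule))

    def deny(self, name: str, rule: Rule) -> None:
        self._deny.append((name, rule))

    def decide(self, req: Request) -> Tuple[bool, str]:
        for name, rule in self._deny:          # deny rules are evaluated first and win
            if rule(req):
                return False, f"deny:{name}"
        for name, rule in self._allow:
            if rule(req):
                return True, f"allow:{name}"
        return False, "default-deny"           # nothing matched: never fall open


def build_policy() -> PolicyEngine:
    p = PolicyEngine()
    # The page's rule: engineering staff may read internal resources during office hours.
    # Missing attributes evaluate to "no match", never to "allow".
    p.allow("eng-internal-office-hours", lambda r:
            r.action == "read"
            and r.user.get("department") == "engineering"
            and r.resource.get("classification") == "internal"
            and 9 <= r.env.get("hour", -1) <= 17)
    # Assumed extra rule: the owner of a resource may read or write it at any time.
    p.allow("owner", lambda r:
            r.resource.get("owner") == r.user.get("id") and r.action in ("read", "write"))
    # Assumed deny overrides: disabled accounts, and restricted data from unmanaged devices.
    p.deny("disabled-account", lambda r: bool(r.user.get("disabled", False)))
    p.deny("restricted-unmanaged-device", lambda r:
           r.resource.get("classification") == "restricted"
           and not r.env.get("managed_device", False))
    return p
```

Because the rules are data-independent functions, the policy's tests are ordinary unit tests and run in CI on every change, which is the practical meaning of "version controlled, testable, audit trail" in the list above.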

Secure Development

OWASP Top 10 Mitigations

| Risk | Mitigation |
|------|------------|
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong password policy, MFA, rate limiting |
| Sensitive Data | Encryption, minimal data collection |
| XXE | Disable external entities |
| Broken Access | Authorization checks, default deny |
| Misconfig | Secure defaults, hardening guides |
| XSS | Output encoding, CSP |
| Deserialization | Integrity checks, avoid untrusted data |
| Components | Dependency scanning, updates |
| Logging | Centralized logging, alerting |

This is the 2017 edition of the list. The 2021 edition folds XXE into Security Misconfiguration, XSS into Injection and Insecure Deserialization into Software and Data Integrity Failures, renames Sensitive Data Exposure to Cryptographic Failures, and adds Insecure Design and SSRF; the mitigations above still apply.
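The first and seventh rows side by side, as an added example that is not part of this skill's own files: the vulnerable string-built query next to its parameterized form, run against a constructed in-memory SQLite table; an allowlist for the one part of a statement (identifiers) that parameters cannot bind; and HTML output encoding, which is the same move for XSS. The table, rows and payload are all constructed for the example.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    # VULNERABLE, kept for contrast: user input is spliced into the SQL text, so a value
    # such as  ' OR '1'='1  rewrites the WHERE clause and matches every row.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    # Parameterized: the value travels separately from the statement and is only ever
    # compared as data, whatever characters it contains. No escaping is involved.
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


ALLOWED_SORT = {"id", "username"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[Tuple[int, str]]:
    # Identifiers (column and table names) cannot be bound as parameters; the safe
    # pattern is a fixed allowlist, not escaping or a "looks alphanumeric" regex.
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"invalid sort column: {sort_by!r}")
    return conn.execute(f"SELECT id, username FROM users ORDER BY {sort_by}").fetchall()


def render_comment(text: str) -> str:
    # XSS counterpart of parameterization: encode for the HTML element context at
    # output time, so the browser treats user text as text, not markup.
    return f"<p>{html.escape(text, quote=True)}</p>"


TAUTOLOGY = "' OR '1'='1"   # constructed classic injection payload
```

Note the asymmetry in the two injection functions: the safe version has no "validation" at all. Input validation (the second half of the table's mitigation) is for business rules; the query is protected by the driver keeping code and data apart.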

Security Testing

SAST (Static Analysis):

  • Run on every commit
  • Block high-severity findings
  • Tools: Semgrep, CodeQL, SonarQube

DAST (Dynamic Analysis):

  • Run against staging/dev
  • Tools: OWASP ZAP, Burp Suite

Dependency Scanning:

  • Check for known vulnerabilities
  • Tools: Snyk, Dependabot, npm audit

Secrets Management

Never:

  • Commit secrets to git
  • Log secrets
  • Pass secrets in URLs
  • Hardcode secrets

Do:

  • Use secret managers (Vault, AWS Secrets Manager)
  • Rotate secrets regularly
  • Audit secret access
  • Use short-lived credentials
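A pre-commit check for the first "Never" above, as an added example that is not part of this skill's own files: pattern matches for a few well-known credential formats plus a Shannon-entropy test on long values assigned to secret-looking names, run over constructed sample lines. The patterns are assumptions drawn from the public formats (AWS access key IDs start with `AKIA`, GitHub classic tokens with `ghp_`); the sample key is the one AWS uses in its own documentation and is not live.

```python
import math
import re
from typing import List, Tuple

# Known credential formats (assumed from the public format descriptions).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # user:password@ inside any URL scheme: the "never pass secrets in URLs" case
    "url-embedded-credential": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@"),
}
# Generic backstop: a long token assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)\b(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})")


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and repeats score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines: List[str], entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line number, finding type) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high-entropy-assignment"))
    return findings


# Constructed sample of a staged diff; nothing here is a real credential.
SAMPLE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          # AWS documentation example key
    "db_url = 'postgres://app:hunter2@db.internal/app'",   # credential in a URL
    "api_key = 'xK9fT2vQ8mL1pR4sW7zN3bY6hJ0cV5dA'",        # random-looking token
    "retries = 3",
    "password = 'password'",                               # weak, but short: not caught
]

if __name__ == "__main__":
    for lineno, kind in scan_lines(SAMPLE):
        print(f"line {lineno}: {kind}")
```

The last sample line shows the limit of this kind of check: it finds credentials that look like credentials. It is a backstop for the "never" list, not a substitute for keeping secrets in a manager and out of the repository in the first place.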

Compliance Frameworks

Common Requirements

| Framework | Focus Area |
|-----------|------------|
| SOC 2 | Trust services (security, availability, etc.) |
| HIPAA | Healthcare data protection |
| PCI-DSS | Payment card data |
| GDPR | EU personal data protection |
| ISO 27001 | Information security management |

Key Controls

  • Access control and authentication
  • Encryption (at rest and in transit)
  • Logging and monitoring
  • Incident response procedures
  • Business continuity planning
  • Vendor management
  • Employee security training

Incident Response

Response Phases

  1. Preparation: Runbooks, tools, training
  2. Detection: Monitoring, alerting, triage
  3. Containment: Isolate, preserve evidence
  4. Eradication: Remove threat, patch vulnerabilities
  5. Recovery: Restore services, verify clean
  6. Lessons Learned: Post-mortem, improvements

Severity Levels

| Level | Description | Response Time |
|-------|-------------|---------------|
| P1 | Active breach, data exfiltration | Immediate |
| P2 | Vulnerability being exploited | < 4 hours |
| P3 | High-risk vulnerability discovered | < 24 hours |
| P4 | Security improvement needed | Next sprint |

Reference Files

  • references/threat_modeling.md - STRIDE methodology and examples
  • references/compliance_controls.md - Framework-specific control mappings

Integration with Other Skills

  • cloud-infrastructure - For cloud security
  • debugging - For security incident investigation
  • testing - For security testing patterns