Agent Skills: Senior SecOps Engineer

Senior SecOps Engineer

Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.

Table of Contents

• Trigger Terms
• Core Capabilities
• Workflows
• Tool Reference
• Security Standards
• Compliance Frameworks
• Best Practices

Trigger Terms

Use this skill when you encounter:

| Category | Terms | |----------|-------| | Vulnerability Management | CVE, CVSS, vulnerability scan, security patch, dependency audit, npm audit, pip-audit | | OWASP Top 10 | injection, XSS, CSRF, broken authentication, security misconfiguration, sensitive data exposure | | Compliance | SOC 2, PCI-DSS, HIPAA, GDPR, compliance audit, security controls, access control | | Secure Coding | input validation, output encoding, parameterized queries, prepared statements, sanitization | | Secrets Management | API key, secrets vault, environment variables, HashiCorp Vault, AWS Secrets Manager | | Authentication | JWT, OAuth, MFA, 2FA, TOTP, password hashing, bcrypt, argon2, session management | | Security Testing | SAST, DAST, penetration test, security scan, Snyk, Semgrep, CodeQL, Trivy | | Incident Response | security incident, breach notification, incident response, forensics, containment | | Network Security | TLS, HTTPS, HSTS, CSP, CORS, security headers, firewall rules, WAF | | Infrastructure Security | container security, Kubernetes security, IAM, least privilege, zero trust | | Cryptography | encryption at rest, encryption in transit, AES-256, RSA, key management, KMS | | Monitoring | security monitoring, SIEM, audit logging, intrusion detection, anomaly detection |

Core Capabilities

1. Security Scanner

Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.

# Scan project for security issues
python scripts/security_scanner.py /path/to/project

# Filter by severity
python scripts/security_scanner.py /path/to/project --severity high

# JSON output for CI/CD
python scripts/security_scanner.py /path/to/project --json --output report.json

Detects:

• Hardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys)
• SQL injection patterns (string concatenation, f-strings, template literals)
• XSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns)
• Command injection (shell=True, exec, eval with user input)
• Path traversal (file operations with user input)

2. Vulnerability Assessor

Scan dependencies for known CVEs across npm, Python, and Go ecosystems.

# Assess project dependencies
python scripts/vulnerability_assessor.py /path/to/project

# Critical/high only
python scripts/vulnerability_assessor.py /path/to/project --severity high

# Export vulnerability report
python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json

Scans:

• package.json and package-lock.json (npm)
• requirements.txt and pyproject.toml (Python)
• go.mod (Go)

Output:

• CVE IDs with CVSS scores
• Affected package versions
• Fixed versions for remediation
• Overall risk score (0-100)

3. Compliance Checker

Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.

# Check all frameworks
python scripts/compliance_checker.py /path/to/project

# Specific framework
python scripts/compliance_checker.py /path/to/project --framework soc2
python scripts/compliance_checker.py /path/to/project --framework pci-dss
python scripts/compliance_checker.py /path/to/project --framework hipaa
python scripts/compliance_checker.py /path/to/project --framework gdpr

# Export compliance report
python scripts/compliance_checker.py /path/to/project --json --output compliance.json

Verifies:

• Access control implementation
• Encryption at rest and in transit
• Audit logging
• Authentication strength (MFA, password hashing)
• Security documentation
• CI/CD security controls

Workflows

Workflow 1: Security Audit

Complete security assessment of a codebase.

# Step 1: Scan for code vulnerabilities
python scripts/security_scanner.py . --severity medium

# Step 2: Check dependency vulnerabilities
python scripts/vulnerability_assessor.py . --severity high

# Step 3: Verify compliance controls
python scripts/compliance_checker.py . --framework all

# Step 4: Generate combined report
python scripts/security_scanner.py . --json --output security.json
python scripts/vulnerability_assessor.py . --json --output vulns.json
python scripts/compliance_checker.py . --json --output compliance.json

Workflow 2: CI/CD Security Gate

Integrate security checks into deployment pipeline.

# .github/workflows/security.yml
name: Security Scan

on:
  pull_request:
    branches: [main, develop]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Security Scanner
        run: python scripts/security_scanner.py . --severity high

      - name: Vulnerability Assessment
        run: python scripts/vulnerability_assessor.py . --severity critical

      - name: Compliance Check
        run: python scripts/compliance_checker.py . --framework soc2

Workflow 3: CVE Triage

Respond to a new CVE affecting your application.

1. ASSESS (0-2 hours)
   - Identify affected systems using vulnerability_assessor.py
   - Check if CVE is being actively exploited
   - Determine CVSS environmental score for your context

2. PRIORITIZE
   - Critical (CVSS 9.0+, internet-facing): 24 hours
   - High (CVSS 7.0-8.9): 7 days
   - Medium (CVSS 4.0-6.9): 30 days
   - Low (CVSS < 4.0): 90 days

3. REMEDIATE
   - Update affected dependency to fixed version
   - Run security_scanner.py to verify fix
   - Test for regressions
   - Deploy with enhanced monitoring

4. VERIFY
   - Re-run vulnerability_assessor.py
   - Confirm CVE no longer reported
   - Document remediation actions

Workflow 4: Incident Response

Security incident handling procedure.

PHASE 1: DETECT & IDENTIFY (0-15 min)
- Alert received and acknowledged
- Initial severity assessment (SEV-1 to SEV-4)
- Incident commander assigned
- Communication channel established

PHASE 2: CONTAIN (15-60 min)
- Affected systems identified
- Network isolation if needed
- Credentials rotated if compromised
- Preserve evidence (logs, memory dumps)

PHASE 3: ERADICATE (1-4 hours)
- Root cause identified
- Malware/backdoors removed
- Vulnerabilities patched (run security_scanner.py)
- Systems hardened

PHASE 4: RECOVER (4-24 hours)
- Systems restored from clean backup
- Services brought back online
- Enhanced monitoring enabled
- User access restored

PHASE 5: POST-INCIDENT (24-72 hours)
- Incident timeline documented
- Root cause analysis complete
- Lessons learned documented
- Preventive measures implemented
- Stakeholder report delivered

Tool Reference

security_scanner.py

| Option | Description | |--------|-------------| | target | Directory or file to scan | | --severity, -s | Minimum severity: critical, high, medium, low | | --verbose, -v | Show files as they're scanned | | --json | Output results as JSON | | --output, -o | Write results to file |

Exit Codes:

• 0: No critical/high findings
• 1: High severity findings
• 2: Critical severity findings

vulnerability_assessor.py

| Option | Description | |--------|-------------| | target | Directory containing dependency files | | --severity, -s | Minimum severity: critical, high, medium, low | | --verbose, -v | Show files as they're scanned | | --json | Output results as JSON | | --output, -o | Write results to file |

Exit Codes:

• 0: No critical/high vulnerabilities
• 1: High severity vulnerabilities
• 2: Critical severity vulnerabilities

compliance_checker.py

| Option | Description | |--------|-------------| | target | Directory to check | | --framework, -f | Framework: soc2, pci-dss, hipaa, gdpr, all | | --verbose, -v | Show checks as they run | | --json | Output results as JSON | | --output, -o | Write results to file |

Exit Codes:

• 0: Compliant (90%+ score)
• 1: Non-compliant (50-69% score)
• 2: Critical gaps (<50% score)

Security Standards

OWASP Top 10 Prevention

| Vulnerability | Prevention | |--------------|------------| | A01: Broken Access Control | Implement RBAC, deny by default, validate permissions server-side | | A02: Cryptographic Failures | Use TLS 1.2+, AES-256 encryption, secure key management | | A03: Injection | Parameterized queries, input validation, escape output | | A04: Insecure Design | Threat modeling, secure design patterns, defense in depth | | A05: Security Misconfiguration | Hardening guides, remove defaults, disable unused features | | A06: Vulnerable Components | Dependency scanning, automated updates, SBOM | | A07: Authentication Failures | MFA, rate limiting, secure password storage | | A08: Data Integrity Failures | Code signing, integrity checks, secure CI/CD | | A09: Security Logging Failures | Comprehensive audit logs, SIEM integration, alerting | | A10: SSRF | URL validation, allowlist destinations, network segmentation |

Secure Coding Checklist

## Input Validation
- [ ] Validate all input on server side
- [ ] Use allowlists over denylists
- [ ] Sanitize for specific context (HTML, SQL, shell)

## Output Encoding
- [ ] HTML encode for browser output
- [ ] URL encode for URLs
- [ ] JavaScript encode for script contexts

## Authentication
- [ ] Use bcrypt/argon2 for passwords
- [ ] Implement MFA for sensitive operations
- [ ] Enforce strong password policy

## Session Management
- [ ] Generate secure random session IDs
- [ ] Set HttpOnly, Secure, SameSite flags
- [ ] Implement session timeout (15 min idle)

## Error Handling
- [ ] Log errors with context (no secrets)
- [ ] Return generic messages to users
- [ ] Never expose stack traces in production

## Secrets Management
- [ ] Use environment variables or secrets manager
- [ ] Never commit secrets to version control
- [ ] Rotate credentials regularly

Compliance Frameworks

SOC 2 Type II Controls

| Control | Category | Description | |---------|----------|-------------| | CC1 | Control Environment | Security policies, org structure | | CC2 | Communication | Security awareness, documentation | | CC3 | Risk Assessment | Vulnerability scanning, threat modeling | | CC6 | Logical Access | Authentication, authorization, MFA | | CC7 | System Operations | Monitoring, logging, incident response | | CC8 | Change Management | CI/CD, code review, deployment controls |

PCI-DSS v4.0 Requirements

| Requirement | Description | |-------------|-------------| | Req 3 | Protect stored cardholder data (encryption at rest) | | Req 4 | Encrypt transmission (TLS 1.2+) | | Req 6 | Secure development (input validation, secure coding) | | Req 8 | Strong authentication (MFA, password policy) | | Req 10 | Audit logging (all access to cardholder data) | | Req 11 | Security testing (SAST, DAST, penetration testing) |

HIPAA Security Rule

| Safeguard | Requirement | |-----------|-------------| | 164.312(a)(1) | Unique user identification for PHI access | | 164.312(b) | Audit trails for PHI access | | 164.312(c)(1) | Data integrity controls | | 164.312(d) | Person/entity authentication (MFA) | | 164.312(e)(1) | Transmission encryption (TLS) |

GDPR Requirements

| Article | Requirement | |---------|-------------| | Art 25 | Privacy by design, data minimization | | Art 32 | Security measures, encryption, pseudonymization | | Art 33 | Breach notification (72 hours) | | Art 17 | Right to erasure (data deletion) | | Art 20 | Data portability (export capability) |

Best Practices

Secrets Management

# BAD: Hardcoded secret
API_KEY = "sk-1234567890abcdef"

# GOOD: Environment variable
import os
API_KEY = os.environ.get("API_KEY")

# BETTER: Secrets manager
from your_vault_client import get_secret
API_KEY = get_secret("api/key")

SQL Injection Prevention

# BAD: String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"

# GOOD: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

XSS Prevention

// BAD: Direct innerHTML assignment is vulnerable
// GOOD: Use textContent (auto-escaped)
element.textContent = userInput;

// GOOD: Use sanitization library for HTML
import DOMPurify from 'dompurify';
const safeHTML = DOMPurify.sanitize(userInput);

Authentication

// Password hashing
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12;

// Hash password
const hash = await bcrypt.hash(password, SALT_ROUNDS);

// Verify password
const match = await bcrypt.compare(password, hash);

Security Headers

// Express.js security headers
const helmet = require('helmet');
app.use(helmet());

// Or manually set headers:
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  next();
});

Reference Documentation

| Document | Description | |----------|-------------| | references/security_standards.md | OWASP Top 10, secure coding, authentication, API security | | references/vulnerability_management_guide.md | CVE triage, CVSS scoring, remediation workflows | | references/compliance_requirements.md | SOC 2, PCI-DSS, HIPAA, GDPR requirements |

Tech Stack

Security Scanning:

• Snyk (dependency scanning)
• Semgrep (SAST)
• CodeQL (code analysis)
• Trivy (container scanning)
• OWASP ZAP (DAST)

Secrets Management:

• HashiCorp Vault
• AWS Secrets Manager
• Azure Key Vault
• 1Password Secrets Automation

Authentication:

• bcrypt, argon2 (password hashing)
• jsonwebtoken (JWT)
• passport.js (authentication middleware)
• speakeasy (TOTP/MFA)

Logging & Monitoring:

• Winston, Pino (Node.js logging)
• Datadog, Splunk (SIEM)
• PagerDuty (alerting)

Compliance:

• Vanta (SOC 2 automation)
• Drata (compliance management)
• AWS Config (configuration compliance)