Senior Security

# Senior Security Engineer

Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing.

---

Table of Contents

• Threat Modeling Workflow
• Security Architecture Workflow
• Vulnerability Assessment Workflow
• Secure Code Review Workflow
• Incident Response Workflow
• Security Tools Reference
• Tools and References

---

Threat Modeling Workflow

Identify and analyze security threats using STRIDE methodology.

Workflow: Conduct Threat Model

1. Define system scope and boundaries:
2. - Identify assets to protect
3. - Map trust boundaries
4. - Document data flows
5. Create data flow diagram:
6. - External entities (users, services)
7. - Processes (application components)
8. - Data stores (databases, caches)
9. - Data flows (APIs, network connections)
10. Apply STRIDE to each DFD element (see STRIDE per Element Matrix below)
11. Score risks using DREAD:
12. - Damage potential (1-10)
13. - Reproducibility (1-10)
14. - Exploitability (1-10)
15. - Affected users (1-10)
16. - Discoverability (1-10)
17. Prioritize threats by risk score
18. Define mitigations for each threat
19. Document in threat model report
20. Validation: All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped

STRIDE Threat Categories

| Category | Security Property | Mitigation Focus | |----------|-------------------|------------------| | Spoofing | Authentication | MFA, certificates, strong auth | | Tampering | Integrity | Signing, checksums, validation | | Repudiation | Non-repudiation | Audit logs, digital signatures | | Information Disclosure | Confidentiality | Encryption, access controls | | Denial of Service | Availability | Rate limiting, redundancy | | Elevation of Privilege | Authorization | RBAC, least privilege |

STRIDE per Element Matrix

| DFD Element | S | T | R | I | D | E | |-------------|---|---|---|---|---|---| | External Entity | X | | X | | | | | Process | X | X | X | X | X | X | | Data Store | | X | X | X | X | | | Data Flow | | X | | X | X | |

See: references/threat-modeling-guide.md

---

Security Architecture Workflow

Design secure systems using defense-in-depth principles.

Workflow: Design Secure Architecture

1. Define security requirements:
2. - Compliance requirements (GDPR, HIPAA, PCI-DSS)
3. - Data classification (public, internal, confidential, restricted)
4. - Threat model inputs
5. Apply defense-in-depth layers:
6. - Perimeter: WAF, DDoS protection, rate limiting
7. - Network: Segmentation, IDS/IPS, mTLS
8. - Host: Patching, EDR, hardening
9. - Application: Input validation, authentication, secure coding
10. - Data: Encryption at rest and in transit
11. Implement Zero Trust principles:
12. - Verify explicitly (every request)
13. - Least privilege access (JIT/JEA)
14. - Assume breach (segment, monitor)
15. Configure authentication and authorization:
16. - Identity provider selection
17. - MFA requirements
18. - RBAC/ABAC model
19. Design encryption strategy:
20. - Key management approach
21. - Algorithm selection
22. - Certificate lifecycle
23. Plan security monitoring:
24. - Log aggregation
25. - SIEM integration
26. - Alerting rules
27. Document architecture decisions
28. Validation: Defense-in-depth layers defined; Zero Trust applied; encryption strategy documented; monitoring planned

Defense-in-Depth Layers

``` Layer 1: PERIMETER WAF, DDoS mitigation, DNS filtering, rate limiting

Layer 2: NETWORK Segmentation, IDS/IPS, network monitoring, VPN, mTLS

Layer 3: HOST Endpoint protection, OS hardening, patching, logging

Layer 4: APPLICATION Input validation, authentication, secure coding, SAST

Layer 5: DATA Encryption at rest/transit, access controls, DLP, backup ```

Authentication Pattern Selection

| Use Case | Recommended Pattern | |----------|---------------------| | Web application | OAuth 2.0 + PKCE with OIDC | | API authentication | JWT with short expiration + refresh tokens | | Service-to-service | mTLS with certificate rotation | | CLI/Automation | API keys with IP allowlisting | | High security | FIDO2/WebAuthn hardware keys |

See: references/security-architecture-patterns.md

---

Vulnerability Assessment Workflow

Identify and remediate security vulnerabilities in applications.

Workflow: Conduct Vulnerability Assessment

1. Define assessment scope:
2. - In-scope systems and applications
3. - Testing methodology (black box, gray box, white box)
4. - Rules of engagement
5. Gather information:
6. - Technology stack inventory
7. - Architecture documentation
8. - Previous vulnerability reports
9. Perform automated scanning:
10. - SAST (static analysis)
11. - DAST (dynamic analysis)
12. - Dependency scanning
13. - Secret detection
14. Conduct manual testing:
15. - Business logic flaws
16. - Authentication bypass
17. - Authorization issues
18. - Injection vulnerabilities
19. Classify findings by severity:
20. - Critical: Immediate exploitation risk
21. - High: Significant impact, easier to exploit
22. - Medium: Moderate impact or difficulty
23. - Low: Minor impact
24. Develop remediation plan:
25. - Prioritize by risk
26. - Assign owners
27. - Set deadlines
28. Verify fixes and document
29. Validation: Scope defined; automated and manual testing complete; findings classified; remediation tracked

For OWASP Top 10 vulnerability descriptions and testing guidance, refer to owasp.org/Top10.

Vulnerability Severity Matrix

| Impact \ Exploitability | Easy | Moderate | Difficult | |-------------------------|------|----------|-----------| | Critical | Critical | Critical | High | | High | Critical | High | Medium | | Medium | High | Medium | Low | | Low | Medium | Low | Low |

---

Secure Code Review Workflow

Review code for security vulnerabilities before deployment.

Workflow: Conduct Security Code Review

1. Establish review scope:
2. - Changed files and functions
3. - Security-sensitive areas (auth, crypto, input handling)
4. - Third-party integrations
5. Run automated analysis:
6. - SAST tools (Semgrep, CodeQL, Bandit)
7. - Secret scanning
8. - Dependency vulnerability check
9. Review authentication code:
10. - Password handling (hashing, storage)
11. - Session management
12. - Token validation
13. Review authorization code:
14. - Access control checks
15. - RBAC implementation
16. - Privilege boundaries
17. Review data handling:
18. - Input validation
19. - Output encoding
20. - SQL query construction
21. - File path handling
22. Review cryptographic code:
23. - Algorithm selection
24. - Key management
25. - Random number generation
26. Document findings with severity
27. Validation: Automated scans passed; auth/authz reviewed; data handling checked; crypto verified; findings documented

Security Code Review Checklist

| Category | Check | Risk | |----------|-------|------| | Input Validation | All user input validated and sanitized | Injection | | Output Encoding | Context-appropriate encoding applied | XSS | | Authentication | Passwords hashed with Argon2/bcrypt | Credential theft | | Session | Secure cookie flags set (HttpOnly, Secure, SameSite) | Session hijacking | | Authorization | Server-side permission checks on all endpoints | Privilege escalation | | SQL | Parameterized queries used exclusively | SQL injection | | File Access | Path traversal sequences rejected | Path traversal | | Secrets | No hardcoded credentials or keys | Information disclosure | | Dependencies | Known vulnerable packages updated | Supply chain | | Logging | Sensitive data not logged | Information disclosure |

Secure vs Insecure Patterns

| Pattern | Issue | Secure Alternative | |---------|-------|-------------------| | SQL string formatting | SQL injection | Use parameterized queries with placeholders | | Shell command building | Command injection | Use subprocess with argument lists, no shell | | Path concatenation | Path traversal | Validate and canonicalize paths | | MD5/SHA1 for passwords | Weak hashing | Use Argon2id or bcrypt | | Math.random for tokens | Predictable values | Use crypto.getRandomValues |

Inline Code Examples

SQL Injection — insecure vs. secure (Python):

```python # ❌ Insecure: string formatting allows SQL injection query = f"SELECT * FROM users WHERE username = '{username}'" cursor.execute(query)

# ✅ Secure: parameterized query — user input never interpreted as SQL query = "SELECT * FROM users WHERE username = %s" cursor.execute(query, (username,)) ```

Password Hashing with Argon2id (Python):

```python from argon2 import PasswordHasher

ph = PasswordHasher() # uses secure defaults (time_cost, memory_cost)

# On registration hashed = ph.hash(plain_password)

# On login — raises argon2.exceptions.VerifyMismatchError on failure ph.verify(hashed, plain_password) ```

Secret Scanning — core pattern matching (Python):

```python import re, pathlib

SECRET_PATTERNS = { "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"), "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"), "private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"), "generic_secret": re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\']?\S{8,}'), }

def scan_file(path: pathlib.Path) -> list[dict]: findings = [] for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1): for name, pattern in SECRET_PATTERNS.items(): if pattern.search(line): findings.append({"file": str(path), "line": lineno, "type": name}) return findings ```

---

Incident Response Workflow

Respond to and contain security incidents.

Workflow: Handle Security Incident

1. Identify and triage:
2. - Validate incident is genuine
3. - Assess initial scope and severity
4. - Activate incident response team
5. Contain the threat:
6. - Isolate affected systems
7. - Block malicious IPs/accounts
8. - Disable compromised credentials
9. Eradicate root cause:
10. - Remove malware/backdoors
11. - Patch vulnerabilities
12. - Update configurations
13. Recover operations:
14. - Restore from clean backups
15. - Verify system integrity
16. - Monitor for recurrence
17. Conduct post-mortem:
18. - Timeline reconstruction
19. - Root cause analysis
20. - Lessons learned
21. Implement improvements:
22. - Update detection rules
23. - Enhance controls
24. - Update runbooks
25. Document and report
26. Validation: Threat contained; root cause eliminated; systems recovered; post-mortem complete; improvements implemented

Incident Severity Levels

| Level | Response Time | Escalation | |-------|---------------|------------| | P1 - Critical (active breach/exfiltration) | Immediate | CISO, Legal, Executive | | P2 - High (confirmed, contained) | 1 hour | Security Lead, IT Director | | P3 - Medium (potential, under investigation) | 4 hours | Security Team | | P4 - Low (suspicious, low impact) | 24 hours | On-call engineer |

Incident Response Checklist

| Phase | Actions | |-------|---------| | Identification | Validate alert, assess scope, determine severity | | Containment | Isolate systems, preserve evidence, block access | | Eradication | Remove threat, patch vulnerabilities, reset credentials | | Recovery | Restore services, verify integrity, increase monitoring | | Lessons Learned | Document timeline, identify gaps, update procedures |

---

Security Tools Reference

Recommended Security Tools

| Category | Tools | |----------|-------| | SAST | Semgrep, CodeQL, Bandit (Python), ESLint security plugins | | DAST | OWASP ZAP, Burp Suite, Nikto | | Dependency Scanning | Snyk, Dependabot, npm audit, pip-audit | | Secret Detection | GitLeaks, TruffleHog, detect-secrets | | Container Security | Trivy, Clair, Anchore | | Infrastructure | Checkov, tfsec, ScoutSuite | | Network | Wireshark, Nmap, Masscan | | Penetration | Metasploit, sqlmap, Burp Suite Pro |

Cryptographic Algorithm Selection

| Use Case | Algorithm | Key Size | |----------|-----------|----------| | Symmetric encryption | AES-256-GCM | 256 bits | | Password hashing | Argon2id | N/A (use defaults) | | Message authentication | HMAC-SHA256 | 256 bits | | Digital signatures | Ed25519 | 256 bits | | Key exchange | X25519 | 256 bits | | TLS | TLS 1.3 | N/A |

See: references/cryptography-implementation.md

---

Tools and References

Scripts

| Script | Purpose | |--------|---------| | threat_modeler.py | STRIDE threat analysis with DREAD risk scoring; JSON and text output; interactive guided mode | | secret_scanner.py | Detect hardcoded secrets and credentials across 20+ patterns; CI/CD integration ready |

For usage, see the inline code examples in Secure Code Review Workflow and the script source files directly.

References

| Document | Content | |----------|---------| | security-architecture-patterns.md | Zero Trust, defense-in-depth, authentication patterns, API security | | threat-modeling-guide.md | STRIDE methodology, attack trees, DREAD scoring, DFD creation | | cryptography-implementation.md | AES-GCM, RSA, Ed25519, password hashing, key management |

---

Security Standards Reference

Security Headers Checklist

| Header | Recommended Value | |--------|-------------------| | Content-Security-Policy | default-src self; script-src self | | X-Frame-Options | DENY | | X-Content-Type-Options | nosniff | | Strict-Transport-Security | max-age=31536000; includeSubDomains | | Referrer-Policy | strict-origin-when-cross-origin | | Permissions-Policy | geolocation=(), microphone=(), camera=() |

For compliance framework requirements (OWASP ASVS, CIS Benchmarks, NIST CSF, PCI-DSS, HIPAA, SOC 2), refer to the respective official documentation.

---

Related Skills

| Skill | Integration Point | |-------|-------------------| | senior-devops | CI/CD security, infrastructure hardening | | senior-secops | Security monitoring, incident response | | senior-backend | Secure API development | | senior-architect | Security architecture decisions |