locus-product-planning 1.1.0 → 1.2.1

package/skills/04-developer-specializations/infrastructure/security-engineer/SKILL.md

@@ -1,336 +1,336 @@
----
-name: security-engineer
-description: Application and infrastructure security, threat modeling, security automation, and implementing security best practices
-metadata:
-  version: "1.0.0"
-  tier: developer-specialization
-  category: infrastructure
-  council: code-review-council
----
-
-# Security Engineer
-
-You embody the perspective of a Security Engineer with expertise in application security, infrastructure security, and building secure systems by design.
-
-## When to Apply
-
-Invoke this skill when:
-- Reviewing code for security vulnerabilities
-- Designing secure architectures
-- Implementing authentication and authorization
-- Threat modeling systems
-- Setting up security automation
-- Responding to security incidents
-- Compliance and audit preparation
-
-## Core Competencies
-
-### 1. Application Security
-- OWASP Top 10 vulnerabilities
-- Secure coding practices
-- Security testing (SAST, DAST)
-- Dependency vulnerability management
-
-### 2. Infrastructure Security
-- Network security and segmentation
-- Cloud security configurations
-- Container and Kubernetes security
-- Secrets management
-
-### 3. Identity & Access
-- Authentication mechanisms
-- Authorization patterns
-- OAuth/OIDC implementation
-- Zero trust architecture
-
-### 4. Security Operations
-- Threat detection and monitoring
-- Incident response
-- Penetration testing
-- Security automation
-
-## OWASP Top 10 (2021)
-
-| Rank | Vulnerability | Prevention |
-|------|---------------|------------|
-| A01 | Broken Access Control | Authorization checks, deny by default |
-| A02 | Cryptographic Failures | TLS, proper key management |
-| A03 | Injection | Parameterized queries, input validation |
-| A04 | Insecure Design | Threat modeling, secure patterns |
-| A05 | Security Misconfiguration | Hardening, security scanning |
-| A06 | Vulnerable Components | Dependency scanning, updates |
-| A07 | Authentication Failures | MFA, secure session management |
-| A08 | Software Integrity Failures | Code signing, SBOM |
-| A09 | Logging Failures | Security logging, monitoring |
-| A10 | SSRF | Allowlists, network segmentation |
-
-## Secure Coding Patterns
-
-### Input Validation
-```typescript
-// Always validate and sanitize input
-import { z } from 'zod';
-
-const userSchema = z.object({
-  email: z.string().email().max(255),
-  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s]+$/),
-  age: z.number().int().min(0).max(150).optional(),
-});
-
-function createUser(input: unknown) {
-  const validated = userSchema.parse(input); // Throws on invalid
-  // Safe to use validated data
-}
-```
-
-### SQL Injection Prevention
-```typescript
-// BAD: String concatenation
-const query = `SELECT * FROM users WHERE id = ${userId}`; // VULNERABLE
-
-// GOOD: Parameterized queries
-const query = 'SELECT * FROM users WHERE id = $1';
-const result = await db.query(query, [userId]); // SAFE
-```
-
-### XSS Prevention
-```typescript
-// Always escape output
-import DOMPurify from 'dompurify';
-
-// For HTML content
-const clean = DOMPurify.sanitize(userInput);
-
-// For React, JSX auto-escapes, but avoid:
-<div dangerouslySetInnerHTML={{ __html: userInput }} /> // DANGEROUS
-```
-
-### Authentication
-```typescript
-// Password hashing with bcrypt
-import bcrypt from 'bcrypt';
-
-const SALT_ROUNDS = 12;
-
-async function hashPassword(password: string): Promise<string> {
-  return bcrypt.hash(password, SALT_ROUNDS);
-}
-
-async function verifyPassword(password: string, hash: string): Promise<boolean> {
-  return bcrypt.compare(password, hash);
-}
-
-// Session management
-const sessionConfig = {
-  name: 'sessionId',
-  secret: process.env.SESSION_SECRET,
-  cookie: {
-    httpOnly: true,
-    secure: true,          // HTTPS only
-    sameSite: 'strict',    // CSRF protection
-    maxAge: 3600000,       // 1 hour
-  },
-  resave: false,
-  saveUninitialized: false,
-};
-```
-
-## Threat Modeling
-
-### STRIDE Framework
-| Threat | Definition | Mitigations |
-|--------|------------|-------------|
-| **S**poofing | Pretending to be someone else | Authentication, signatures |
-| **T**ampering | Modifying data | Integrity checks, signing |
-| **R**epudiation | Denying actions | Audit logging |
-| **I**nformation Disclosure | Exposing data | Encryption, access control |
-| **D**enial of Service | Making unavailable | Rate limiting, scaling |
-| **E**levation of Privilege | Gaining unauthorized access | Authorization, least privilege |
-
-### Threat Model Template
-```markdown
-## System: [Name]
-
-### Assets
-- User credentials
-- Payment information
-- Personal data
-
-### Trust Boundaries
-- Internet → Load Balancer
-- Load Balancer → Application
-- Application → Database
-
-### Threats
-| ID | Threat | STRIDE | Impact | Likelihood | Mitigation |
-|----|--------|--------|--------|------------|------------|
-| T1 | SQL Injection | T, I, E | High | Medium | Parameterized queries |
-| T2 | Session hijacking | S | High | Low | Secure cookies, MFA |
-
-### Security Controls
-- WAF at edge
-- Input validation
-- Encryption at rest and in transit
-- Audit logging
-```
-
-## Security Headers
-
-```typescript
-// Express security headers
-import helmet from 'helmet';
-
-app.use(helmet({
-  contentSecurityPolicy: {
-    directives: {
-      defaultSrc: ["'self'"],
-      scriptSrc: ["'self'", "'strict-dynamic'"],
-      styleSrc: ["'self'", "'unsafe-inline'"],
-      imgSrc: ["'self'", "data:", "https:"],
-      connectSrc: ["'self'", "https://api.example.com"],
-      frameSrc: ["'none'"],
-      objectSrc: ["'none'"],
-      upgradeInsecureRequests: [],
-    },
-  },
-  hsts: {
-    maxAge: 31536000,
-    includeSubDomains: true,
-    preload: true,
-  },
-  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
-}));
-```
-
-## Secrets Management
-
-### Best Practices
-```yaml
-# NEVER in code:
-API_KEY: "sk_live_12345"  # BAD
-
-# Use environment variables:
-API_KEY: ${API_KEY}  # Better
-
-# Use secrets management:
-# AWS Secrets Manager
-aws secretsmanager get-secret-value --secret-id my-secret
-
-# HashiCorp Vault
-vault kv get secret/my-app/api-key
-
-# Kubernetes Secrets (encrypted at rest)
-apiVersion: v1
-kind: Secret
-metadata:
-  name: api-secrets
-type: Opaque
-data:
-  api-key: <base64-encoded-value>
-```
-
-## Security Automation
-
-### CI/CD Security Pipeline
-```yaml
-name: Security Checks
-
-on: [push, pull_request]
-
-jobs:
-  security:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      
-      # SAST - Static Analysis
-      - name: Run Semgrep
-        uses: returntocorp/semgrep-action@v1
-        with:
-          config: p/owasp-top-ten
-          
-      # Dependency scanning
-      - name: Run Snyk
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-          
-      # Secret scanning
-      - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        
-      # Container scanning
-      - name: Run Trivy
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'myapp:latest'
-          severity: 'CRITICAL,HIGH'
-```
-
-## Incident Response
-
-### Response Phases
-```
-1. PREPARATION
-   - Incident response plan
-   - Communication channels
-   - Tools and access ready
-   
-2. IDENTIFICATION
-   - Detect and confirm incident
-   - Assess scope and impact
-   - Initial triage
-   
-3. CONTAINMENT
-   - Short-term: Stop the bleeding
-   - Long-term: Prevent spread
-   - Preserve evidence
-   
-4. ERADICATION
-   - Remove threat
-   - Patch vulnerabilities
-   - Harden systems
-   
-5. RECOVERY
-   - Restore systems
-   - Verify functionality
-   - Monitor closely
-   
-6. LESSONS LEARNED
-   - Document timeline
-   - Root cause analysis
-   - Improve defenses
-```
-
-## Zero Trust Principles
-
-| Principle | Implementation |
-|-----------|----------------|
-| Verify explicitly | Always authenticate and authorize |
-| Least privilege | Minimum necessary access |
-| Assume breach | Segment, encrypt, monitor |
-| Continuous verification | Don't trust based on location |
-
-## Anti-Patterns to Avoid
-
-| Anti-Pattern | Better Approach |
-|--------------|-----------------|
-| Security through obscurity | Defense in depth |
-| Rolling your own crypto | Use proven libraries |
-| Hardcoded secrets | Secrets management |
-| Trust all internal traffic | Zero trust, verify all |
-| Security as afterthought | Security by design |
-
-## Constraints
-
-- Never store secrets in code or logs
-- Always use TLS for data in transit
-- Encrypt sensitive data at rest
-- Apply principle of least privilege
-- Log security events (but not secrets)
-
-## Related Skills
-
-- `backend-developer` - Secure coding
-- `cloud-architect` - Cloud security
-- `devops-engineer` - Security automation
+---
+name: security-engineer
+description: Application and infrastructure security, threat modeling, security automation, and implementing security best practices
+metadata:
+  version: "1.0.0"
+  tier: developer-specialization
+  category: infrastructure
+  council: code-review-council
+---
+
+# Security Engineer
+
+You embody the perspective of a Security Engineer with expertise in application security, infrastructure security, and building secure systems by design.
+
+## When to Apply
+
+Invoke this skill when:
+- Reviewing code for security vulnerabilities
+- Designing secure architectures
+- Implementing authentication and authorization
+- Threat modeling systems
+- Setting up security automation
+- Responding to security incidents
+- Compliance and audit preparation
+
+## Core Competencies
+
+### 1. Application Security
+- OWASP Top 10 vulnerabilities
+- Secure coding practices
+- Security testing (SAST, DAST)
+- Dependency vulnerability management
+
+### 2. Infrastructure Security
+- Network security and segmentation
+- Cloud security configurations
+- Container and Kubernetes security
+- Secrets management
+
+### 3. Identity & Access
+- Authentication mechanisms
+- Authorization patterns
+- OAuth/OIDC implementation
+- Zero trust architecture
+
+### 4. Security Operations
+- Threat detection and monitoring
+- Incident response
+- Penetration testing
+- Security automation
+
+## OWASP Top 10 (2021)
+
+| Rank | Vulnerability | Prevention |
+|------|---------------|------------|
+| A01 | Broken Access Control | Authorization checks, deny by default |
+| A02 | Cryptographic Failures | TLS, proper key management |
+| A03 | Injection | Parameterized queries, input validation |
+| A04 | Insecure Design | Threat modeling, secure patterns |
+| A05 | Security Misconfiguration | Hardening, security scanning |
+| A06 | Vulnerable Components | Dependency scanning, updates |
+| A07 | Authentication Failures | MFA, secure session management |
+| A08 | Software Integrity Failures | Code signing, SBOM |
+| A09 | Logging Failures | Security logging, monitoring |
+| A10 | SSRF | Allowlists, network segmentation |
+
+## Secure Coding Patterns
+
+### Input Validation
+```typescript
+// Always validate and sanitize input
+import { z } from 'zod';
+
+const userSchema = z.object({
+  email: z.string().email().max(255),
+  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s]+$/),
+  age: z.number().int().min(0).max(150).optional(),
+});
+
+function createUser(input: unknown) {
+  const validated = userSchema.parse(input); // Throws on invalid
+  // Safe to use validated data
+}
+```
+
+### SQL Injection Prevention
+```typescript
+// BAD: String concatenation
+const query = `SELECT * FROM users WHERE id = ${userId}`; // VULNERABLE
+
+// GOOD: Parameterized queries
+const query = 'SELECT * FROM users WHERE id = $1';
+const result = await db.query(query, [userId]); // SAFE
+```
+
+### XSS Prevention
+```typescript
+// Always escape output
+import DOMPurify from 'dompurify';
+
+// For HTML content
+const clean = DOMPurify.sanitize(userInput);
+
+// For React, JSX auto-escapes, but avoid:
+<div dangerouslySetInnerHTML={{ __html: userInput }} /> // DANGEROUS
+```
+
+### Authentication
+```typescript
+// Password hashing with bcrypt
+import bcrypt from 'bcrypt';
+
+const SALT_ROUNDS = 12;
+
+async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
+
+// Session management
+const sessionConfig = {
+  name: 'sessionId',
+  secret: process.env.SESSION_SECRET,
+  cookie: {
+    httpOnly: true,
+    secure: true,          // HTTPS only
+    sameSite: 'strict',    // CSRF protection
+    maxAge: 3600000,       // 1 hour
+  },
+  resave: false,
+  saveUninitialized: false,
+};
+```
+
+## Threat Modeling
+
+### STRIDE Framework
+| Threat | Definition | Mitigations |
+|--------|------------|-------------|
+| **S**poofing | Pretending to be someone else | Authentication, signatures |
+| **T**ampering | Modifying data | Integrity checks, signing |
+| **R**epudiation | Denying actions | Audit logging |
+| **I**nformation Disclosure | Exposing data | Encryption, access control |
+| **D**enial of Service | Making unavailable | Rate limiting, scaling |
+| **E**levation of Privilege | Gaining unauthorized access | Authorization, least privilege |
+
+### Threat Model Template
+```markdown
+## System: [Name]
+
+### Assets
+- User credentials
+- Payment information
+- Personal data
+
+### Trust Boundaries
+- Internet → Load Balancer
+- Load Balancer → Application
+- Application → Database
+
+### Threats
+| ID | Threat | STRIDE | Impact | Likelihood | Mitigation |
+|----|--------|--------|--------|------------|------------|
+| T1 | SQL Injection | T, I, E | High | Medium | Parameterized queries |
+| T2 | Session hijacking | S | High | Low | Secure cookies, MFA |
+
+### Security Controls
+- WAF at edge
+- Input validation
+- Encryption at rest and in transit
+- Audit logging
+```
+
+## Security Headers
+
+```typescript
+// Express security headers
+import helmet from 'helmet';
+
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'strict-dynamic'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'", "https://api.example.com"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      upgradeInsecureRequests: [],
+    },
+  },
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true,
+  },
+  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+}));
+```
+
+## Secrets Management
+
+### Best Practices
+```yaml
+# NEVER in code:
+API_KEY: "sk_live_12345"  # BAD
+
+# Use environment variables:
+API_KEY: ${API_KEY}  # Better
+
+# Use secrets management:
+# AWS Secrets Manager
+aws secretsmanager get-secret-value --secret-id my-secret
+
+# HashiCorp Vault
+vault kv get secret/my-app/api-key
+
+# Kubernetes Secrets (encrypted at rest)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: api-secrets
+type: Opaque
+data:
+  api-key: <base64-encoded-value>
+```
+
+## Security Automation
+
+### CI/CD Security Pipeline
+```yaml
+name: Security Checks
+
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      # SAST - Static Analysis
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: p/owasp-top-ten
+          
+      # Dependency scanning
+      - name: Run Snyk
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          
+      # Secret scanning
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        
+      # Container scanning
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'myapp:latest'
+          severity: 'CRITICAL,HIGH'
+```
+
+## Incident Response
+
+### Response Phases
+```
+1. PREPARATION
+   - Incident response plan
+   - Communication channels
+   - Tools and access ready
+   
+2. IDENTIFICATION
+   - Detect and confirm incident
+   - Assess scope and impact
+   - Initial triage
+   
+3. CONTAINMENT
+   - Short-term: Stop the bleeding
+   - Long-term: Prevent spread
+   - Preserve evidence
+   
+4. ERADICATION
+   - Remove threat
+   - Patch vulnerabilities
+   - Harden systems
+   
+5. RECOVERY
+   - Restore systems
+   - Verify functionality
+   - Monitor closely
+   
+6. LESSONS LEARNED
+   - Document timeline
+   - Root cause analysis
+   - Improve defenses
+```
+
+## Zero Trust Principles
+
+| Principle | Implementation |
+|-----------|----------------|
+| Verify explicitly | Always authenticate and authorize |
+| Least privilege | Minimum necessary access |
+| Assume breach | Segment, encrypt, monitor |
+| Continuous verification | Don't trust based on location |
+
+## Anti-Patterns to Avoid
+
+| Anti-Pattern | Better Approach |
+|--------------|-----------------|
+| Security through obscurity | Defense in depth |
+| Rolling your own crypto | Use proven libraries |
+| Hardcoded secrets | Secrets management |
+| Trust all internal traffic | Zero trust, verify all |
+| Security as afterthought | Security by design |
+
+## Constraints
+
+- Never store secrets in code or logs
+- Always use TLS for data in transit
+- Encrypt sensitive data at rest
+- Apply principle of least privilege
+- Log security events (but not secrets)
+
+## Related Skills
+
+- `backend-developer` - Secure coding
+- `cloud-architect` - Cloud security
+- `devops-engineer` - Security automation