security-engineering

Security architecture and implementation patterns. Use when designing security controls, implementing authentication/authorization, conducting threat modeling, or ensuring compliance with security frameworks.

25 stars

byComeOnOliver

View on GitHub Installation ↓

Best use case

security-engineering is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using security-engineering should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-engineering/SKILL.md --create-dirs "https://raw.githubusercontent.com/ComeOnOliver/skillshub/main/skills/aiskillstore/marketplace/89jobrien/security-engineering/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/security-engineering/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How security-engineering Compares

Feature / Agent	security-engineering	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Engineering

Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

## When to Use This Skill

- Designing security architecture
- Implementing authentication and authorization
- Conducting threat modeling
- Security code review
- Implementing compliance controls (SOC2, HIPAA, PCI-DSS)
- Incident response planning
- Security monitoring and alerting

## Security Architecture

### Defense in Depth

Layer security controls at multiple levels:

| Layer | Controls |
|-------|----------|
| Perimeter | Firewall, WAF, DDoS protection |
| Network | Segmentation, IDS/IPS, VPN |
| Host | Hardening, EDR, patch management |
| Application | Input validation, secure coding, SAST/DAST |
| Data | Encryption, access control, DLP |
| Identity | MFA, SSO, privileged access management |

### Zero Trust Architecture

**Core Principles:**

1. Never trust, always verify
2. Assume breach mentality
3. Least privilege access
4. Micro-segmentation
5. Continuous verification

**Implementation:**

- Identity-based access (not network-based)
- Device health verification
- Continuous authentication
- Encrypted communications everywhere
- Detailed logging and monitoring

## Authentication Patterns

### OAuth 2.0 / OIDC

**Grant Types:**

| Grant | Use Case |
|-------|----------|
| Authorization Code + PKCE | Web/mobile apps |
| Client Credentials | Service-to-service |
| Device Code | CLI tools, IoT |

**Token Best Practices:**

- Short-lived access tokens (15 min - 1 hour)
- Secure refresh token storage
- Token rotation on use
- Revocation capabilities

### Session Management

- Secure, HttpOnly, SameSite cookies
- Session timeout (idle and absolute)
- Session invalidation on logout
- Concurrent session limits
- Session binding to device/IP

### Multi-Factor Authentication

- TOTP (authenticator apps)
- WebAuthn/FIDO2 (hardware keys)
- Push notifications
- SMS (last resort, vulnerable to SIM swap)

## Authorization Patterns

### RBAC (Role-Based Access Control)

```
Users → Roles → Permissions
```

Best for: Well-defined organizational hierarchies

### ABAC (Attribute-Based Access Control)

```
If user.department == "engineering" AND
   resource.classification == "internal" AND
   time.hour BETWEEN 9 AND 17
THEN allow
```

Best for: Complex, dynamic access requirements

### Policy as Code

Use OPA/Rego or Cedar for externalized policy:

- Version controlled policies
- Testable access rules
- Audit trail
- Separation of concerns

## Secure Development

### OWASP Top 10 Mitigations

| Risk | Mitigation |
|------|------------|
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong password policy, MFA, rate limiting |
| Sensitive Data | Encryption, minimal data collection |
| XXE | Disable external entities |
| Broken Access | Authorization checks, default deny |
| Misconfig | Secure defaults, hardening guides |
| XSS | Output encoding, CSP |
| Deserialization | Integrity checks, avoid untrusted data |
| Components | Dependency scanning, updates |
| Logging | Centralized logging, alerting |

### Security Testing

**SAST (Static Analysis):**

- Run on every commit
- Block high-severity findings
- Tools: Semgrep, CodeQL, SonarQube

**DAST (Dynamic Analysis):**

- Run against staging/dev
- Tools: OWASP ZAP, Burp Suite

**Dependency Scanning:**

- Check for known vulnerabilities
- Tools: Snyk, Dependabot, npm audit

### Secrets Management

**Never:**

- Commit secrets to git
- Log secrets
- Pass secrets in URLs
- Hardcode secrets

**Do:**

- Use secret managers (Vault, AWS Secrets Manager)
- Rotate secrets regularly
- Audit secret access
- Use short-lived credentials

## Compliance Frameworks

### Common Requirements

| Framework | Focus Area |
|-----------|------------|
| SOC 2 | Trust services (security, availability, etc.) |
| HIPAA | Healthcare data protection |
| PCI-DSS | Payment card data |
| GDPR | EU personal data protection |
| ISO 27001 | Information security management |

### Key Controls

- Access control and authentication
- Encryption (at rest and in transit)
- Logging and monitoring
- Incident response procedures
- Business continuity planning
- Vendor management
- Employee security training

## Incident Response

### Response Phases

1. **Preparation**: Runbooks, tools, training
2. **Detection**: Monitoring, alerting, triage
3. **Containment**: Isolate, preserve evidence
4. **Eradication**: Remove threat, patch vulnerabilities
5. **Recovery**: Restore services, verify clean
6. **Lessons Learned**: Post-mortem, improvements

### Severity Levels

| Level | Description | Response Time |
|-------|-------------|---------------|
| P1 | Active breach, data exfiltration | Immediate |
| P2 | Vulnerability being exploited | < 4 hours |
| P3 | High-risk vulnerability discovered | < 24 hours |
| P4 | Security improvement needed | Next sprint |

## Reference Files

- **`references/threat_modeling.md`** - STRIDE methodology and examples
- **`references/compliance_controls.md`** - Framework-specific control mappings

## Integration with Other Skills

- **cloud-infrastructure** - For cloud security
- **debugging** - For security incident investigation
- **testing** - For security testing patterns

Related Skills

scanning-database-security

from ComeOnOliver/skillshub

This skill enables Claude to perform comprehensive database security scans using the database-security-scanner plugin. It is triggered when the user requests a security assessment of a database, including identifying vulnerabilities like weak passwords, SQL injection risks, and insecure configurations. The skill leverages OWASP guidelines to ensure thorough coverage and provides remediation suggestions. Use this skill when the user asks to "scan database security", "check database for vulnerabilities", "perform OWASP compliance check on database", or "assess database security posture". The plugin supports PostgreSQL and MySQL.

customerio-security-basics

from ComeOnOliver/skillshub

Apply Customer.io security best practices. Use when implementing secure credential storage, PII handling, webhook signature verification, or GDPR/CCPA compliance. Trigger: "customer.io security", "customer.io pii", "secure customer.io", "customer.io gdpr", "customer.io webhook verify".

coreweave-security-basics

from ComeOnOliver/skillshub

Secure CoreWeave deployments with RBAC, network policies, and secrets management. Use when hardening GPU workloads, managing model access, or configuring namespace isolation. Trigger with phrases like "coreweave security", "coreweave rbac", "secure coreweave", "coreweave secrets".

cookie-security-analyzer

from ComeOnOliver/skillshub

Cookie Security Analyzer - Auto-activating skill for Security Fundamentals. Triggers on: cookie security analyzer, cookie security analyzer Part of the Security Fundamentals skill category.

content-security-policy-generator

from ComeOnOliver/skillshub

Content Security Policy Generator - Auto-activating skill for Security Fundamentals. Triggers on: content security policy generator, content security policy generator Part of the Security Fundamentals skill category.

scanning-container-security

from ComeOnOliver/skillshub

This skill enables Claude to scan container images and running containers for vulnerabilities using tools like Trivy and Snyk. It identifies potential security risks in container environments. Use this skill when the user requests a security assessment of a container image, asks to identify vulnerabilities in a container, or wants to improve the security posture of their containerized applications. Trigger terms include "scan container," "container security," "vulnerability assessment," "Trivy scan," or "Snyk scan."

container-security-auditor

from ComeOnOliver/skillshub

Container Security Auditor - Auto-activating skill for Security Advanced. Triggers on: container security auditor, container security auditor Part of the Security Advanced skill category.

cohere-security-basics

from ComeOnOliver/skillshub

Apply Cohere security best practices for API key management and access control. Use when securing API keys, implementing key rotation, or auditing Cohere security configuration. Trigger with phrases like "cohere security", "cohere secrets", "secure cohere", "cohere API key security", "cohere key rotation".

coderabbit-security-basics

from ComeOnOliver/skillshub

Configure CodeRabbit for security-focused code review with secret detection and vulnerability scanning. Use when setting up security review rules, configuring secret detection in PRs, or hardening CodeRabbit configuration for compliance requirements. Trigger with phrases like "coderabbit security", "coderabbit secrets", "secure coderabbit", "coderabbit vulnerability detection", "coderabbit security review".

cloud-security-posture

from ComeOnOliver/skillshub

Cloud Security Posture - Auto-activating skill for Security Advanced. Triggers on: cloud security posture, cloud security posture Part of the Security Advanced skill category.

clickup-security-basics

from ComeOnOliver/skillshub

Secure ClickUp API tokens, implement least-privilege access, and audit usage. Use when securing API keys, rotating tokens, configuring per-environment credentials, or auditing ClickUp API access patterns. Trigger: "clickup security", "clickup secrets", "secure clickup token", "clickup API key rotation", "clickup access audit".

clickhouse-security-basics

from ComeOnOliver/skillshub

Secure ClickHouse with user management, network restrictions, TLS, and audit logging. Use when hardening a ClickHouse deployment, creating restricted users, or configuring network-level access controls. Trigger: "clickhouse security", "clickhouse user management", "secure clickhouse", "clickhouse TLS", "clickhouse access control", "clickhouse firewall".