Senior Security Engineer
Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing.
Table of Contents
Threat Modeling Workflow
Identify and analyze security threats using STRIDE methodology.
Workflow: Conduct Threat Model
- 1. Define system scope and boundaries:
- Identify assets to protect
- Map trust boundaries
- Document data flows
- 2. Create data flow diagram:
- External entities (users, services)
- Processes (application components)
- Data stores (databases, caches)
- Data flows (APIs, network connections)
- 3. Apply STRIDE to each DFD element (see STRIDE per Element Matrix below)
- Score risks using DREAD:
- Damage potential (1-10)
- Reproducibility (1-10)
- Exploitability (1-10)
- Affected users (1-10)
- Discoverability (1-10)
- 5. Prioritize threats by risk score
- Define mitigations for each threat
- Document in threat model report
- Validation: All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped
STRIDE Threat Categories
| Category | Security Property | Mitigation Focus |
|---|
| Spoofing | Authentication | MFA, certificates, strong auth |
| Tampering |
Integrity | Signing, checksums, validation |
| Repudiation | Non-repudiation | Audit logs, digital signatures |
| Information Disclosure | Confidentiality | Encryption, access controls |
| Denial of Service | Availability | Rate limiting, redundancy |
| Elevation of Privilege | Authorization | RBAC, least privilege |
STRIDE per Element Matrix
| DFD Element | S | T | R | I | D | E |
|---|
| External Entity | X | | X | | | |
| Process |
X | X | X | X | X | X |
| Data Store | | X | X | X | X | |
| Data Flow | | X | | X | X | |
See: references/threat-modeling-guide.md
Security Architecture Workflow
Design secure systems using defense-in-depth principles.
Workflow: Design Secure Architecture
- 1. Define security requirements:
- Compliance requirements (GDPR, HIPAA, PCI-DSS)
- Data classification (public, internal, confidential, restricted)
- Threat model inputs
- 2. Apply defense-in-depth layers:
- Perimeter: WAF, DDoS protection, rate limiting
- Network: Segmentation, IDS/IPS, mTLS
- Host: Patching, EDR, hardening
- Application: Input validation, authentication, secure coding
- Data: Encryption at rest and in transit
- 3. Implement Zero Trust principles:
- Verify explicitly (every request)
- Least privilege access (JIT/JEA)
- Assume breach (segment, monitor)
- 4. Configure authentication and authorization:
- Identity provider selection
- MFA requirements
- RBAC/ABAC model
- 5. Design encryption strategy:
- Key management approach
- Algorithm selection
- Certificate lifecycle
- 6. Plan security monitoring:
- Log aggregation
- SIEM integration
- Alerting rules
- 7. Document architecture decisions
- Validation: Defense-in-depth layers defined; Zero Trust applied; encryption strategy documented; monitoring planned
Defense-in-Depth Layers
CODEBLOCK0
Authentication Pattern Selection
| Use Case | Recommended Pattern |
|---|
| Web application | OAuth 2.0 + PKCE with OIDC |
| API authentication |
JWT with short expiration + refresh tokens |
| Service-to-service | mTLS with certificate rotation |
| CLI/Automation | API keys with IP allowlisting |
| High security | FIDO2/WebAuthn hardware keys |
See: references/security-architecture-patterns.md
Vulnerability Assessment Workflow
Identify and remediate security vulnerabilities in applications.
Workflow: Conduct Vulnerability Assessment
- 1. Define assessment scope:
- In-scope systems and applications
- Testing methodology (black box, gray box, white box)
- Rules of engagement
- 2. Gather information:
- Technology stack inventory
- Architecture documentation
- Previous vulnerability reports
- 3. Perform automated scanning:
- SAST (static analysis)
- DAST (dynamic analysis)
- Dependency scanning
- Secret detection
- 4. Conduct manual testing:
- Business logic flaws
- Authentication bypass
- Authorization issues
- Injection vulnerabilities
- 5. Classify findings by severity:
- Critical: Immediate exploitation risk
- High: Significant impact, easier to exploit
- Medium: Moderate impact or difficulty
- Low: Minor impact
- 6. Develop remediation plan:
- Prioritize by risk
- Assign owners
- Set deadlines
- 7. Verify fixes and document
- Validation: Scope defined; automated and manual testing complete; findings classified; remediation tracked
For OWASP Top 10 vulnerability descriptions and testing guidance, refer to owasp.org/Top10.
Vulnerability Severity Matrix
| Impact \ Exploitability | Easy | Moderate | Difficult |
|---|
| Critical | Critical | Critical | High |
| High |
Critical | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
Secure Code Review Workflow
Review code for security vulnerabilities before deployment.
Workflow: Conduct Security Code Review
- 1. Establish review scope:
- Changed files and functions
- Security-sensitive areas (auth, crypto, input handling)
- Third-party integrations
- 2. Run automated analysis:
- SAST tools (Semgrep, CodeQL, Bandit)
- Secret scanning
- Dependency vulnerability check
- 3. Review authentication code:
- Password handling (hashing, storage)
- Session management
- Token validation
- 4. Review authorization code:
- Access control checks
- RBAC implementation
- Privilege boundaries
- 5. Review data handling:
- Input validation
- Output encoding
- SQL query construction
- File path handling
- 6. Review cryptographic code:
- Algorithm selection
- Key management
- Random number generation
- 7. Document findings with severity
- Validation: Automated scans passed; auth/authz reviewed; data handling checked; crypto verified; findings documented
Security Code Review Checklist
| Category | Check | Risk |
|---|
| Input Validation | All user input validated and sanitized | Injection |
| Output Encoding |
Context-appropriate encoding applied | XSS |
| Authentication | Passwords hashed with Argon2/bcrypt | Credential theft |
| Session | Secure cookie flags set (HttpOnly, Secure, SameSite) | Session hijacking |
| Authorization | Server-side permission checks on all endpoints | Privilege escalation |
| SQL | Parameterized queries used exclusively | SQL injection |
| File Access | Path traversal sequences rejected | Path traversal |
| Secrets | No hardcoded credentials or keys | Information disclosure |
| Dependencies | Known vulnerable packages updated | Supply chain |
| Logging | Sensitive data not logged | Information disclosure |
Secure vs Insecure Patterns
| Pattern | Issue | Secure Alternative |
|---|
| SQL string formatting | SQL injection | Use parameterized queries with placeholders |
| Shell command building |
Command injection | Use subprocess with argument lists, no shell |
| Path concatenation | Path traversal | Validate and canonicalize paths |
| MD5/SHA1 for passwords | Weak hashing | Use Argon2id or bcrypt |
| Math.random for tokens | Predictable values | Use crypto.getRandomValues |
Inline Code Examples
SQL Injection — insecure vs. secure (Python):
CODEBLOCK1
Password Hashing with Argon2id (Python):
CODEBLOCK2
Secret Scanning — core pattern matching (Python):
CODEBLOCK3�
Incident Response Workflow
Respond to and contain security incidents.
Workflow: Handle Security Incident
- 1. Identify and triage:
- Validate incident is genuine
- Assess initial scope and severity
- Activate incident response team
- 2. Contain the threat:
- Isolate affected systems
- Block malicious IPs/accounts
- Disable compromised credentials
- 3. Eradicate root cause:
- Remove malware/backdoors
- Patch vulnerabilities
- Update configurations
- 4. Recover operations:
- Restore from clean backups
- Verify system integrity
- Monitor for recurrence
- 5. Conduct post-mortem:
- Timeline reconstruction
- Root cause analysis
- Lessons learned
- 6. Implement improvements:
- Update detection rules
- Enhance controls
- Update runbooks
- 7. Document and report
- Validation: Threat contained; root cause eliminated; systems recovered; post-mortem complete; improvements implemented
Incident Severity Levels
| Level | Response Time | Escalation |
|---|
| P1 - Critical (active breach/exfiltration) | Immediate | CISO, Legal, Executive |
| P2 - High (confirmed, contained) |
1 hour | Security Lead, IT Director |
| P3 - Medium (potential, under investigation) | 4 hours | Security Team |
| P4 - Low (suspicious, low impact) | 24 hours | On-call engineer |
Incident Response Checklist
| Phase | Actions |
|---|
| Identification | Validate alert, assess scope, determine severity |
| Containment |
Isolate systems, preserve evidence, block access |
| Eradication | Remove threat, patch vulnerabilities, reset credentials |
| Recovery | Restore services, verify integrity, increase monitoring |
| Lessons Learned | Document timeline, identify gaps, update procedures |
Security Tools Reference
Recommended Security Tools
| Category | Tools |
|---|
| SAST | Semgrep, CodeQL, Bandit (Python), ESLint security plugins |
| DAST |
OWASP ZAP, Burp Suite, Nikto |
| Dependency Scanning | Snyk, Dependabot, npm audit, pip-audit |
| Secret Detection | GitLeaks, TruffleHog, detect-secrets |
| Container Security | Trivy, Clair, Anchore |
| Infrastructure | Checkov, tfsec, ScoutSuite |
| Network | Wireshark, Nmap, Masscan |
| Penetration | Metasploit, sqlmap, Burp Suite Pro |
Cryptographic Algorithm Selection
| Use Case | Algorithm | Key Size |
|---|
| Symmetric encryption | AES-256-GCM | 256 bits |
| Password hashing |
Argon2id | N/A (use defaults) |
| Message authentication | HMAC-SHA256 | 256 bits |
| Digital signatures | Ed25519 | 256 bits |
| Key exchange | X25519 | 256 bits |
| TLS | TLS 1.3 | N/A |
See: references/cryptography-implementation.md
Tools and References
Scripts
Detect hardcoded secrets and credentials across 20+ patterns; CI/CD integration ready |
For usage, see the inline code examples in Secure Code Review Workflow and the script source files directly.
References
STRIDE methodology, attack trees, DREAD scoring, DFD creation |
|
cryptography-implementation.md | AES-GCM, RSA, Ed25519, password hashing, key management |
Security Standards Reference
Security Headers Checklist
| Header | Recommended Value |
|---|
| Content-Security-Policy | default-src self; script-src self |
| X-Frame-Options |
DENY |
| X-Content-Type-Options | nosniff |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
For compliance framework requirements (OWASP ASVS, CIS Benchmarks, NIST CSF, PCI-DSS, HIPAA, SOC 2), refer to the respective official documentation.
Related Skills
Security monitoring, incident response |
|
senior-backend | Secure API development |
|
senior-architect | Security architecture decisions |
高级安全工程师
用于威胁建模、漏洞分析、安全架构设计和渗透测试的安全工程工具。
目录
威胁建模工作流程
使用STRIDE方法识别和分析安全威胁。
工作流程:执行威胁建模
- 1. 定义系统范围与边界:
- 识别需要保护的资产
- 映射信任边界
- 记录数据流
- 2. 创建数据流图:
- 外部实体(用户、服务)
- 进程(应用程序组件)
- 数据存储(数据库、缓存)
- 数据流(API、网络连接)
- 3. 对每个DFD元素应用STRIDE(参见下方STRIDE元素矩阵)
- 使用DREAD进行风险评分:
- 潜在损害(1-10)
- 可重现性(1-10)
- 可利用性(1-10)
- 受影响用户数(1-10)
- 可发现性(1-10)
- 5. 按风险评分对威胁进行优先级排序
- 为每个威胁定义缓解措施
- 记录到威胁建模报告中
- 验证: 所有DFD元素已分析;STRIDE已应用;威胁已评分;缓解措施已映射
STRIDE威胁类别
| 类别 | 安全属性 | 缓解重点 |
|---|
| 欺骗 | 身份验证 | 多因素认证、证书、强认证 |
| 篡改 |
完整性 | 签名、校验和、验证 |
| 抵赖 | 不可否认性 | 审计日志、数字签名 |
| 信息泄露 | 机密性 | 加密、访问控制 |
| 拒绝服务 | 可用性 | 速率限制、冗余 |
| 权限提升 | 授权 | 基于角色的访问控制、最小权限 |
STRIDE元素矩阵
X | X | X | X | X | X |
| 数据存储 | | X | X | X | X | |
| 数据流 | | X | | X | X | |
参见:references/threat-modeling-guide.md
安全架构工作流程
使用纵深防御原则设计安全系统。
工作流程:设计安全架构
- 1. 定义安全需求:
- 合规要求(GDPR、HIPAA、PCI-DSS)
- 数据分类(公开、内部、机密、限制级)
- 威胁模型输入
- 2. 应用纵深防御层级:
- 边界层:WAF、DDoS防护、速率限制
- 网络层:分段、IDS/IPS、mTLS
- 主机层:补丁管理、EDR、加固
- 应用层:输入验证、身份验证、安全编码
- 数据层:静态和传输中加密
- 3. 实施零信任原则:
- 显式验证(每个请求)
- 最小权限访问(JIT/JEA)
- 假设已遭入侵(分段、监控)
- 4. 配置身份验证和授权:
- 身份提供商选择
- 多因素认证要求
- RBAC/ABAC模型
- 5. 设计加密策略:
- 密钥管理方法
- 算法选择
- 证书生命周期
- 6. 规划安全监控:
- 日志聚合
- SIEM集成
- 告警规则
- 7. 记录架构决策
- 验证: 纵深防御层级已定义;零信任已应用;加密策略已记录;监控已规划
纵深防御层级
第1层:边界层
WAF、DDoS缓解、DNS过滤、速率限制
第2层:网络层
分段、IDS/IPS、网络监控、VPN、mTLS
第3层:主机层
端点保护、操作系统加固、补丁管理、日志记录
第4层:应用层
输入验证、身份验证、安全编码、SAST
第5层:数据层
静态/传输中加密、访问控制、DLP、备份
身份验证模式选择
| 使用场景 | 推荐模式 |
|---|
| Web应用程序 | OAuth 2.0 + PKCE with OIDC |
| API身份验证 |
短有效期JWT + 刷新令牌 |
| 服务间通信 | 带证书轮换的mTLS |
| CLI/自动化 | 带IP白名单的API密钥 |
| 高安全性 | FIDO2/WebAuthn硬件密钥 |
参见:references/security-architecture-patterns.md
漏洞评估工作流程
识别并修复应用程序中的安全漏洞。
工作流程:执行漏洞评估
- 1. 定义评估范围:
- 范围内的系统和应用程序
- 测试方法(黑盒、灰盒、白盒)
- 交战规则
- 2. 收集信息:
- 技术栈清单
- 架构文档
- 历史漏洞报告
- 3. 执行自动化扫描:
- SAST(静态分析)
- DAST(动态分析)
- 依赖项扫描
- 密钥检测
- 4. 执行手动测试:
- 业务逻辑缺陷
- 身份验证绕过
- 授权问题
- 注入漏洞
- 5. 按严重程度分类发现:
- 严重:立即利用风险
- 高:影响重大,较易利用
- 中:中等影响或难度
- 低:影响较小
- 6. 制定修复计划:
- 按风险优先级排序
- 分配负责人
- 设定截止日期
- 7. 验证修复并记录
- 验证: 范围已定义;自动化和手动测试已完成;发现已分类;修复已跟踪
有关OWASP Top 10漏洞描述和测试指南,请参阅owasp.org/Top10。
漏洞严重程度矩阵
严重 | 高 | 中 |
| 中 | 高 | 中 | 低 |
| 低 | 中 | 低 | 低 |
安全代码审查工作流程
在部署前审查代码中的安全漏洞。
工作流程:执行安全代码审查
- 1. 确定审查范围:
- 变更的文件和函数
- 安全敏感区域(身份验证、加密、输入处理)
- 第三方集成
- 2. 运行自动化分析:
- SAST工具(Semgrep、CodeQL、Bandit)
- 密钥扫描
- 依赖项漏洞检查
- 3. 审查身份验证代码:
- 密码处理(哈希、存储)
- 会话管理
- 令牌验证
- 4. 审查授权代码:
- 访问控制检查
- RBAC实现
- 权限边界
- 5. 审查数据处理:
- 输入验证
- 输出编码
- SQL查询构建
- 文件路径处理
- 6. 审查加密代码:
- 算法选择
- 密钥管理
- 随机数生成
- 7. 记录发现及严重程度
- 验证: 自动化扫描通过;身份验证/授权已审查;数据处理已检查;加密已验证;发现已记录
安全代码审查清单
| 类别 | 检查项 | 风险 |
|---|
| 输入验证 | 所有用户输入均已验证和清理 | 注入 |
| 输出编码 |
应用了上下文相关的编码 | XSS |
| 身份验证 | 使用Argon2/bcrypt对密码进行哈希 | 凭证窃取 |
| 会话 | 设置了安全Cookie标志(HttpOnly、Secure、SameSite) | 会话劫持 |
| 授权 | 所有端点均执行服务端权限检查 | 权限提升 |
| SQL | 仅使用参数化查询 | SQL注入 |
| 文件访问 | 拒绝路径遍历序列 | 路径遍历 |
| 密钥 | 无硬编码凭证或密钥 | 信息泄露 |
| 依赖项 | 已知存在漏洞的包已更新 | 供应链 |
| 日志记录 | 敏感数据未记录 | 信息泄露 |
安全与不安全模式对比
| 模式 | 问题 | 安全替代方案 |
|---------|
