Senior SecOps

# Senior SecOps Engineer Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation. --- ## Table of Contents - [Core Capabilities](#core-capabilities) - [Workflows](#workflows) - [Tool Reference](#tool-reference) - [Security Standards](#security-standards) - [Compliance Frameworks](#compliance-frameworks) - [Best Practices](#best-practices) --- ## Core Capabilities ### 1. Security Scanner Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal. ```bash # Scan project for security issues python scripts/security_scanner.py /path/to/project # Filter by severity python scripts/security_scanner.py /path/to/project --severity high # JSON output for CI/CD python scripts/security_scanner.py /path/to/project --json --output report.json ``` **Detects:** - Hardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys) - SQL injection patterns (string concatenation, f-strings, template literals) - XSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns) - Command injection (shell=True, exec, eval with user input) - Path traversal (file operations with user input) ### 2. Vulnerability Assessor Scan dependencies for known CVEs across npm, Python, and Go ecosystems. ```bash # Assess project dependencies python scripts/vulnerability_assessor.py /path/to/project # Critical/high only python scripts/vulnerability_assessor.py /path/to/project --severity high # Export vulnerability report python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json ``` **Scans:** - `package.json` and `package-lock.json` (npm) - `requirements.txt` and `pyproject.toml` (Python) - `go.mod` (Go) **Output:** - CVE IDs with CVSS scores - Affected package versions - Fixed versions for remediation - Overall risk score (0-100) ### 3. Compliance Checker Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks. ```bash # Check all frameworks python scripts/compliance_checker.py /path/to/project # Specific framework python scripts/compliance_checker.py /path/to/project --framework soc2 python scripts/compliance_checker.py /path/to/project --framework pci-dss python scripts/compliance_checker.py /path/to/project --framework hipaa python scripts/compliance_checker.py /path/to/project --framework gdpr # Export compliance report python scripts/compliance_checker.py /path/to/project --json --output compliance.json ``` **Verifies:** - Access control implementation - Encryption at rest and in transit - Audit logging - Authentication strength (MFA, password hashing) - Security documentation - CI/CD security controls --- ## Workflows ### Workflow 1: Security Audit Complete security assessment of a codebase. ```bash # Step 1: Scan for code vulnerabilities python scripts/security_scanner.py . --severity medium # STOP if exit code 2 — resolve critical findings before continuing ``` ```bash # Step 2: Check dependency vulnerabilities python scripts/vulnerability_assessor.py . --severity high # STOP if exit code 2 — patch critical CVEs before continuing ``` ```bash # Step 3: Verify compliance controls python scripts/compliance_checker.py . --framework all # STOP if exit code 2 — address critical gaps before proceeding ``` ```bash # Step 4: Generate combined reports python scripts/security_scanner.py . --json --output security.json python scripts/vulnerability_assessor.py . --json --output vulns.json python scripts/compliance_checker.py . --json --output compliance.json ``` ### Workflow 2: CI/CD Security Gate Integrate security checks into deployment pipeline. ```yaml # .github/workflows/security.yml name: "security-scan" on: pull_request: branches: [main, develop] jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: "set-up-python" uses: actions/setup-python@v5 with: python-version: '3.11' - name: "security-scanner" run: python scripts/security_scanner.py . --severity high - name: "vulnerability-assessment" run: python scripts/vulnerability_assessor.py . --severity critical - name: "compliance-check" run: python scripts/compliance_checker.py . --framework soc2 ``` Each step fails the pipeline on its respective exit code — no deployment proceeds past a critical finding. ### Workflow 3: CVE Triage Respond to a new CVE affecting your application. ``` 1. ASSESS (0-2 hours) - Identify affected systems using vulnerability_assessor.py - Check if CVE is being actively exploited - Determine CVSS environmental score for your context - STOP if CVSS 9.0+ on internet-facing system — escalate immediately 2. PRIORITIZE - Critical (CVSS 9.0+, internet-facing): 24 hours - High (CVSS 7.0-8.9): 7 days - Medium (CVSS 4.0-6.9): 30 days - Low (CVSS < 4.0): 90 days 3. REMEDIATE - Update affected dependency to fixed version - Run security_scanner.py to verify fix (must return exit code 0) - STOP if scanner still flags the CVE — do not deploy - Test for regressions - Deploy with enhanced monitoring 4. VERIFY - Re-run vulnerability_assessor.py - Confirm CVE no longer reported - Document remediation actions ``` ### Workflow 4: Incident Response Security incident handling procedure. ``` PHASE 1: DETECT & IDENTIFY (0-15 min) - Alert received and acknowledged - Initial severity assessment (SEV-1 to SEV-4) - Incident commander assigned - Communication channel established PHASE 2: CONTAIN (15-60 min) - Affected systems identified - Network isolation if needed - Credentials rotated if compromised - Preserve evidence (logs, memory dumps) PHASE 3: ERADICATE (1-4 hours) - Root cause identified - Malware/backdoors removed - Vulnerabilities patched (run security_scanner.py; must return exit code 0) - Systems hardened PHASE 4: RECOVER (4-24 hours) - Systems restored from clean backup - Services brought back online - Enhanced monitoring enabled - User access restored PHASE 5: POST-INCIDENT (24-72 hours) - Incident timeline documented - Root cause analysis complete - Lessons learned documented - Preventive measures implemented - Stakeholder report delivered ``` --- ## Tool Reference ### security_scanner.py | Option | Description | |--------|-------------| | `target` | Directory or file to scan | | `--severity, -s` | Minimum severity: critical, high, medium, low | | `--verbose, -v` | Show files as they're scanned | | `--json` | Output results as JSON | | `--output, -o` | Write results to file | **Exit Codes:** `0` = no critical/high findings · `1` = high severity findings · `2` = critical severity findings ### vulnerability_assessor.py | Option | Description | |--------|-------------| | `target` | Directory containing dependency files | | `--severity, -s` | Minimum severity: critical, high, medium, low | | `--verbose, -v` | Show files as they're scanned | | `--json` | Output results as JSON | | `--output, -o` | Write results to file | **Exit Codes:** `0` = no critical/high vulnerabilities · `1` = high severity vulnerabilities · `2` = critical severity vulnerabilities ### compliance_checker.py | Option | Description | |--------|-------------| | `target` | Directory to check | | `--framework, -f` | Framework: soc2, pci-dss, hipaa, gdpr, all | | `--verbose, -v` | Show checks as they run | | `--json` | Output results as JSON | | `--output, -o` | Write results to file | **Exit Codes:** `0` = compliant (90%+ score) · `1` = non-compliant (50-69% score) · `2` = critical gaps (<50% score) --- ## Security Standards See `references/security_standards.md` for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls. ### Secure Coding Checklist ```markdown ## Input Validation - [ ] Validate all input on server side - [ ] Use allowlists over denylists - [ ] Sanitize for specific context (HTML, SQL, shell) ## Output Encoding - [ ] HTML encode for browser output - [ ] URL encode for URLs - [ ] JavaScript encode for script contexts ## Authentication - [ ] Use bcrypt/argon2 for passwords - [ ] Implement MFA for sensitive operations - [ ] Enforce strong password policy ## Session Management - [ ] Generate secure random session IDs - [ ] Set HttpOnly, Secure, SameSite flags - [ ] Implement session timeout (15 min idle) ## Error Handling - [ ] Log errors with context (no secrets) - [ ] Return generic messages to users - [ ] Never expose stack traces in production ## Secrets Management - [ ] Use environment variables or secrets manager - [ ] Never commit secrets to version control - [ ] Rotate credentials regularly ``` --- ## Compliance Frameworks See `references/compliance_requirements.md` for full control mappings. Run `compliance_checker.py` to verify the controls below: ### SOC 2 Type II - **CC6** Logical Access: authentication, authorization, MFA - **CC7** System Operations: monitoring, logging, incident response - **CC8** Change Management: CI/CD, code review, deployment controls ### PCI-DSS v4.0 - **Req 3/4**: Encryption at rest and in transit (TLS 1.2+) - **Req 6**: Secure development (input validation, secure coding) - **Req 8**: Strong authentication (MFA, password policy) - **Req 10/11**: Audit logging, SAST/DAST/penetration testing ### HIPAA Security Rule - Unique user IDs and audit trails for PHI access (164.312(a)(1), 164.312(b)) - MFA for person/entity authentication (164.312(d)) - Transmission encryption via TLS (164.312(e)(1)) ### GDPR - **Art 25/32**: Privacy by design, encryption, pseudonymization - **Art 33**: Breach notification within 72 hours - **Art 17/20**: Right to erasure and data portability --- ## Best Practices ### Secrets Management ```python # BAD: Hardcoded secret API_KEY = "sk-1234567890abcdef" # GOOD: Environment variable import os API_KEY = os.environ.get("API_KEY") # BETTER: Secrets manager from your_vault_client import get_secret API_KEY = get_secret("api/key") ``` ### SQL Injection Prevention ```python # BAD: String concatenation query = f"SELECT * FROM users WHERE id = {user_id}" # GOOD: Parameterized query cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,)) ``` ### XSS Prevention ```javascript // BAD: Direct innerHTML assignment is vulnerable // GOOD: Use textContent (auto-escaped) element.textContent = userInput; // GOOD: Use sanitization library for HTML import DOMPurify from 'dompurify'; const safeHTML = DOMPurify.sanitize(userInput); ``` ### Authentication ```javascript // Password hashing const bcrypt = require('bcrypt'); const SALT_ROUNDS = 12; // Hash password const hash = await bcrypt.hash(password, SALT_ROUNDS); // Verify password const match = await bcrypt.compare(password, hash); ``` ### Security Headers ```javascript // Express.js security headers const helmet = require('helmet'); app.use(helmet()); // Or manually set headers: app.use((req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); res.setHeader('Content-Security-Policy', "default-src 'self'"); next(); }); ``` --- ## OWASP Top 10 Quick-Check Rapid 15-minute assessment — run through each category and note pass/fail. For deep-dive testing, hand off to the **security-pen-testing** skill. | # | Category | One-Line Check | |---|----------|----------------| | A01 | Broken Access Control | Verify role checks on every endpoint; test horizontal privilege escalation | | A02 | Cryptographic Failures | Confirm TLS 1.2+ everywhere; no secrets in logs or source | | A03 | Injection | Run parameterized query audit; check ORM raw-query usage | | A04 | Insecure Design | Review threat model exists for critical flows | | A05 | Security Misconfiguration | Check default credentials removed; error pages generic | | A06 | Vulnerable Components | Run `vulnerability_assessor.py`; zero critical/high CVEs | | A07 | Auth Failures | Verify MFA on admin; brute-force protection active | | A08 | Software & Data Integrity | Confirm CI/CD pipeline signs artifacts; no unsigned deps | | A09 | Logging & Monitoring | Validate audit logs capture auth events; alerts configured | | A10 | SSRF | Test internal URL filters; block metadata endpoints (169.254.169.254) | > **Deep dive needed?** Hand off to `security-pen-testing` for full OWASP Testing Guide coverage. --- ## Secret Scanning Tools Choose the right scanner for each stage of your workflow: | Tool | Best For | Language | Pre-commit | CI/CD | Custom Rules | |------|----------|----------|:----------:|:-----:|:------------:| | **gitleaks** | CI pipelines, full-repo scans | Go | Yes | Yes | TOML regexes | | **detect-secrets** | Pre-commit hooks, incremental | Python | Yes | Partial | Plugin-based | | **truffleHog** | Deep history scans, entropy | Go | No | Yes | Regex + entropy | **Recommended setup:** Use `detect-secrets` as a pre-commit hook (catches secrets before they enter history) and `gitleaks` in CI (catches anything that slips through). ```bash # detect-secrets pre-commit hook (.pre-commit-config.yaml) - repo: https://github.com/Yelp/detect-secrets rev: v1.4.0 hooks: - id: detect-secrets args: ['--baseline', '.secrets.baseline'] # gitleaks in GitHub Actions - name: gitleaks uses: gitleaks/gitleaks-action@v2 env: GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} ``` --- ## Supply Chain Security Protect against dependency and artifact tampering with SBOM generation, artifact signing, and SLSA compliance. **SBOM Generation:** - **syft** — generates SBOMs from container images or source dirs (SPDX, CycloneDX formats) - **cyclonedx-cli** — CycloneDX-native tooling; merge multiple SBOMs for mono-repos ```bash # Generate SBOM from container image syft packages ghcr.io/org/app:latest -o cyclonedx-json > sbom.json ``` **Artifact Signing (Sigstore/cosign):** ```bash # Sign a container image (keyless via OIDC) cosign sign ghcr.io/org/app:latest # Verify signature cosign verify ghcr.io/org/app:latest [email protected] --certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` **SLSA Levels Overview:** | Level | Requirement | What It Proves | |-------|-------------|----------------| | 1 | Build process documented | Provenance exists | | 2 | Hosted build service, signed provenance | Tamper-resistant provenance | | 3 | Hardened build platform, non-falsifiable provenance | Tamper-proof build | | 4 | Two-party review, hermetic builds | Maximum supply-chain assurance | > **Cross-references:** `security-pen-testing` (vulnerability exploitation testing), `dependency-auditor` (license and CVE audit for dependencies). --- ## Reference Documentation | Document | Description | |----------|-------------| | `references/security_standards.md` | OWASP Top 10, secure coding, authentication, API security | | `references/vulnerability_management_guide.md` | CVE triage, CVSS scoring, remediation workflows | | `references/compliance_requirements.md` | SOC 2, PCI-DSS, HIPAA, GDPR full control mappings |