Comprehensive Senior Security

A deep skill for senior security engineers covering threat modeling, secure architecture design, cryptographic implementations, zero-trust networking, and security program management for software organizations.

When to Use This Skill

Choose this skill when:

• Conducting threat modeling sessions for new features or systems
• Designing secure architecture with defense-in-depth principles
• Implementing cryptographic protocols and key management
• Building zero-trust network architectures
• Establishing a security program with policies and training

Consider alternatives when:

• Need operational security monitoring → use a SecOps skill
• Writing secure application code → use a security compliance skill
• Setting up authentication flows → use an auth/identity skill
• Running penetration tests → use a security testing skill

Quick Start

Copy
# Threat Model Template (STRIDE)

## System: Payment Processing Service

### Assets
- Customer payment card data (PCI DSS scope)
- Authentication tokens
- Transaction logs

### Trust Boundaries
1. Internet → Load Balancer (TLS termination)
2. Load Balancer → Application (internal network)
3. Application → Database (encrypted connection)
4. Application → Payment Gateway (mTLS)

### Threats (STRIDE Analysis)
| Threat | Category | Risk | Mitigation |
|--------|----------|------|------------|
| Stolen session tokens | Spoofing | High | Short-lived JWTs, token binding |
| Modified transaction amounts | Tampering | Critical | Server-side validation, HMAC signatures |
| Denied payment processing | Repudiation | Medium | Immutable audit log, digital signatures |
| Leaked card numbers | Info Disclosure | Critical | Tokenization, encryption at rest |
| Service overwhelm | DoS | High | Rate limiting, WAF, auto-scaling |
| Bypassed authorization | Elevation | Critical | RBAC, principle of least privilege |

Core Concepts

Security Architecture Layers

Layer	Controls	Technologies
Network	Segmentation, firewalls, mTLS	VPC, security groups, service mesh
Identity	AuthN, AuthZ, MFA	OAuth 2.0, SAML, FIDO2
Application	Input validation, output encoding	WAF, CSP, CORS
Data	Encryption, tokenization, masking	AES-256-GCM, KMS, HSM
Monitoring	Detection, alerting, forensics	SIEM, IDS/IPS, audit logs
Governance	Policies, training, compliance	SOC 2, ISO 27001, GDPR

Zero-Trust Architecture Pattern

Copy
// Zero-trust request validation middleware
async function zeroTrustMiddleware(req: Request, res: Response, next: NextFunction) {
  // 1. Verify identity (not just network location)
  const token = req.headers.authorization?.replace('Bearer ', '');
  if (!token) return res.status(401).json({ error: 'No credentials' });

  const identity = await verifyToken(token);
  if (!identity) return res.status(401).json({ error: 'Invalid token' });

  // 2. Check device posture
  const deviceId = req.headers['x-device-id'];
  const deviceTrust = await checkDevicePosture(deviceId);
  if (deviceTrust.score < 0.7) {
    return res.status(403).json({ error: 'Device trust insufficient' });
  }

  // 3. Enforce least privilege (ABAC)
  const allowed = await policyEngine.evaluate({
    subject: identity,
    action: req.method,
    resource: req.path,
    context: {
      ip: req.ip,
      time: new Date(),
      deviceTrust: deviceTrust.score,
    },
  });
  if (!allowed) return res.status(403).json({ error: 'Access denied' });

  // 4. Log access decision
  auditLog.record({
    subject: identity.id,
    action: req.method,
    resource: req.path,
    decision: 'allow',
    context: { ip: req.ip, device: deviceId },
  });

  req.identity = identity;
  next();
}

Key Management Pattern

Copy
// Envelope encryption with key rotation
class KeyManager {
  private kms: KMSClient;

  async encrypt(plaintext: Buffer): Promise<EncryptedPayload> {
    // Generate data encryption key (DEK)
    const { Plaintext: dekPlain, CiphertextBlob: dekEncrypted } =
      await this.kms.generateDataKey({
        KeyId: process.env.KMS_MASTER_KEY_ID,
        KeySpec: 'AES_256',
      });

    // Encrypt data with DEK
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', dekPlain!, iv);
    const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
    const authTag = cipher.getAuthTag();

    // Zero out plaintext DEK from memory
    dekPlain!.fill(0);

    return {
      ciphertext: encrypted,
      iv,
      authTag,
      encryptedDEK: dekEncrypted!,
      algorithm: 'AES-256-GCM',
    };
  }

  async decrypt(payload: EncryptedPayload): Promise<Buffer> {
    const { Plaintext: dekPlain } = await this.kms.decrypt({
      CiphertextBlob: payload.encryptedDEK,
    });

    const decipher = crypto.createDecipheriv('aes-256-gcm', dekPlain!, payload.iv);
    decipher.setAuthTag(payload.authTag);
    const decrypted = Buffer.concat([decipher.update(payload.ciphertext), decipher.final()]);

    dekPlain!.fill(0);
    return decrypted;
  }
}

Configuration

Parameter	Type	Default	Description
threatModelFramework	string	'STRIDE'	Framework: STRIDE, PASTA, or LINDDUN
encryptionAlgorithm	string	'AES-256-GCM'	Symmetric encryption algorithm
keyRotationDays	number	90	Master key rotation period
mfaRequired	boolean	true	Require MFA for all users
zeroTrustLevel	string	'device+identity'	Trust verification: identity, device+identity
complianceFrameworks	string[]	['SOC2']	Active compliance frameworks

Best Practices

1. Threat model during design, not after implementation — Security issues found in design cost 10x less to fix than those found in production. Use STRIDE analysis for every new feature, focusing on trust boundaries and data flows.

2. Implement envelope encryption with managed key services — Never store encryption keys alongside encrypted data. Use KMS/HSM for master keys, generate data encryption keys per record, and rotate master keys on a schedule.

3. Apply zero-trust principles: verify everything, trust nothing — Network location is not identity. Authenticate every request, authorize every action, encrypt all data in transit, and log all access decisions. Internal services need the same rigor as external-facing ones.

4. Maintain a threat intelligence feedback loop — Subscribe to CVE feeds, monitor dark web mentions of your organization, and update detection rules based on emerging attack patterns. Security is a continuous process, not a one-time setup.

5. Build security champions in every development team — Dedicated security teams can't review every line of code. Train 1-2 developers per team as security champions who review security-sensitive changes and propagate security awareness.

Common Issues

Encryption key rotation breaks existing data — Implement key versioning: tag encrypted data with the key version used. During rotation, new data uses the new key while old data remains readable with the old key. Migrate old data in the background.

Threat models become stale as systems evolve — Tie threat model reviews to architectural changes. Any PR that adds a new external integration, data store, or API endpoint should trigger a threat model update.

Zero-trust implementation breaks developer experience — Overly strict access controls slow development. Implement tiered trust levels: high-trust for production (full verification), medium for staging (identity only), developer-friendly for local (relaxed policies).