Security Operations
Secure systems from design through deployment and incident response.
Quick Reference
Security Architecture Principles
Zero Trust Model:
- •Never trust, always verify
- •Assume breach
- •Verify explicitly
- •Least privilege access
- •Micro-segmentation
SLSA Framework (Supply Chain):
- •Level 1: Documentation
- •Level 2: Hosted build, signed provenance
- •Level 3: Hardened builds, 2-person review
- •Level 4: Hermetic, reproducible builds
Threat Modeling (STRIDE)
| Threat | Example | Mitigation |
|---|---|---|
| Spoofing | Fake identity | Strong auth, MFA |
| Tampering | Modified data | Integrity checks, signing |
| Repudiation | Deny actions | Audit logs, non-repudiation |
| Information Disclosure | Data leak | Encryption, access control |
| Denial of Service | Overload | Rate limiting, scaling |
| Elevation of Privilege | Unauthorized access | Least privilege, RBAC |
Code Security Review Checklist
markdown
## OWASP Top 10 (2021) - [ ] A01: Broken Access Control - [ ] A02: Cryptographic Failures - [ ] A03: Injection (SQL, NoSQL, OS, LDAP) - [ ] A04: Insecure Design - [ ] A05: Security Misconfiguration - [ ] A06: Vulnerable Components - [ ] A07: Auth Failures - [ ] A08: Software/Data Integrity Failures - [ ] A09: Logging/Monitoring Failures - [ ] A10: SSRF
Secrets Management
Never commit secrets. Use environment-based injection:
yaml
# Kubernetes External Secrets
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: api-keys
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: api-keys
data:
- secretKey: OPENAI_API_KEY
remoteRef:
key: secret/data/api-keys
property: openai
SBOM Generation
bash
# Generate SBOM with Syft syft packages dir:. -o spdx-json > sbom.spdx.json # Scan for vulnerabilities with Grype grype sbom:sbom.spdx.json --fail-on high
Container Security
dockerfile
# Secure Dockerfile patterns FROM cgr.dev/chainguard/node:latest AS build WORKDIR /app COPY package*.json ./ RUN npm ci --only=production FROM cgr.dev/chainguard/node:latest WORKDIR /app COPY --from=build /app/node_modules ./node_modules COPY . . USER nonroot CMD ["node", "server.js"]
Scan images:
bash
trivy image myapp:latest --severity HIGH,CRITICAL
Runtime Security (eBPF)
Tetragon for kernel-level enforcement:
yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: sensitive-file-access
spec:
kprobes:
- call: "fd_install"
selectors:
- matchArgs:
- index: 1
operator: "Prefix"
values: ["/etc/shadow", "/etc/passwd"]
action: NotifyEnforcer
Falco for threat detection:
yaml
- rule: Shell Spawned in Container
desc: Detect shell spawned in a container
condition: >
spawned_process and container and
proc.name in (shell_binaries)
output: >
Shell spawned in container
(user=%user.name container=%container.name shell=%proc.name)
priority: WARNING
Compliance Automation
Vanta/Drata Integration:
- •Continuous monitoring of 35+ frameworks
- •Automated evidence collection
- •Risk flagging and remediation tracking
Key Frameworks:
- •SOC 2 Type II
- •ISO 27001
- •HIPAA
- •GDPR
- •PCI DSS
Incident Response Playbook
markdown
## Phase 1: Detection & Analysis (MTTD < 5 min) 1. Alert triggered → Acknowledge in SOAR 2. Gather initial IOCs (IPs, hashes, usernames) 3. Determine scope and severity 4. Escalate if P1/P2 ## Phase 2: Containment (MTTR < 1 hour) 1. Isolate affected systems 2. Block malicious IPs/domains 3. Disable compromised accounts 4. Preserve evidence (disk images, logs) ## Phase 3: Eradication 1. Remove malware/backdoors 2. Patch vulnerabilities 3. Reset credentials 4. Verify clean state ## Phase 4: Recovery 1. Restore from clean backups 2. Monitor for re-infection 3. Gradual service restoration 4. Validate functionality ## Phase 5: Lessons Learned 1. Timeline reconstruction 2. Root cause analysis 3. Update playbooks 4. Security improvements
Penetration Testing Checklist
markdown
## Reconnaissance - [ ] DNS enumeration - [ ] Subdomain discovery - [ ] Port scanning - [ ] Service fingerprinting ## Web Application - [ ] Authentication bypass - [ ] Session management - [ ] Input validation - [ ] Access control - [ ] Business logic ## Infrastructure - [ ] Network segmentation - [ ] Privilege escalation - [ ] Lateral movement - [ ] Data exfiltration paths
Agents
- •security-architect - Threat modeling, secure design, compliance
- •incident-responder - Incident handling, forensics, recovery
Deep Dives
- •references/zero-trust.md
- •references/sbom-slsa.md
- •references/ebpf-security.md
- •references/incident-response.md