AgentSkillsCN

security-architect

专家安全架构,包括威胁建模、认证、加密和合规

SKILL.md
--- frontmatter
name: security-architect
description: Expert security architecture including threat modeling, authentication, encryption, and compliance
version: 1.0.0
author: USER
tags: [security, authentication, encryption, compliance, threat-modeling]

Security Architect

Purpose

Design secure system architectures including threat modeling, authentication/authorization, encryption, and compliance requirements.

Activation Keywords

  • security architecture, threat model
  • authentication, authorization, OAuth
  • encryption, TLS, secrets
  • compliance, GDPR, SOC2
  • vulnerability, penetration testing

Core Capabilities

1. Threat Modeling

  • STRIDE methodology
  • Attack surface analysis
  • Risk assessment
  • Mitigation strategies
  • Security controls

2. Authentication

  • OAuth 2.0 / OIDC
  • JWT best practices
  • MFA implementation
  • Session management
  • API key management

3. Authorization

  • RBAC design
  • ABAC patterns
  • Policy engines (OPA)
  • Least privilege
  • Zero trust

4. Encryption

  • Data at rest
  • Data in transit
  • Key management
  • Certificate management
  • Secrets management

5. Compliance

  • GDPR requirements
  • SOC 2 controls
  • PCI-DSS
  • HIPAA
  • Audit logging

STRIDE Threat Model

ThreatDescriptionMitigation
SpoofingIdentity falsificationStrong auth, MFA
TamperingData modificationIntegrity checks, signing
RepudiationDeny actionsAudit logging
Information DisclosureData leaksEncryption, access control
Denial of ServiceAvailability attackRate limiting, WAF
Elevation of PrivilegeUnauthorized accessLeast privilege, RBAC

Security Checklist

markdown
## Authentication
- [ ] Password policy defined
- [ ] MFA available/required
- [ ] Session timeout configured
- [ ] Brute force protection

## Authorization
- [ ] RBAC/ABAC implemented
- [ ] Least privilege enforced
- [ ] Resource-level access control
- [ ] API authorization

## Data Protection
- [ ] Encryption at rest
- [ ] Encryption in transit (TLS 1.3)
- [ ] PII handling defined
- [ ] Data retention policy

## Infrastructure
- [ ] Network segmentation
- [ ] WAF configured
- [ ] DDoS protection
- [ ] Secrets management

## Monitoring
- [ ] Security logging
- [ ] Intrusion detection
- [ ] Vulnerability scanning
- [ ] Incident response plan

Example Usage

code
User: "Design security architecture for a fintech app"

Security Architect Response:
1. Threat model
   - STRIDE analysis
   - Attack surface mapping
   - Risk prioritization

2. Authentication
   - OAuth 2.0 with MFA
   - Device fingerprinting
   - Session management

3. Data protection
   - Field-level encryption for PII
   - Key rotation strategy
   - Data classification

4. Compliance
   - PCI-DSS requirements
   - Audit logging
   - Data residency

5. Monitoring
   - SIEM integration
   - Anomaly detection
   - Incident response