Senior SecOps Engineer
Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.
Table of Contents
- •Trigger Terms
- •Core Capabilities
- •Workflows
- •Tool Reference
- •Security Standards
- •Compliance Frameworks
- •Best Practices
Trigger Terms
Use this skill when you encounter:
| Category | Terms |
|---|---|
| Vulnerability Management | CVE, CVSS, vulnerability scan, security patch, dependency audit, npm audit, pip-audit |
| OWASP Top 10 | injection, XSS, CSRF, broken authentication, security misconfiguration, sensitive data exposure |
| Compliance | SOC 2, PCI-DSS, HIPAA, GDPR, compliance audit, security controls, access control |
| Secure Coding | input validation, output encoding, parameterized queries, prepared statements, sanitization |
| Secrets Management | API key, secrets vault, environment variables, HashiCorp Vault, AWS Secrets Manager |
| Authentication | JWT, OAuth, MFA, 2FA, TOTP, password hashing, bcrypt, argon2, session management |
| Security Testing | SAST, DAST, penetration test, security scan, Snyk, Semgrep, CodeQL, Trivy |
| Incident Response | security incident, breach notification, incident response, forensics, containment |
| Network Security | TLS, HTTPS, HSTS, CSP, CORS, security headers, firewall rules, WAF |
| Infrastructure Security | container security, Kubernetes security, IAM, least privilege, zero trust |
| Cryptography | encryption at rest, encryption in transit, AES-256, RSA, key management, KMS |
| Monitoring | security monitoring, SIEM, audit logging, intrusion detection, anomaly detection |
Core Capabilities
1. Security Scanner
Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.
# Scan project for security issues python scripts/security_scanner.py /path/to/project # Filter by severity python scripts/security_scanner.py /path/to/project --severity high # JSON output for CI/CD python scripts/security_scanner.py /path/to/project --json --output report.json
Detects:
- •Hardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys)
- •SQL injection patterns (string concatenation, f-strings, template literals)
- •XSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns)
- •Command injection (shell=True, exec, eval with user input)
- •Path traversal (file operations with user input)
2. Vulnerability Assessor
Scan dependencies for known CVEs across npm, Python, and Go ecosystems.
# Assess project dependencies python scripts/vulnerability_assessor.py /path/to/project # Critical/high only python scripts/vulnerability_assessor.py /path/to/project --severity high # Export vulnerability report python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json
Scans:
- •
package.jsonandpackage-lock.json(npm) - •
requirements.txtandpyproject.toml(Python) - •
go.mod(Go)
Output:
- •CVE IDs with CVSS scores
- •Affected package versions
- •Fixed versions for remediation
- •Overall risk score (0-100)
3. Compliance Checker
Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.
# Check all frameworks python scripts/compliance_checker.py /path/to/project # Specific framework python scripts/compliance_checker.py /path/to/project --framework soc2 python scripts/compliance_checker.py /path/to/project --framework pci-dss python scripts/compliance_checker.py /path/to/project --framework hipaa python scripts/compliance_checker.py /path/to/project --framework gdpr # Export compliance report python scripts/compliance_checker.py /path/to/project --json --output compliance.json
Verifies:
- •Access control implementation
- •Encryption at rest and in transit
- •Audit logging
- •Authentication strength (MFA, password hashing)
- •Security documentation
- •CI/CD security controls
Workflows
Workflow 1: Security Audit
Complete security assessment of a codebase.
# Step 1: Scan for code vulnerabilities python scripts/security_scanner.py . --severity medium # Step 2: Check dependency vulnerabilities python scripts/vulnerability_assessor.py . --severity high # Step 3: Verify compliance controls python scripts/compliance_checker.py . --framework all # Step 4: Generate combined report python scripts/security_scanner.py . --json --output security.json python scripts/vulnerability_assessor.py . --json --output vulns.json python scripts/compliance_checker.py . --json --output compliance.json
Workflow 2: CI/CD Security Gate
Integrate security checks into deployment pipeline.
# .github/workflows/security.yml
name: Security Scan
on:
pull_request:
branches: [main, develop]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Security Scanner
run: python scripts/security_scanner.py . --severity high
- name: Vulnerability Assessment
run: python scripts/vulnerability_assessor.py . --severity critical
- name: Compliance Check
run: python scripts/compliance_checker.py . --framework soc2
Workflow 3: CVE Triage
Respond to a new CVE affecting your application.
1. ASSESS (0-2 hours) - Identify affected systems using vulnerability_assessor.py - Check if CVE is being actively exploited - Determine CVSS environmental score for your context 2. PRIORITIZE - Critical (CVSS 9.0+, internet-facing): 24 hours - High (CVSS 7.0-8.9): 7 days - Medium (CVSS 4.0-6.9): 30 days - Low (CVSS < 4.0): 90 days 3. REMEDIATE - Update affected dependency to fixed version - Run security_scanner.py to verify fix - Test for regressions - Deploy with enhanced monitoring 4. VERIFY - Re-run vulnerability_assessor.py - Confirm CVE no longer reported - Document remediation actions
Workflow 4: Incident Response
Security incident handling procedure.
PHASE 1: DETECT & IDENTIFY (0-15 min) - Alert received and acknowledged - Initial severity assessment (SEV-1 to SEV-4) - Incident commander assigned - Communication channel established PHASE 2: CONTAIN (15-60 min) - Affected systems identified - Network isolation if needed - Credentials rotated if compromised - Preserve evidence (logs, memory dumps) PHASE 3: ERADICATE (1-4 hours) - Root cause identified - Malware/backdoors removed - Vulnerabilities patched (run security_scanner.py) - Systems hardened PHASE 4: RECOVER (4-24 hours) - Systems restored from clean backup - Services brought back online - Enhanced monitoring enabled - User access restored PHASE 5: POST-INCIDENT (24-72 hours) - Incident timeline documented - Root cause analysis complete - Lessons learned documented - Preventive measures implemented - Stakeholder report delivered
Tool Reference
security_scanner.py
| Option | Description |
|---|---|
target | Directory or file to scan |
--severity, -s | Minimum severity: critical, high, medium, low |
--verbose, -v | Show files as they're scanned |
--json | Output results as JSON |
--output, -o | Write results to file |
Exit Codes:
- •
0: No critical/high findings - •
1: High severity findings - •
2: Critical severity findings
vulnerability_assessor.py
| Option | Description |
|---|---|
target | Directory containing dependency files |
--severity, -s | Minimum severity: critical, high, medium, low |
--verbose, -v | Show files as they're scanned |
--json | Output results as JSON |
--output, -o | Write results to file |
Exit Codes:
- •
0: No critical/high vulnerabilities - •
1: High severity vulnerabilities - •
2: Critical severity vulnerabilities
compliance_checker.py
| Option | Description |
|---|---|
target | Directory to check |
--framework, -f | Framework: soc2, pci-dss, hipaa, gdpr, all |
--verbose, -v | Show checks as they run |
--json | Output results as JSON |
--output, -o | Write results to file |
Exit Codes:
- •
0: Compliant (90%+ score) - •
1: Non-compliant (50-69% score) - •
2: Critical gaps (<50% score)
Security Standards
OWASP Top 10 Prevention
| Vulnerability | Prevention |
|---|---|
| A01: Broken Access Control | Implement RBAC, deny by default, validate permissions server-side |
| A02: Cryptographic Failures | Use TLS 1.2+, AES-256 encryption, secure key management |
| A03: Injection | Parameterized queries, input validation, escape output |
| A04: Insecure Design | Threat modeling, secure design patterns, defense in depth |
| A05: Security Misconfiguration | Hardening guides, remove defaults, disable unused features |
| A06: Vulnerable Components | Dependency scanning, automated updates, SBOM |
| A07: Authentication Failures | MFA, rate limiting, secure password storage |
| A08: Data Integrity Failures | Code signing, integrity checks, secure CI/CD |
| A09: Security Logging Failures | Comprehensive audit logs, SIEM integration, alerting |
| A10: SSRF | URL validation, allowlist destinations, network segmentation |
Secure Coding Checklist
## Input Validation - [ ] Validate all input on server side - [ ] Use allowlists over denylists - [ ] Sanitize for specific context (HTML, SQL, shell) ## Output Encoding - [ ] HTML encode for browser output - [ ] URL encode for URLs - [ ] JavaScript encode for script contexts ## Authentication - [ ] Use bcrypt/argon2 for passwords - [ ] Implement MFA for sensitive operations - [ ] Enforce strong password policy ## Session Management - [ ] Generate secure random session IDs - [ ] Set HttpOnly, Secure, SameSite flags - [ ] Implement session timeout (15 min idle) ## Error Handling - [ ] Log errors with context (no secrets) - [ ] Return generic messages to users - [ ] Never expose stack traces in production ## Secrets Management - [ ] Use environment variables or secrets manager - [ ] Never commit secrets to version control - [ ] Rotate credentials regularly
Compliance Frameworks
SOC 2 Type II Controls
| Control | Category | Description |
|---|---|---|
| CC1 | Control Environment | Security policies, org structure |
| CC2 | Communication | Security awareness, documentation |
| CC3 | Risk Assessment | Vulnerability scanning, threat modeling |
| CC6 | Logical Access | Authentication, authorization, MFA |
| CC7 | System Operations | Monitoring, logging, incident response |
| CC8 | Change Management | CI/CD, code review, deployment controls |
PCI-DSS v4.0 Requirements
| Requirement | Description |
|---|---|
| Req 3 | Protect stored cardholder data (encryption at rest) |
| Req 4 | Encrypt transmission (TLS 1.2+) |
| Req 6 | Secure development (input validation, secure coding) |
| Req 8 | Strong authentication (MFA, password policy) |
| Req 10 | Audit logging (all access to cardholder data) |
| Req 11 | Security testing (SAST, DAST, penetration testing) |
HIPAA Security Rule
| Safeguard | Requirement |
|---|---|
| 164.312(a)(1) | Unique user identification for PHI access |
| 164.312(b) | Audit trails for PHI access |
| 164.312(c)(1) | Data integrity controls |
| 164.312(d) | Person/entity authentication (MFA) |
| 164.312(e)(1) | Transmission encryption (TLS) |
GDPR Requirements
| Article | Requirement |
|---|---|
| Art 25 | Privacy by design, data minimization |
| Art 32 | Security measures, encryption, pseudonymization |
| Art 33 | Breach notification (72 hours) |
| Art 17 | Right to erasure (data deletion) |
| Art 20 | Data portability (export capability) |
Best Practices
Secrets Management
# BAD: Hardcoded secret
API_KEY = "sk-1234567890abcdef"
# GOOD: Environment variable
import os
API_KEY = os.environ.get("API_KEY")
# BETTER: Secrets manager
from your_vault_client import get_secret
API_KEY = get_secret("api/key")
SQL Injection Prevention
# BAD: String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"
# GOOD: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
XSS Prevention
// BAD: Direct innerHTML assignment is vulnerable // GOOD: Use textContent (auto-escaped) element.textContent = userInput; // GOOD: Use sanitization library for HTML import DOMPurify from 'dompurify'; const safeHTML = DOMPurify.sanitize(userInput);
Authentication
// Password hashing
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12;
// Hash password
const hash = await bcrypt.hash(password, SALT_ROUNDS);
// Verify password
const match = await bcrypt.compare(password, hash);
Security Headers
// Express.js security headers
const helmet = require('helmet');
app.use(helmet());
// Or manually set headers:
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('Content-Security-Policy', "default-src 'self'");
next();
});
Reference Documentation
| Document | Description |
|---|---|
references/security_standards.md | OWASP Top 10, secure coding, authentication, API security |
references/vulnerability_management_guide.md | CVE triage, CVSS scoring, remediation workflows |
references/compliance_requirements.md | SOC 2, PCI-DSS, HIPAA, GDPR requirements |
Tech Stack
Security Scanning:
- •Snyk (dependency scanning)
- •Semgrep (SAST)
- •CodeQL (code analysis)
- •Trivy (container scanning)
- •OWASP ZAP (DAST)
Secrets Management:
- •HashiCorp Vault
- •AWS Secrets Manager
- •Azure Key Vault
- •1Password Secrets Automation
Authentication:
- •bcrypt, argon2 (password hashing)
- •jsonwebtoken (JWT)
- •passport.js (authentication middleware)
- •speakeasy (TOTP/MFA)
Logging & Monitoring:
- •Winston, Pino (Node.js logging)
- •Datadog, Splunk (SIEM)
- •PagerDuty (alerting)
Compliance:
- •Vanta (SOC 2 automation)
- •Drata (compliance management)
- •AWS Config (configuration compliance)