What is the difference between RBAC and ABAC?

RBAC grants access based on user roles, while ABAC uses attributes (department, time, resource class) to make dynamic decisions.

What is Policy as Code and why use it?

Policy as Code externalizes access rules (e.g., OPA/Rego) for versioning, testing, auditability, and separation of concerns.

Where do I start with Zero Trust?

Begin with identity-based access, device health checks, continuous verification, encrypted communications, and comprehensive logging.

security-engineering

Scanned

npx machina-cli add skill aiskillstore/marketplace/security-engineering --openclaw

Files (1)

SKILL.md

5.5 KB

Security Engineering

Comprehensive security engineering skill covering application security, infrastructure security, compliance, and incident response.

When to Use This Skill

Designing security architecture
Implementing authentication and authorization
Conducting threat modeling
Security code review
Implementing compliance controls (SOC2, HIPAA, PCI-DSS)
Incident response planning
Security monitoring and alerting

Security Architecture

Defense in Depth

Layer security controls at multiple levels:

Layer	Controls
Perimeter	Firewall, WAF, DDoS protection
Network	Segmentation, IDS/IPS, VPN
Host	Hardening, EDR, patch management
Application	Input validation, secure coding, SAST/DAST
Data	Encryption, access control, DLP
Identity	MFA, SSO, privileged access management

Zero Trust Architecture

Core Principles:

Never trust, always verify
Assume breach mentality
Least privilege access
Micro-segmentation
Continuous verification

Implementation:

Identity-based access (not network-based)
Device health verification
Continuous authentication
Encrypted communications everywhere
Detailed logging and monitoring

Authentication Patterns

OAuth 2.0 / OIDC

Grant Types:

Grant	Use Case
Authorization Code + PKCE	Web/mobile apps
Client Credentials	Service-to-service
Device Code	CLI tools, IoT

Token Best Practices:

Short-lived access tokens (15 min - 1 hour)
Secure refresh token storage
Token rotation on use
Revocation capabilities

Session Management

Secure, HttpOnly, SameSite cookies
Session timeout (idle and absolute)
Session invalidation on logout
Concurrent session limits
Session binding to device/IP

Multi-Factor Authentication

TOTP (authenticator apps)
WebAuthn/FIDO2 (hardware keys)
Push notifications
SMS (last resort, vulnerable to SIM swap)

Authorization Patterns

RBAC (Role-Based Access Control)

Users → Roles → Permissions

Best for: Well-defined organizational hierarchies

ABAC (Attribute-Based Access Control)

If user.department == "engineering" AND
   resource.classification == "internal" AND
   time.hour BETWEEN 9 AND 17
THEN allow

Best for: Complex, dynamic access requirements

Policy as Code

Use OPA/Rego or Cedar for externalized policy:

Version controlled policies
Testable access rules
Audit trail
Separation of concerns

Secure Development

OWASP Top 10 Mitigations

Risk	Mitigation
Injection	Parameterized queries, input validation
Broken Auth	Strong password policy, MFA, rate limiting
Sensitive Data	Encryption, minimal data collection
XXE	Disable external entities
Broken Access	Authorization checks, default deny
Misconfig	Secure defaults, hardening guides
XSS	Output encoding, CSP
Deserialization	Integrity checks, avoid untrusted data
Components	Dependency scanning, updates
Logging	Centralized logging, alerting

Security Testing

SAST (Static Analysis):

Run on every commit
Block high-severity findings
Tools: Semgrep, CodeQL, SonarQube

DAST (Dynamic Analysis):

Run against staging/dev
Tools: OWASP ZAP, Burp Suite

Dependency Scanning:

Check for known vulnerabilities
Tools: Snyk, Dependabot, npm audit

Secrets Management

Never:

Commit secrets to git
Log secrets
Pass secrets in URLs
Hardcode secrets

Do:

Use secret managers (Vault, AWS Secrets Manager)
Rotate secrets regularly
Audit secret access
Use short-lived credentials

Compliance Frameworks

Common Requirements

Framework	Focus Area
SOC 2	Trust services (security, availability, etc.)
HIPAA	Healthcare data protection
PCI-DSS	Payment card data
GDPR	EU personal data protection
ISO 27001	Information security management

Key Controls

Access control and authentication
Encryption (at rest and in transit)
Logging and monitoring
Incident response procedures
Business continuity planning
Vendor management
Employee security training

Incident Response

Response Phases

Preparation: Runbooks, tools, training
Detection: Monitoring, alerting, triage
Containment: Isolate, preserve evidence
Eradication: Remove threat, patch vulnerabilities
Recovery: Restore services, verify clean
Lessons Learned: Post-mortem, improvements

Severity Levels

Level	Description	Response Time
P1	Active breach, data exfiltration	Immediate
P2	Vulnerability being exploited	< 4 hours
P3	High-risk vulnerability discovered	< 24 hours
P4	Security improvement needed	Next sprint

Reference Files

references/threat_modeling.md - STRIDE methodology and examples
references/compliance_controls.md - Framework-specific control mappings

Integration with Other Skills

cloud-infrastructure - For cloud security
debugging - For security incident investigation
testing - For security testing patterns

Source

git clone https://github.com/aiskillstore/marketplace/blob/main/skills/89jobrien/security-engineering/SKILL.mdView on GitHub

Overview

Security Engineering covers application and infrastructure security, compliance, and incident response. It guides designing security architecture, implementing authentication/authorization, threat modeling, and monitoring controls to protect data and operations.

How This Skill Works

This skill combines defense-in-depth with Zero Trust, OAuth2/OIDC, RBAC/ABAC and Policy as Code to enforce access and data protection. It also prescribes secure development practices, regular security testing (SAST/DAST), and secrets management to reduce risk.

When to Use It

Designing security architecture and controls across perimeter, network, host, app, and data layers
Implementing authentication and authorization (OAuth2.0/OIDC, MFA, SSO)
Conducting threat modeling to identify and mitigate risks
Implementing compliance controls (SOC 2, HIPAA, PCI-DSS) and audit readiness
Setting up security monitoring, alerting, and incident response planning

Quick Start

Step 1: Map data flows and trust boundaries to identify where controls are needed
Step 2: Implement authentication/authorization patterns (OAuth2/OIDC, MFA) and RBAC/ABAC
Step 3: Set up CI/CD security checks (SAST/DAST), secret management, and incident response runbooks

Best Practices

Apply defense-in-depth across all layers (perimeter, network, host, application, data)
Adopt Zero Trust with identity-based access, continuous verification, and detailed logging
Use RBAC or ABAC complemented by Policy as Code (OPA/Rego) for scalable access control
Follow OWASP Top 10 mitigations and integrate SAST/DAST in CI/CD
Manage secrets with dedicated secret managers and avoid hardcoding or leaking credentials

Example Use Cases

Architecting a web app with MFA, SSO, and encrypted data at rest
Implementing OAuth 2.0 / OIDC for microservices and service-to-service communication
Running threat modeling sessions during design to surface attack surfaces
Enforcing PCI-DSS compliance through access controls, logging, and encryption
Establishing a security incident response plan with monitoring and playbooks

Frequently Asked Questions

Add this skill to your agents