Senior Security

Complete toolkit for senior security engineers with comprehensive security architecture, penetration testing, and threat modeling frameworks.

Overview

The Senior Security skill provides enterprise-grade security engineering frameworks, penetration testing methodologies, and threat modeling tools for building secure applications and infrastructure. This skill covers application security, API security, cryptography implementation, secure architecture patterns, and security auditing used by leading security teams.

Designed for senior security engineers and application security specialists, this skill includes proven patterns for OWASP Top 10 mitigation, threat modeling (STRIDE, PASTA), penetration testing automation, and secure coding practices. All content focuses on defense-in-depth security with practical implementation guidance.

Core Value: Build security-first applications that prevent 98%+ of common vulnerabilities while enabling rapid development and maintaining compliance with industry standards.

Quick Start

Main Capabilities

This skill provides three core capabilities through automated scripts:

Script 1: Threat Modeler

python scripts/threat_modeler.py [options]

Script 2: Security Auditor

python scripts/security_auditor.py [options]

Script 3: Pentest Automator

python scripts/pentest_automator.py [options]

Core Capabilities

1. Threat Modeler

Automated tool for threat modeler tasks.

Features:

• Automated scaffolding

• Best practices built-in

• Configurable templates

• Quality checks

Usage:

python scripts/threat_modeler.py <project-path> [options]

2. Security Auditor

Comprehensive analysis and optimization tool.

Features:

• Deep analysis

• Performance metrics

• Recommendations

• Automated fixes

Usage:

python scripts/security_auditor.py <target-path> [--verbose]

3. Pentest Automator

Advanced tooling for specialized tasks.

Features:

• Expert-level automation

• Custom configurations

• Integration ready

• Production-grade output

Usage:

python scripts/pentest_automator.py [arguments] [options]

Key Workflows

1. Conduct Threat Modeling

Time: 4-6 hours for comprehensive threat model

• Define System Scope - Identify boundaries, assets, and trust levels

• Create Architecture Diagram - Map data flows and components

• Run Threat Modeler - Execute threat_modeler.py to identify threats (STRIDE framework)

• Assess Risk - Evaluate likelihood and impact of each threat

• Define Mitigations - Design security controls for high-priority threats

Expected Output: Threat model with identified threats, risk scores, and mitigation strategies

2. Perform Security Audit

Time: 1-2 weeks

• Scope Security Audit - Define systems, applications, and infrastructure to audit

• Run Security Auditor - Execute security_auditor.py for automated checks

• Manual Review - Code review, configuration review, access control audit

• Document Findings - Create audit report with severity classifications

• Create Remediation Plan - Prioritize and schedule security improvements

Expected Output: Security audit report with findings, severity scores, and remediation roadmap

3. Execute Penetration Test

Time: 1-2 weeks

• Define Pentest Scope - Identify targets, testing boundaries, and rules of engagement

• Run Automated Scans - Execute pentest_automator.py for initial reconnaissance

• Manual Exploitation - Attempt to exploit identified vulnerabilities

• Document Exploits - Record successful attacks with proof-of-concept

• Provide Remediation Guidance - Recommend fixes for discovered vulnerabilities

Expected Output: Penetration test report with exploited vulnerabilities and remediation recommendations

Python Tools

threat_modeler.py

Performs systematic threat modeling using STRIDE framework with automated threat identification and mitigation recommendations.

Key Features:

• STRIDE threat analysis (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)

• Data flow diagram parsing

• Automated threat identification based on architecture patterns

• Risk scoring (likelihood × impact)

• Mitigation strategy recommendations

• Threat library with common attack patterns

• Export to security documentation formats

Common Usage:

Analyze architecture diagram

python scripts/threat_modeler.py architecture.json --framework stride

Generate threat report

python scripts/threat_modeler.py architecture.json --report detailed

Focus on high-risk threats

python scripts/threat_modeler.py architecture.json --min-risk high

Help

python scripts/threat_modeler.py --help

Use Cases:

• Security design reviews for new features

• Identifying security requirements before development

• Risk assessment for system changes

• Security training and threat awareness

security_auditor.py

Performs comprehensive security audits with OWASP coverage, secure coding analysis, and configuration review.

Key Features:

• OWASP Top 10 compliance checking

• Secure coding pattern analysis

• Authentication and authorization review

• Cryptography implementation audit

• API security assessment

• Configuration hardening checks

• Access control verification

• Audit trail and logging validation

Common Usage:

Run security audit

python scripts/security_auditor.py /path/to/project

Focus on specific areas

python scripts/security_auditor.py /path/to/project --checks auth,crypto,api

Generate compliance report

python scripts/security_auditor.py /path/to/project --report compliance

Help

python scripts/security_auditor.py --help

Use Cases:

• Pre-production security validation

• Compliance audits (SOC 2, ISO 27001)

• Security baseline assessment for acquisitions

• Periodic security health checks

pentest_automator.py

Automates penetration testing workflows with reconnaissance, vulnerability exploitation, and reporting capabilities.

Key Features:

• Automated reconnaissance (port scanning, service enumeration)

• Vulnerability exploitation (common CVEs, misconfigurations)

• Web application testing (SQLi, XSS, CSRF, authentication bypass)

• Network testing (man-in-the-middle, lateral movement)

• API security testing

• Report generation with proof-of-concept

• Integration with Metasploit, Burp Suite, and other pentest tools

Common Usage:

Run automated pentest

python scripts/pentest_automator.py --target https://example.com

Focus on web application

python scripts/pentest_automator.py --target https://example.com --scope web

Generate executive report

python scripts/pentest_automator.py --target https://example.com --report executive

Help

python scripts/pentest_automator.py --help

Use Cases:

• Annual penetration testing requirements

• Pre-launch security validation

• Red team exercises

• Security posture assessment

Reference Documentation

Security Architecture Patterns

Comprehensive guide available in references/security_architecture_patterns.md :

• Detailed patterns and practices

• Code examples

• Best practices

• Anti-patterns to avoid

• Real-world scenarios

Penetration Testing Guide

Complete workflow documentation in references/penetration_testing_guide.md :

• Step-by-step processes

• Optimization strategies

• Tool integrations

• Performance tuning

• Troubleshooting guide

Cryptography Implementation

Technical reference guide in references/cryptography_implementation.md :

• Technology stack details

• Configuration examples

• Integration patterns

• Security considerations

• Scalability guidelines

Tech Stack

Languages: TypeScript, JavaScript, Python, Go, Swift, Kotlin Frontend: React, Next.js, React Native, Flutter Backend: Node.js, Express, GraphQL, REST APIs Database: PostgreSQL, Prisma, NeonDB, Supabase DevOps: Docker, Kubernetes, Terraform, GitHub Actions, CircleCI Cloud: AWS, GCP, Azure

Development Workflow

1. Setup and Configuration

Install dependencies

npm install

or

pip install -r requirements.txt

Configure environment

cp .env.example .env

2. Run Quality Checks

Use the analyzer script

python scripts/security_auditor.py .

Review recommendations

Apply fixes

3. Implement Best Practices

Follow the patterns and practices documented in:

• references/security_architecture_patterns.md

• references/penetration_testing_guide.md

• references/cryptography_implementation.md

Best Practices Summary

Code Quality

• Follow established patterns

• Write comprehensive tests

• Document decisions

• Review regularly

Performance

• Measure before optimizing

• Use appropriate caching

• Optimize critical paths

• Monitor in production

Security

• Validate all inputs

• Use parameterized queries

• Implement proper authentication

• Keep dependencies updated

Maintainability

• Write clear code

• Use consistent naming

• Add helpful comments

• Keep it simple

Common Commands

Development

npm run dev npm run build npm run test npm run lint

Analysis

python scripts/security_auditor.py . python scripts/pentest_automator.py --analyze

Deployment

docker build -t app:latest . docker-compose up -d kubectl apply -f k8s/

Troubleshooting

Common Issues

Check the comprehensive troubleshooting section in references/cryptography_implementation.md .

Getting Help

• Review reference documentation

• Check script output messages

• Consult tech stack documentation

• Review error logs

Resources

• Pattern Reference: references/security_architecture_patterns.md

• Workflow Guide: references/penetration_testing_guide.md

• Technical Guide: references/cryptography_implementation.md

• Tool Scripts: scripts/ directory