Senior Security

Senior Security is a community skill for advanced application and infrastructure security engineering, covering threat modeling, penetration testing guidance, security architecture review, cryptographic implementation, and compliance frameworks for enterprise systems.

What Is This?

Overview

Senior Security provides guidance on designing and verifying security controls across application and infrastructure layers. It covers threat modeling that maps attack surfaces and prioritizes risks based on business impact, penetration testing guidance that structures security assessments with scoping and methodology selection, security architecture review that evaluates system designs for defense-in-depth and least-privilege principles, cryptographic implementation that applies encryption, hashing, and key management correctly, and compliance frameworks that map technical controls to regulatory requirements. The skill helps engineers build secure systems.

Who Should Use This

This skill serves security architects designing system protections, senior engineers implementing cryptographic controls, and compliance teams mapping technical safeguards to regulatory standards.

Why Use It?

Problems It Solves

Systems designed without threat modeling miss critical attack vectors that adversaries exploit. Cryptographic implementations using incorrect algorithms or parameters provide false security assurance. Security reviews without structured methodology produce inconsistent coverage. Compliance requirements are difficult to translate into concrete technical controls.

Core Highlights

Threat modeler maps attack surfaces with risk prioritization. Architecture reviewer evaluates designs for defense-in-depth. Crypto advisor validates encryption and key management choices. Compliance mapper connects technical controls to regulatory requirements.

How to Use It?

Basic Usage

from dataclasses import (
  dataclass, field)
from enum import Enum

class RiskLevel(Enum):
  LOW = 'low'
  MEDIUM = 'medium'
  HIGH = 'high'
  CRITICAL = 'critical'

@dataclass
class ThreatEntry:
  name: str
  category: str
  risk: RiskLevel
  mitigation: str

class ThreatModel:
  def __init__(
    self, system: str
  ):
    self.system = system
    self.threats: list[
      ThreatEntry] = []

  def add_threat(
    self,
    name: str,
    category: str,
    risk: RiskLevel,
    mitigation: str
  ):
    self.threats.append(
      ThreatEntry(
        name, category,
        risk, mitigation))

  def by_risk(
    self,
    level: RiskLevel
  ) -> list:
    return [
      t for t in
      self.threats
      if t.risk == level]

  def summary(self) -> dict:
    counts = {}
    for t in self.threats:
      r = t.risk.value
      counts[r] = (
        counts.get(r, 0)
        + 1)
    return counts

model = ThreatModel(
  'payment-api')
model.add_threat(
  'SQL injection',
  'injection',
  RiskLevel.CRITICAL,
  'Parameterized queries')
model.add_threat(
  'Weak TLS config',
  'crypto',
  RiskLevel.HIGH,
  'Enforce TLS 1.3')
print(model.summary())

Real-World Examples

import hashlib
import hmac
import secrets
import base64

class CryptoValidator:
  WEAK_HASHES = {
    'md5', 'sha1'}
  MIN_KEY_BITS = 256

  def check_hash(
    self, algo: str
  ) -> dict:
    is_weak = (
      algo.lower() in
      self.WEAK_HASHES)
    return {
      'algorithm': algo,
      'secure':
        not is_weak,
      'recommendation':
        'Use SHA-256+'
        if is_weak
        else 'OK'}

  def check_key_length(
    self,
    key_bytes: bytes
  ) -> dict:
    bits = (
      len(key_bytes) * 8)
    return {
      'bits': bits,
      'secure': bits >= (
        self.MIN_KEY_BITS),
      'recommendation':
        f'Min {self'
        f'.MIN_KEY_BITS}'
        if bits < self
          .MIN_KEY_BITS
        else 'OK'}

  def generate_key(
    self,
    bits: int = 256
  ) -> bytes:
    return secrets\
      .token_bytes(
        bits // 8)

validator = (
  CryptoValidator())
print(validator
  .check_hash('md5'))
print(validator
  .check_hash('sha256'))
key = validator\
  .generate_key(256)
print(validator
  .check_key_length(key))

Advanced Tips

Use the STRIDE methodology to systematically categorize threats during architecture review. Implement key rotation schedules and automate the process to prevent stale cryptographic material. Map security controls to specific compliance requirements in a traceability matrix for audit readiness.

When to Use It?

Use Cases

Conduct a threat model for a new payment processing API identifying injection, authentication, and data exposure risks. Validate that cryptographic implementations use appropriate algorithms and key sizes. Map application security controls to SOC 2 or PCI-DSS compliance requirements.

Related Topics

Application security, threat modeling, cryptography, penetration testing, compliance, security architecture, and risk management.

Important Notes

Requirements

Understanding of OWASP Top 10 and common vulnerability patterns. Familiarity with cryptographic primitives and their correct usage. Knowledge of relevant compliance frameworks for your industry.

Usage Recommendations

Do: perform threat modeling early in the design phase before implementation begins. Use established cryptographic libraries rather than implementing algorithms from scratch. Regularly review and update security controls as threat landscapes evolve.

Don't: use deprecated cryptographic algorithms such as MD5 or SHA-1 for security purposes. Treat compliance checkbox completion as a substitute for genuine security assessment. Assume that a single security layer provides adequate protection.

Limitations

Threat models represent a point-in-time assessment and require updates as systems change. Compliance frameworks may not cover all security risks relevant to your specific application. Security assessments depend on the expertise and methodology of the reviewer conducting the analysis.