security

Security

Overview

Security is a cross-cutting concern that spans every layer of software development, from design through deployment and operations. Rather than being confined to a single language or framework, security principles such as defense in depth, least privilege, and secure defaults apply universally. This skill serves as the root entry point for all security-related guidance, organizing sub-skills around the major domains of application security: standards compliance (OWASP), threat modeling, authentication and authorization, cryptography, API security, input validation, data protection, supply chain integrity, security testing, logging and monitoring, secure SDLC practices, and the emerging field of AI security. Use this skill to navigate the security landscape and identify which specialized sub-skill addresses your specific concern.

Knowledge Map

+-----------------------------------------------------------------------+
|                     Governance & Compliance                           |
|            (Secure SDLC, Policies, Standards, Regulations)            |
+-----------------------------------------------------------------------+
|                       Application Security                            |
|  +-------------+  +-----------+  +--------------+  +---------------+  |
|  +--------+  +--------+  +-----------+  +-----------+  +--------+     |
|  |  Auth   |  | Crypto |  |Input/Output|  |API Security|  |Hygiene |     |
|  |(AuthN/Z)|  |(TLS,HE)|  |(Validate) |  |(REST,GQL) |  |(Trust  |     |
|  +--------+  +--------+  +-----------+  +-----------+  |Boundaries)|  |
|                                                         +--------+     |
|  +---------------------+  +--------------------------------------+    |
|  |   Data Protection    |  |         Supply Chain Security        |    |
|  | (Encryption at Rest, |  | (Dependencies, SBOMs, Signing)      |    |
|  |  Masking, PII)       |  +--------------------------------------+    |
|  +---------------------+                                              |
+-----------------------------------------------------------------------+
|                          Foundation                                    |
|  +------------------+  +-------------------+  +--------------------+  |
|  +----------------+ +----------------+ +------------------+ +--------+  |
|  | Threat Modeling | | Security Tests | | Logging/Monitor  | | Pen    |  |
|  | (STRIDE,DREAD)  | | (SAST,DAST,SCA)| | (SIEM,Alerting)  | | Test & |  |
|  +----------------+ +----------------+ +------------------+ | Red    |  |
|                                                              | Team   |  |
|                                                              +--------+  |
+-----------------------------------------------------------------------+
|  <<cross-cutting>>         AI Security                                |
|  (Prompt Injection, Model Poisoning, LLM Top 10, AI Supply Chain)     |
+-----------------------------------------------------------------------+

Canonical Works

Title	Author(s)	Year	Focus
The Web Application Hacker's Handbook	Dafydd Stuttard & Marcus Pinto	2011	Web app vulnerability discovery and exploitation techniques
Penetration Testing	Georgia Weidman	2014	Hands-on penetration testing methodology and tools
Red Team Development and Operations	Joe Vest & James Tubberville	2020	Planning and executing red team engagements
Threat Modeling: Designing for Security	Adam Shostack	2014	Systematic approach to identifying and mitigating security threats
NIST Cybersecurity Framework 2.0	NIST	2024	Risk-based framework for managing cybersecurity across organizations
OWASP Top 10 (2021)	OWASP Foundation	2021	Top 10 most critical web application security risks
OWASP API Security Top 10 (2023)	OWASP Foundation	2023	Top 10 most critical API security risks
OWASP Top 10 for LLM Applications (2025)	OWASP Foundation	2025	Top 10 security risks specific to large language model applications

Choosing the Right Sub-Skill

Problem	Look In
Need to understand common web vulnerabilities and compliance baselines	owasp
Designing a system and need to identify threats early	threat-modeling
Implementing login, OAuth, SSO, or access control	authentication
Choosing or implementing encryption, hashing, or key management	cryptography
Securing REST or GraphQL APIs against abuse	api-security
Sanitizing user input or preventing injection attacks	input-validation
Enforcing sanitization and canonicalization at every component boundary (including internal data)	hygiene
Protecting PII, encrypting data at rest, or masking sensitive fields	data-protection
Auditing dependencies, generating SBOMs, or verifying artifact integrity	supply-chain
Running SAST, DAST, or SCA scans in CI/CD	security-testing
Setting up security logging, alerting, or incident detection	logging-monitoring
Embedding security gates into the development lifecycle	secure-sdlc
Securing LLM-powered applications against prompt injection or model abuse	ai-security
Planning or conducting authorized penetration tests against applications and infrastructure	penetration-testing
Adversarial red team engagements, MITRE ATT&CK simulation, purple teaming, AI red teaming	red-teaming

Best Practices

• Defense in depth: never rely on a single security control; layer multiple defenses so that a failure in one does not compromise the system.
• Least privilege: grant the minimum permissions necessary for any user, service, or process to perform its function.
• Secure defaults: ship systems in a secure configuration; require explicit action to weaken security posture rather than to strengthen it.
• Shift left: integrate security analysis (threat modeling, SAST, dependency scanning) as early as possible in the development lifecycle.
• Zero trust mindset: authenticate and authorize every request regardless of network location; assume the perimeter has already been breached.
• Automate security gates: use CI/CD pipelines to enforce security scanning, secret detection, and compliance checks before code reaches production.
• Keep dependencies current: regularly update libraries and frameworks, monitor for CVEs, and generate Software Bills of Materials (SBOMs) for auditability.
• Treat security as a team responsibility: security is not solely the security team's job; every developer, operator, and architect shares accountability for building and maintaining secure systems.