Senior Secops

Senior SecOps Engineer

Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.

Table of Contents

Core Capabilities Workflows Tool Reference Security Standards Compliance Frameworks Best Practices

1. Security Scanner

Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal. # Scan project for security issues python scripts/security_scanner.py /path/to/project # Filter by severity python scripts/security_scanner.py /path/to/project --severity high # JSON output for CI/CD python scripts/security_scanner.py /path/to/project --json --output report.json Detects: Hardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys) SQL injection patterns (string concatenation, f-strings, template literals) XSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns) Command injection (shell=True, exec, eval with user input) Path traversal (file operations with user input)

2. Vulnerability Assessor

Scan dependencies for known CVEs across npm, Python, and Go ecosystems. # Assess project dependencies python scripts/vulnerability_assessor.py /path/to/project # Critical/high only python scripts/vulnerability_assessor.py /path/to/project --severity high # Export vulnerability report python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json Scans: package.json and package-lock.json (npm) requirements.txt and pyproject.toml (Python) go.mod (Go) Output: CVE IDs with CVSS scores Affected package versions Fixed versions for remediation Overall risk score (0-100)

3. Compliance Checker

Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks. # Check all frameworks python scripts/compliance_checker.py /path/to/project # Specific framework python scripts/compliance_checker.py /path/to/project --framework soc2 python scripts/compliance_checker.py /path/to/project --framework pci-dss python scripts/compliance_checker.py /path/to/project --framework hipaa python scripts/compliance_checker.py /path/to/project --framework gdpr # Export compliance report python scripts/compliance_checker.py /path/to/project --json --output compliance.json Verifies: Access control implementation Encryption at rest and in transit Audit logging Authentication strength (MFA, password hashing) Security documentation CI/CD security controls

Workflow 1: Security Audit

Complete security assessment of a codebase. # Step 1: Scan for code vulnerabilities python scripts/security_scanner.py . --severity medium # STOP if exit code 2 — resolve critical findings before continuing # Step 2: Check dependency vulnerabilities python scripts/vulnerability_assessor.py . --severity high # STOP if exit code 2 — patch critical CVEs before continuing # Step 3: Verify compliance controls python scripts/compliance_checker.py . --framework all # STOP if exit code 2 — address critical gaps before proceeding # Step 4: Generate combined reports python scripts/security_scanner.py . --json --output security.json python scripts/vulnerability_assessor.py . --json --output vulns.json python scripts/compliance_checker.py . --json --output compliance.json

Workflow 2: CI/CD Security Gate

Integrate security checks into deployment pipeline. # .github/workflows/security.yml name: "security-scan" on: pull_request: branches: [main, develop] jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: "set-up-python" uses: actions/setup-python@v5 with: python-version: '3.11' - name: "security-scanner" run: python scripts/security_scanner.py . --severity high - name: "vulnerability-assessment" run: python scripts/vulnerability_assessor.py . --severity critical - name: "compliance-check" run: python scripts/compliance_checker.py . --framework soc2 Each step fails the pipeline on its respective exit code — no deployment proceeds past a critical finding.

Workflow 3: CVE Triage

Respond to a new CVE affecting your application. 1. ASSESS (0-2 hours) - Identify affected systems using vulnerability_assessor.py - Check if CVE is being actively exploited - Determine CVSS environmental score for your context - STOP if CVSS 9.0+ on internet-facing system — escalate immediately 2. PRIORITIZE - Critical (CVSS 9.0+, internet-facing): 24 hours - High (CVSS 7.0-8.9): 7 days - Medium (CVSS 4.0-6.9): 30 days - Low (CVSS < 4.0): 90 days 3. REMEDIATE - Update affected dependency to fixed version - Run security_scanner.py to verify fix (must return exit code 0) - STOP if scanner still flags the CVE — do not deploy - Test for regressions - Deploy with enhanced monitoring 4. VERIFY - Re-run vulnerability_assessor.py - Confirm CVE no longer reported - Document remediation actions

Workflow 4: Incident Response

• Security incident handling procedure.
• PHASE 1: DETECT & IDENTIFY (0-15 min)
• Alert received and acknowledged
• Initial severity assessment (SEV-1 to SEV-4)
• Incident commander assigned
• Communication channel established
• PHASE 2: CONTAIN (15-60 min)
• Affected systems identified
• Network isolation if needed
• Credentials rotated if compromised
• Preserve evidence (logs, memory dumps)
• PHASE 3: ERADICATE (1-4 hours)
• Root cause identified
• Malware/backdoors removed
• Vulnerabilities patched (run security_scanner.py; must return exit code 0)
• Systems hardened
• PHASE 4: RECOVER (4-24 hours)
• Systems restored from clean backup
• Services brought back online
• Enhanced monitoring enabled
• User access restored
• PHASE 5: POST-INCIDENT (24-72 hours)
• Incident timeline documented
• Root cause analysis complete
• Lessons learned documented
• Preventive measures implemented
• Stakeholder report delivered

security_scanner.py

OptionDescriptiontargetDirectory or file to scan--severity, -sMinimum severity: critical, high, medium, low--verbose, -vShow files as they're scanned--jsonOutput results as JSON--output, -oWrite results to file Exit Codes: 0 = no critical/high findings · 1 = high severity findings · 2 = critical severity findings

vulnerability_assessor.py

OptionDescriptiontargetDirectory containing dependency files--severity, -sMinimum severity: critical, high, medium, low--verbose, -vShow files as they're scanned--jsonOutput results as JSON--output, -oWrite results to file Exit Codes: 0 = no critical/high vulnerabilities · 1 = high severity vulnerabilities · 2 = critical severity vulnerabilities

compliance_checker.py

OptionDescriptiontargetDirectory to check--framework, -fFramework: soc2, pci-dss, hipaa, gdpr, all--verbose, -vShow checks as they run--jsonOutput results as JSON--output, -oWrite results to file Exit Codes: 0 = compliant (90%+ score) · 1 = non-compliant (50-69% score) · 2 = critical gaps (<50% score)

Security Standards

See references/security_standards.md for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls.

Secure Coding Checklist

• ## Input Validation
• [ ] Validate all input on server side
• [ ] Use allowlists over denylists
• [ ] Sanitize for specific context (HTML, SQL, shell)
• ## Output Encoding
• [ ] HTML encode for browser output
• [ ] URL encode for URLs
• [ ] JavaScript encode for script contexts
• ## Authentication
• [ ] Use bcrypt/argon2 for passwords
• [ ] Implement MFA for sensitive operations
• [ ] Enforce strong password policy
• ## Session Management
• [ ] Generate secure random session IDs
• [ ] Set HttpOnly, Secure, SameSite flags
• [ ] Implement session timeout (15 min idle)
• ## Error Handling
• [ ] Log errors with context (no secrets)
• [ ] Return generic messages to users
• [ ] Never expose stack traces in production
• ## Secrets Management
• [ ] Use environment variables or secrets manager
• [ ] Never commit secrets to version control
• [ ] Rotate credentials regularly

Compliance Frameworks

See references/compliance_requirements.md for full control mappings. Run compliance_checker.py to verify the controls below:

SOC 2 Type II

CC6 Logical Access: authentication, authorization, MFA CC7 System Operations: monitoring, logging, incident response CC8 Change Management: CI/CD, code review, deployment controls

PCI-DSS v4.0

Req 3/4: Encryption at rest and in transit (TLS 1.2+) Req 6: Secure development (input validation, secure coding) Req 8: Strong authentication (MFA, password policy) Req 10/11: Audit logging, SAST/DAST/penetration testing

HIPAA Security Rule

Unique user IDs and audit trails for PHI access (164.312(a)(1), 164.312(b)) MFA for person/entity authentication (164.312(d)) Transmission encryption via TLS (164.312(e)(1))

GDPR

Art 25/32: Privacy by design, encryption, pseudonymization Art 33: Breach notification within 72 hours Art 17/20: Right to erasure and data portability

Secrets Management

# BAD: Hardcoded secret API_KEY = "sk-1234567890abcdef" # GOOD: Environment variable import os API_KEY = os.environ.get("API_KEY") # BETTER: Secrets manager from your_vault_client import get_secret API_KEY = get_secret("api/key")

SQL Injection Prevention

# BAD: String concatenation query = f"SELECT * FROM users WHERE id = {user_id}" # GOOD: Parameterized query cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

XSS Prevention

// BAD: Direct innerHTML assignment is vulnerable // GOOD: Use textContent (auto-escaped) element.textContent = userInput; // GOOD: Use sanitization library for HTML import DOMPurify from 'dompurify'; const safeHTML = DOMPurify.sanitize(userInput);

Authentication

// Password hashing const bcrypt = require('bcrypt'); const SALT_ROUNDS = 12; // Hash password const hash = await bcrypt.hash(password, SALT_ROUNDS); // Verify password const match = await bcrypt.compare(password, hash);

Security Headers

// Express.js security headers const helmet = require('helmet'); app.use(helmet()); // Or manually set headers: app.use((req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); res.setHeader('Content-Security-Policy', "default-src 'self'"); next(); });

Reference Documentation

DocumentDescriptionreferences/security_standards.mdOWASP Top 10, secure coding, authentication, API securityreferences/vulnerability_management_guide.mdCVE triage, CVSS scoring, remediation workflowsreferences/compliance_requirements.mdSOC 2, PCI-DSS, HIPAA, GDPR full control mappings