{
  "schemaVersion": "1.0",
  "item": {
    "slug": "senior-secops",
    "name": "Senior Secops",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/alirezarezvani/senior-secops",
    "canonicalUrl": "https://clawhub.ai/alirezarezvani/senior-secops",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/senior-secops",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=senior-secops",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "references/compliance_requirements.md",
      "references/security_standards.md",
      "references/vulnerability_management_guide.md",
      "scripts/compliance_checker.py",
      "scripts/security_scanner.py"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/senior-secops"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/senior-secops",
    "agentPageUrl": "https://openagent3.xyz/skills/senior-secops/agent",
    "manifestUrl": "https://openagent3.xyz/skills/senior-secops/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/senior-secops/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Senior SecOps Engineer",
        "body": "Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation."
      },
      {
        "title": "Table of Contents",
        "body": "Core Capabilities\nWorkflows\nTool Reference\nSecurity Standards\nCompliance Frameworks\nBest Practices"
      },
      {
        "title": "1. Security Scanner",
        "body": "Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.\n\n# Scan project for security issues\npython scripts/security_scanner.py /path/to/project\n\n# Filter by severity\npython scripts/security_scanner.py /path/to/project --severity high\n\n# JSON output for CI/CD\npython scripts/security_scanner.py /path/to/project --json --output report.json\n\nDetects:\n\nHardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys)\nSQL injection patterns (string concatenation, f-strings, template literals)\nXSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns)\nCommand injection (shell=True, exec, eval with user input)\nPath traversal (file operations with user input)"
      },
      {
        "title": "2. Vulnerability Assessor",
        "body": "Scan dependencies for known CVEs across npm, Python, and Go ecosystems.\n\n# Assess project dependencies\npython scripts/vulnerability_assessor.py /path/to/project\n\n# Critical/high only\npython scripts/vulnerability_assessor.py /path/to/project --severity high\n\n# Export vulnerability report\npython scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json\n\nScans:\n\npackage.json and package-lock.json (npm)\nrequirements.txt and pyproject.toml (Python)\ngo.mod (Go)\n\nOutput:\n\nCVE IDs with CVSS scores\nAffected package versions\nFixed versions for remediation\nOverall risk score (0-100)"
      },
      {
        "title": "3. Compliance Checker",
        "body": "Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.\n\n# Check all frameworks\npython scripts/compliance_checker.py /path/to/project\n\n# Specific framework\npython scripts/compliance_checker.py /path/to/project --framework soc2\npython scripts/compliance_checker.py /path/to/project --framework pci-dss\npython scripts/compliance_checker.py /path/to/project --framework hipaa\npython scripts/compliance_checker.py /path/to/project --framework gdpr\n\n# Export compliance report\npython scripts/compliance_checker.py /path/to/project --json --output compliance.json\n\nVerifies:\n\nAccess control implementation\nEncryption at rest and in transit\nAudit logging\nAuthentication strength (MFA, password hashing)\nSecurity documentation\nCI/CD security controls"
      },
      {
        "title": "Workflow 1: Security Audit",
        "body": "Complete security assessment of a codebase.\n\n# Step 1: Scan for code vulnerabilities\npython scripts/security_scanner.py . --severity medium\n# STOP if exit code 2 — resolve critical findings before continuing\n\n# Step 2: Check dependency vulnerabilities\npython scripts/vulnerability_assessor.py . --severity high\n# STOP if exit code 2 — patch critical CVEs before continuing\n\n# Step 3: Verify compliance controls\npython scripts/compliance_checker.py . --framework all\n# STOP if exit code 2 — address critical gaps before proceeding\n\n# Step 4: Generate combined reports\npython scripts/security_scanner.py . --json --output security.json\npython scripts/vulnerability_assessor.py . --json --output vulns.json\npython scripts/compliance_checker.py . --json --output compliance.json"
      },
      {
        "title": "Workflow 2: CI/CD Security Gate",
        "body": "Integrate security checks into deployment pipeline.\n\n# .github/workflows/security.yml\nname: \"security-scan\"\n\non:\n  pull_request:\n    branches: [main, develop]\n\njobs:\n  security-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: \"set-up-python\"\n        uses: actions/setup-python@v5\n        with:\n          python-version: '3.11'\n\n      - name: \"security-scanner\"\n        run: python scripts/security_scanner.py . --severity high\n\n      - name: \"vulnerability-assessment\"\n        run: python scripts/vulnerability_assessor.py . --severity critical\n\n      - name: \"compliance-check\"\n        run: python scripts/compliance_checker.py . --framework soc2\n\nEach step fails the pipeline on its respective exit code — no deployment proceeds past a critical finding."
      },
      {
        "title": "Workflow 3: CVE Triage",
        "body": "Respond to a new CVE affecting your application.\n\n1. ASSESS (0-2 hours)\n   - Identify affected systems using vulnerability_assessor.py\n   - Check if CVE is being actively exploited\n   - Determine CVSS environmental score for your context\n   - STOP if CVSS 9.0+ on internet-facing system — escalate immediately\n\n2. PRIORITIZE\n   - Critical (CVSS 9.0+, internet-facing): 24 hours\n   - High (CVSS 7.0-8.9): 7 days\n   - Medium (CVSS 4.0-6.9): 30 days\n   - Low (CVSS < 4.0): 90 days\n\n3. REMEDIATE\n   - Update affected dependency to fixed version\n   - Run security_scanner.py to verify fix (must return exit code 0)\n   - STOP if scanner still flags the CVE — do not deploy\n   - Test for regressions\n   - Deploy with enhanced monitoring\n\n4. VERIFY\n   - Re-run vulnerability_assessor.py\n   - Confirm CVE no longer reported\n   - Document remediation actions"
      },
      {
        "title": "Workflow 4: Incident Response",
        "body": "Security incident handling procedure.\n\nPHASE 1: DETECT & IDENTIFY (0-15 min)\n- Alert received and acknowledged\n- Initial severity assessment (SEV-1 to SEV-4)\n- Incident commander assigned\n- Communication channel established\n\nPHASE 2: CONTAIN (15-60 min)\n- Affected systems identified\n- Network isolation if needed\n- Credentials rotated if compromised\n- Preserve evidence (logs, memory dumps)\n\nPHASE 3: ERADICATE (1-4 hours)\n- Root cause identified\n- Malware/backdoors removed\n- Vulnerabilities patched (run security_scanner.py; must return exit code 0)\n- Systems hardened\n\nPHASE 4: RECOVER (4-24 hours)\n- Systems restored from clean backup\n- Services brought back online\n- Enhanced monitoring enabled\n- User access restored\n\nPHASE 5: POST-INCIDENT (24-72 hours)\n- Incident timeline documented\n- Root cause analysis complete\n- Lessons learned documented\n- Preventive measures implemented\n- Stakeholder report delivered"
      },
      {
        "title": "security_scanner.py",
        "body": "Option\tDescription\ntarget\tDirectory or file to scan\n--severity, -s\tMinimum severity: critical, high, medium, low\n--verbose, -v\tShow files as they're scanned\n--json\tOutput results as JSON\n--output, -o\tWrite results to file\n\nExit Codes: 0 = no critical/high findings · 1 = high severity findings · 2 = critical severity findings"
      },
      {
        "title": "vulnerability_assessor.py",
        "body": "Option\tDescription\ntarget\tDirectory containing dependency files\n--severity, -s\tMinimum severity: critical, high, medium, low\n--verbose, -v\tShow files as they're scanned\n--json\tOutput results as JSON\n--output, -o\tWrite results to file\n\nExit Codes: 0 = no critical/high vulnerabilities · 1 = high severity vulnerabilities · 2 = critical severity vulnerabilities"
      },
      {
        "title": "compliance_checker.py",
        "body": "Option\tDescription\ntarget\tDirectory to check\n--framework, -f\tFramework: soc2, pci-dss, hipaa, gdpr, all\n--verbose, -v\tShow checks as they run\n--json\tOutput results as JSON\n--output, -o\tWrite results to file\n\nExit Codes: 0 = compliant (90%+ score) · 1 = non-compliant (50-69% score) · 2 = critical gaps (<50% score)"
      },
      {
        "title": "Security Standards",
        "body": "See references/security_standards.md for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls."
      },
      {
        "title": "Secure Coding Checklist",
        "body": "## Input Validation\n- [ ] Validate all input on server side\n- [ ] Use allowlists over denylists\n- [ ] Sanitize for specific context (HTML, SQL, shell)\n\n## Output Encoding\n- [ ] HTML encode for browser output\n- [ ] URL encode for URLs\n- [ ] JavaScript encode for script contexts\n\n## Authentication\n- [ ] Use bcrypt/argon2 for passwords\n- [ ] Implement MFA for sensitive operations\n- [ ] Enforce strong password policy\n\n## Session Management\n- [ ] Generate secure random session IDs\n- [ ] Set HttpOnly, Secure, SameSite flags\n- [ ] Implement session timeout (15 min idle)\n\n## Error Handling\n- [ ] Log errors with context (no secrets)\n- [ ] Return generic messages to users\n- [ ] Never expose stack traces in production\n\n## Secrets Management\n- [ ] Use environment variables or secrets manager\n- [ ] Never commit secrets to version control\n- [ ] Rotate credentials regularly"
      },
      {
        "title": "Compliance Frameworks",
        "body": "See references/compliance_requirements.md for full control mappings. Run compliance_checker.py to verify the controls below:"
      },
      {
        "title": "SOC 2 Type II",
        "body": "CC6 Logical Access: authentication, authorization, MFA\nCC7 System Operations: monitoring, logging, incident response\nCC8 Change Management: CI/CD, code review, deployment controls"
      },
      {
        "title": "PCI-DSS v4.0",
        "body": "Req 3/4: Encryption at rest and in transit (TLS 1.2+)\nReq 6: Secure development (input validation, secure coding)\nReq 8: Strong authentication (MFA, password policy)\nReq 10/11: Audit logging, SAST/DAST/penetration testing"
      },
      {
        "title": "HIPAA Security Rule",
        "body": "Unique user IDs and audit trails for PHI access (164.312(a)(1), 164.312(b))\nMFA for person/entity authentication (164.312(d))\nTransmission encryption via TLS (164.312(e)(1))"
      },
      {
        "title": "GDPR",
        "body": "Art 25/32: Privacy by design, encryption, pseudonymization\nArt 33: Breach notification within 72 hours\nArt 17/20: Right to erasure and data portability"
      },
      {
        "title": "Secrets Management",
        "body": "# BAD: Hardcoded secret\nAPI_KEY = \"sk-1234567890abcdef\"\n\n# GOOD: Environment variable\nimport os\nAPI_KEY = os.environ.get(\"API_KEY\")\n\n# BETTER: Secrets manager\nfrom your_vault_client import get_secret\nAPI_KEY = get_secret(\"api/key\")"
      },
      {
        "title": "SQL Injection Prevention",
        "body": "# BAD: String concatenation\nquery = f\"SELECT * FROM users WHERE id = {user_id}\"\n\n# GOOD: Parameterized query\ncursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))"
      },
      {
        "title": "XSS Prevention",
        "body": "// BAD: Direct innerHTML assignment is vulnerable\n// GOOD: Use textContent (auto-escaped)\nelement.textContent = userInput;\n\n// GOOD: Use sanitization library for HTML\nimport DOMPurify from 'dompurify';\nconst safeHTML = DOMPurify.sanitize(userInput);"
      },
      {
        "title": "Authentication",
        "body": "// Password hashing\nconst bcrypt = require('bcrypt');\nconst SALT_ROUNDS = 12;\n\n// Hash password\nconst hash = await bcrypt.hash(password, SALT_ROUNDS);\n\n// Verify password\nconst match = await bcrypt.compare(password, hash);"
      },
      {
        "title": "Security Headers",
        "body": "// Express.js security headers\nconst helmet = require('helmet');\napp.use(helmet());\n\n// Or manually set headers:\napp.use((req, res, next) => {\n  res.setHeader('X-Content-Type-Options', 'nosniff');\n  res.setHeader('X-Frame-Options', 'DENY');\n  res.setHeader('X-XSS-Protection', '1; mode=block');\n  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');\n  res.setHeader('Content-Security-Policy', \"default-src 'self'\");\n  next();\n});"
      },
      {
        "title": "Reference Documentation",
        "body": "Document\tDescription\nreferences/security_standards.md\tOWASP Top 10, secure coding, authentication, API security\nreferences/vulnerability_management_guide.md\tCVE triage, CVSS scoring, remediation workflows\nreferences/compliance_requirements.md\tSOC 2, PCI-DSS, HIPAA, GDPR full control mappings"
      }
    ],
    "body": "Senior SecOps Engineer\n\nComplete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.\n\nTable of Contents\nCore Capabilities\nWorkflows\nTool Reference\nSecurity Standards\nCompliance Frameworks\nBest Practices\nCore Capabilities\n1. Security Scanner\n\nScan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.\n\n# Scan project for security issues\npython scripts/security_scanner.py /path/to/project\n\n# Filter by severity\npython scripts/security_scanner.py /path/to/project --severity high\n\n# JSON output for CI/CD\npython scripts/security_scanner.py /path/to/project --json --output report.json\n\n\nDetects:\n\nHardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys)\nSQL injection patterns (string concatenation, f-strings, template literals)\nXSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns)\nCommand injection (shell=True, exec, eval with user input)\nPath traversal (file operations with user input)\n2. Vulnerability Assessor\n\nScan dependencies for known CVEs across npm, Python, and Go ecosystems.\n\n# Assess project dependencies\npython scripts/vulnerability_assessor.py /path/to/project\n\n# Critical/high only\npython scripts/vulnerability_assessor.py /path/to/project --severity high\n\n# Export vulnerability report\npython scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json\n\n\nScans:\n\npackage.json and package-lock.json (npm)\nrequirements.txt and pyproject.toml (Python)\ngo.mod (Go)\n\nOutput:\n\nCVE IDs with CVSS scores\nAffected package versions\nFixed versions for remediation\nOverall risk score (0-100)\n3. Compliance Checker\n\nVerify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.\n\n# Check all frameworks\npython scripts/compliance_checker.py /path/to/project\n\n# Specific framework\npython scripts/compliance_checker.py /path/to/project --framework soc2\npython scripts/compliance_checker.py /path/to/project --framework pci-dss\npython scripts/compliance_checker.py /path/to/project --framework hipaa\npython scripts/compliance_checker.py /path/to/project --framework gdpr\n\n# Export compliance report\npython scripts/compliance_checker.py /path/to/project --json --output compliance.json\n\n\nVerifies:\n\nAccess control implementation\nEncryption at rest and in transit\nAudit logging\nAuthentication strength (MFA, password hashing)\nSecurity documentation\nCI/CD security controls\nWorkflows\nWorkflow 1: Security Audit\n\nComplete security assessment of a codebase.\n\n# Step 1: Scan for code vulnerabilities\npython scripts/security_scanner.py . --severity medium\n# STOP if exit code 2 — resolve critical findings before continuing\n\n# Step 2: Check dependency vulnerabilities\npython scripts/vulnerability_assessor.py . --severity high\n# STOP if exit code 2 — patch critical CVEs before continuing\n\n# Step 3: Verify compliance controls\npython scripts/compliance_checker.py . --framework all\n# STOP if exit code 2 — address critical gaps before proceeding\n\n# Step 4: Generate combined reports\npython scripts/security_scanner.py . --json --output security.json\npython scripts/vulnerability_assessor.py . --json --output vulns.json\npython scripts/compliance_checker.py . --json --output compliance.json\n\nWorkflow 2: CI/CD Security Gate\n\nIntegrate security checks into deployment pipeline.\n\n# .github/workflows/security.yml\nname: \"security-scan\"\n\non:\n  pull_request:\n    branches: [main, develop]\n\njobs:\n  security-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: \"set-up-python\"\n        uses: actions/setup-python@v5\n        with:\n          python-version: '3.11'\n\n      - name: \"security-scanner\"\n        run: python scripts/security_scanner.py . --severity high\n\n      - name: \"vulnerability-assessment\"\n        run: python scripts/vulnerability_assessor.py . --severity critical\n\n      - name: \"compliance-check\"\n        run: python scripts/compliance_checker.py . --framework soc2\n\n\nEach step fails the pipeline on its respective exit code — no deployment proceeds past a critical finding.\n\nWorkflow 3: CVE Triage\n\nRespond to a new CVE affecting your application.\n\n1. ASSESS (0-2 hours)\n   - Identify affected systems using vulnerability_assessor.py\n   - Check if CVE is being actively exploited\n   - Determine CVSS environmental score for your context\n   - STOP if CVSS 9.0+ on internet-facing system — escalate immediately\n\n2. PRIORITIZE\n   - Critical (CVSS 9.0+, internet-facing): 24 hours\n   - High (CVSS 7.0-8.9): 7 days\n   - Medium (CVSS 4.0-6.9): 30 days\n   - Low (CVSS < 4.0): 90 days\n\n3. REMEDIATE\n   - Update affected dependency to fixed version\n   - Run security_scanner.py to verify fix (must return exit code 0)\n   - STOP if scanner still flags the CVE — do not deploy\n   - Test for regressions\n   - Deploy with enhanced monitoring\n\n4. VERIFY\n   - Re-run vulnerability_assessor.py\n   - Confirm CVE no longer reported\n   - Document remediation actions\n\nWorkflow 4: Incident Response\n\nSecurity incident handling procedure.\n\nPHASE 1: DETECT & IDENTIFY (0-15 min)\n- Alert received and acknowledged\n- Initial severity assessment (SEV-1 to SEV-4)\n- Incident commander assigned\n- Communication channel established\n\nPHASE 2: CONTAIN (15-60 min)\n- Affected systems identified\n- Network isolation if needed\n- Credentials rotated if compromised\n- Preserve evidence (logs, memory dumps)\n\nPHASE 3: ERADICATE (1-4 hours)\n- Root cause identified\n- Malware/backdoors removed\n- Vulnerabilities patched (run security_scanner.py; must return exit code 0)\n- Systems hardened\n\nPHASE 4: RECOVER (4-24 hours)\n- Systems restored from clean backup\n- Services brought back online\n- Enhanced monitoring enabled\n- User access restored\n\nPHASE 5: POST-INCIDENT (24-72 hours)\n- Incident timeline documented\n- Root cause analysis complete\n- Lessons learned documented\n- Preventive measures implemented\n- Stakeholder report delivered\n\nTool Reference\nsecurity_scanner.py\nOption\tDescription\ntarget\tDirectory or file to scan\n--severity, -s\tMinimum severity: critical, high, medium, low\n--verbose, -v\tShow files as they're scanned\n--json\tOutput results as JSON\n--output, -o\tWrite results to file\n\nExit Codes: 0 = no critical/high findings · 1 = high severity findings · 2 = critical severity findings\n\nvulnerability_assessor.py\nOption\tDescription\ntarget\tDirectory containing dependency files\n--severity, -s\tMinimum severity: critical, high, medium, low\n--verbose, -v\tShow files as they're scanned\n--json\tOutput results as JSON\n--output, -o\tWrite results to file\n\nExit Codes: 0 = no critical/high vulnerabilities · 1 = high severity vulnerabilities · 2 = critical severity vulnerabilities\n\ncompliance_checker.py\nOption\tDescription\ntarget\tDirectory to check\n--framework, -f\tFramework: soc2, pci-dss, hipaa, gdpr, all\n--verbose, -v\tShow checks as they run\n--json\tOutput results as JSON\n--output, -o\tWrite results to file\n\nExit Codes: 0 = compliant (90%+ score) · 1 = non-compliant (50-69% score) · 2 = critical gaps (<50% score)\n\nSecurity Standards\n\nSee references/security_standards.md for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls.\n\nSecure Coding Checklist\n## Input Validation\n- [ ] Validate all input on server side\n- [ ] Use allowlists over denylists\n- [ ] Sanitize for specific context (HTML, SQL, shell)\n\n## Output Encoding\n- [ ] HTML encode for browser output\n- [ ] URL encode for URLs\n- [ ] JavaScript encode for script contexts\n\n## Authentication\n- [ ] Use bcrypt/argon2 for passwords\n- [ ] Implement MFA for sensitive operations\n- [ ] Enforce strong password policy\n\n## Session Management\n- [ ] Generate secure random session IDs\n- [ ] Set HttpOnly, Secure, SameSite flags\n- [ ] Implement session timeout (15 min idle)\n\n## Error Handling\n- [ ] Log errors with context (no secrets)\n- [ ] Return generic messages to users\n- [ ] Never expose stack traces in production\n\n## Secrets Management\n- [ ] Use environment variables or secrets manager\n- [ ] Never commit secrets to version control\n- [ ] Rotate credentials regularly\n\nCompliance Frameworks\n\nSee references/compliance_requirements.md for full control mappings. Run compliance_checker.py to verify the controls below:\n\nSOC 2 Type II\nCC6 Logical Access: authentication, authorization, MFA\nCC7 System Operations: monitoring, logging, incident response\nCC8 Change Management: CI/CD, code review, deployment controls\nPCI-DSS v4.0\nReq 3/4: Encryption at rest and in transit (TLS 1.2+)\nReq 6: Secure development (input validation, secure coding)\nReq 8: Strong authentication (MFA, password policy)\nReq 10/11: Audit logging, SAST/DAST/penetration testing\nHIPAA Security Rule\nUnique user IDs and audit trails for PHI access (164.312(a)(1), 164.312(b))\nMFA for person/entity authentication (164.312(d))\nTransmission encryption via TLS (164.312(e)(1))\nGDPR\nArt 25/32: Privacy by design, encryption, pseudonymization\nArt 33: Breach notification within 72 hours\nArt 17/20: Right to erasure and data portability\nBest Practices\nSecrets Management\n# BAD: Hardcoded secret\nAPI_KEY = \"sk-1234567890abcdef\"\n\n# GOOD: Environment variable\nimport os\nAPI_KEY = os.environ.get(\"API_KEY\")\n\n# BETTER: Secrets manager\nfrom your_vault_client import get_secret\nAPI_KEY = get_secret(\"api/key\")\n\nSQL Injection Prevention\n# BAD: String concatenation\nquery = f\"SELECT * FROM users WHERE id = {user_id}\"\n\n# GOOD: Parameterized query\ncursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))\n\nXSS Prevention\n// BAD: Direct innerHTML assignment is vulnerable\n// GOOD: Use textContent (auto-escaped)\nelement.textContent = userInput;\n\n// GOOD: Use sanitization library for HTML\nimport DOMPurify from 'dompurify';\nconst safeHTML = DOMPurify.sanitize(userInput);\n\nAuthentication\n// Password hashing\nconst bcrypt = require('bcrypt');\nconst SALT_ROUNDS = 12;\n\n// Hash password\nconst hash = await bcrypt.hash(password, SALT_ROUNDS);\n\n// Verify password\nconst match = await bcrypt.compare(password, hash);\n\nSecurity Headers\n// Express.js security headers\nconst helmet = require('helmet');\napp.use(helmet());\n\n// Or manually set headers:\napp.use((req, res, next) => {\n  res.setHeader('X-Content-Type-Options', 'nosniff');\n  res.setHeader('X-Frame-Options', 'DENY');\n  res.setHeader('X-XSS-Protection', '1; mode=block');\n  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');\n  res.setHeader('Content-Security-Policy', \"default-src 'self'\");\n  next();\n});\n\nReference Documentation\nDocument\tDescription\nreferences/security_standards.md\tOWASP Top 10, secure coding, authentication, API security\nreferences/vulnerability_management_guide.md\tCVE triage, CVSS scoring, remediation workflows\nreferences/compliance_requirements.md\tSOC 2, PCI-DSS, HIPAA, GDPR full control mappings"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/alirezarezvani/senior-secops",
    "publisherUrl": "https://clawhub.ai/alirezarezvani/senior-secops",
    "owner": "alirezarezvani",
    "version": "2.1.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/senior-secops",
    "downloadUrl": "https://openagent3.xyz/downloads/senior-secops",
    "agentUrl": "https://openagent3.xyz/skills/senior-secops/agent",
    "manifestUrl": "https://openagent3.xyz/skills/senior-secops/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/senior-secops/agent.md"
  }
}