playbooks

home / skills / hyperb1iss / hyperskills / security

security skill

/skills/security

This skill guides security reviews and incident response with threat modeling, compliance checks, and best practices from zero trust to SBOM.

npx playbooks add skill hyperb1iss/hyperskills --skill security

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
5.7 KB
---
name: security
description: Use this skill when doing security reviews, penetration testing, threat modeling, compliance work, or incident response. Activates on mentions of security audit, vulnerability, penetration test, pentest, OWASP, CVE, security review, threat model, zero trust, SOC 2, HIPAA, GDPR, compliance, incident response, SBOM, supply chain security, secrets management, or authentication security.
---

# Security Operations

Secure systems from design through deployment and incident response.

## Quick Reference

### Security Architecture Principles

**Zero Trust Model:**

1. Never trust, always verify
2. Assume breach
3. Verify explicitly
4. Least privilege access
5. Micro-segmentation

**SLSA Framework (Supply Chain):**

- Level 1: Documentation
- Level 2: Hosted build, signed provenance
- Level 3: Hardened builds, 2-person review
- Level 4: Hermetic, reproducible builds

### Threat Modeling (STRIDE)

| Threat                     | Example             | Mitigation                  |
| -------------------------- | ------------------- | --------------------------- |
| **S**poofing               | Fake identity       | Strong auth, MFA            |
| **T**ampering              | Modified data       | Integrity checks, signing   |
| **R**epudiation            | Deny actions        | Audit logs, non-repudiation |
| **I**nformation Disclosure | Data leak           | Encryption, access control  |
| **D**enial of Service      | Overload            | Rate limiting, scaling      |
| **E**levation of Privilege | Unauthorized access | Least privilege, RBAC       |

### Code Security Review Checklist

```markdown
## OWASP Top 10 (2021)

- [ ] A01: Broken Access Control
- [ ] A02: Cryptographic Failures
- [ ] A03: Injection (SQL, NoSQL, OS, LDAP)
- [ ] A04: Insecure Design
- [ ] A05: Security Misconfiguration
- [ ] A06: Vulnerable Components
- [ ] A07: Auth Failures
- [ ] A08: Software/Data Integrity Failures
- [ ] A09: Logging/Monitoring Failures
- [ ] A10: SSRF
```

### Secrets Management

**Never commit secrets.** Use environment-based injection:

```yaml
# Kubernetes External Secrets
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-keys
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: api-keys
  data:
    - secretKey: OPENAI_API_KEY
      remoteRef:
        key: secret/data/api-keys
        property: openai
```

### SBOM Generation

```bash
# Generate SBOM with Syft
syft packages dir:. -o spdx-json > sbom.spdx.json

# Scan for vulnerabilities with Grype
grype sbom:sbom.spdx.json --fail-on high
```

### Container Security

```dockerfile
# Secure Dockerfile patterns
FROM cgr.dev/chainguard/node:latest AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

FROM cgr.dev/chainguard/node:latest
WORKDIR /app
COPY --from=build /app/node_modules ./node_modules
COPY . .
USER nonroot
CMD ["node", "server.js"]
```

**Scan images:**

```bash
trivy image myapp:latest --severity HIGH,CRITICAL
```

### Runtime Security (eBPF)

**Tetragon** for kernel-level enforcement:

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: sensitive-file-access
spec:
  kprobes:
    - call: "fd_install"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values: ["/etc/shadow", "/etc/passwd"]
      action: NotifyEnforcer
```

**Falco** for threat detection:

```yaml
- rule: Shell Spawned in Container
  desc: Detect shell spawned in a container
  condition: >
    spawned_process and container and
    proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name shell=%proc.name)
  priority: WARNING
```

### Compliance Automation

**Vanta/Drata Integration:**

- Continuous monitoring of 35+ frameworks
- Automated evidence collection
- Risk flagging and remediation tracking

**Key Frameworks:**

- SOC 2 Type II
- ISO 27001
- HIPAA
- GDPR
- PCI DSS

### Incident Response Playbook

```markdown
## Phase 1: Detection & Analysis (MTTD < 5 min)

1. Alert triggered → Acknowledge in SOAR
2. Gather initial IOCs (IPs, hashes, usernames)
3. Determine scope and severity
4. Escalate if P1/P2

## Phase 2: Containment (MTTR < 1 hour)

1. Isolate affected systems
2. Block malicious IPs/domains
3. Disable compromised accounts
4. Preserve evidence (disk images, logs)

## Phase 3: Eradication

1. Remove malware/backdoors
2. Patch vulnerabilities
3. Reset credentials
4. Verify clean state

## Phase 4: Recovery

1. Restore from clean backups
2. Monitor for re-infection
3. Gradual service restoration
4. Validate functionality

## Phase 5: Lessons Learned

1. Timeline reconstruction
2. Root cause analysis
3. Update playbooks
4. Security improvements
```

### Penetration Testing Checklist

```markdown
## Reconnaissance

- [ ] DNS enumeration
- [ ] Subdomain discovery
- [ ] Port scanning
- [ ] Service fingerprinting

## Web Application

- [ ] Authentication bypass
- [ ] Session management
- [ ] Input validation
- [ ] Access control
- [ ] Business logic

## Infrastructure

- [ ] Network segmentation
- [ ] Privilege escalation
- [ ] Lateral movement
- [ ] Data exfiltration paths
```

## Agents

- **security-architect** - Threat modeling, secure design, compliance
- **incident-responder** - Incident handling, forensics, recovery

## Deep Dives

- [references/zero-trust.md](references/zero-trust.md)
- [references/sbom-slsa.md](references/sbom-slsa.md)
- [references/ebpf-security.md](references/ebpf-security.md)
- [references/incident-response.md](references/incident-response.md)

## Examples

- [examples/security-pipeline/](examples/security-pipeline/)
- [examples/tetragon-policies/](examples/tetragon-policies/)
- [examples/compliance-checks/](examples/compliance-checks/)

Overview

This skill provides a practical, engineer-focused toolkit for security reviews, threat modeling, penetration testing, compliance automation, and incident response. It consolidates architecture principles, checklists (OWASP, STRIDE), secure coding and container patterns, secrets management, SBOM generation, and playbooks for detection-to-recovery. Use it to standardize assessments, accelerate remediation, and reduce time-to-detect and time-to-recover.

How this skill works

The skill inspects system design, code, infrastructure, and runtime telemetry against proven frameworks like Zero Trust, STRIDE, SLSA, and OWASP Top 10. It provides concrete checks and commands for SBOM creation, image scanning, secrets handling, and eBPF-based runtime enforcement. For incidents it maps a phased playbook (detect, contain, eradicate, recover, learn) and supplies checklists for pentests and compliance evidence collection.

When to use it

  • During architecture reviews or threat modeling to apply Zero Trust and STRIDE mitigations
  • When preparing for or performing penetration tests and web/infrastructure assessments
  • To generate SBOMs, scan images, and validate supply-chain hygiene with SLSA guidance
  • While auditing secrets management and removing hardcoded credentials
  • When responding to an active incident to follow a structured containment and recovery playbook
  • To automate evidence collection for SOC 2, HIPAA, GDPR, ISO 27001, or PCI DSS

Best practices

  • Assume breach; apply least privilege and micro-segmentation across services
  • Never commit secrets; use environment or secret-store injection and rotate keys frequently
  • Generate and scan SBOMs early in CI and fail builds on high-severity findings
  • Harden build pipelines toward SLSA levels and require signed provenance for releases
  • Run image and dependency scans (Trivy/Grype) and use minimal non-root base images
  • Maintain an incident playbook with short MTTD/MTTR goals and preserve evidence before remediation

Example use cases

  • Run a security review of a new microservice: threat model, OWASP checklist, container scan, and IAM review
  • Perform a pentest engagement using reconnaissance, web app tests, and infrastructure privilege escalation checks
  • Integrate SBOM generation (Syft) and vulnerability scanning (Grype) into CI to block high-risk releases
  • Hunt runtime threats with eBPF policies (Tetragon) and detect anomalous container activity with Falco rules
  • Execute incident response for a suspected data breach: collect IOCs, isolate systems, remediate, and run postmortem

FAQ

How do I start with secrets management for Kubernetes?

Use an external secret operator with a vault-backed secret store; avoid in-repo secrets, rotate keys, and inject at runtime via environment or mounted volumes.

Which tools should I run in CI for supply chain security?

Generate SBOMs with Syft, scan them with Grype, run dependency and image scanners like Trivy, and enforce policy gates for high/critical findings.