This skill helps you implement database security covering access control, encryption, and audit logging to protect data and meet compliance requirements.

Add this skill to your agents with:

```shell
npx playbooks add skill pluginagentmarketplace/custom-plugin-sql --skill security
```
---
name: security
description: Database security, access control, and data protection
sasmp_version: "1.3.0"
bonded_agent: 08-sql-devops
bond_type: PRIMARY_BOND
---
# Database Security Skill
## Overview
Implement comprehensive database security including access control, encryption, and audit logging.
## Topics Covered
### Access Control
- User management
- Role-based access (RBAC)
- Row-level security
- Column-level permissions
- Privilege management
### SQL Injection Prevention
- Parameterized queries
- Input validation
- ORM security
- Stored procedure security
- Application layer defense
### Encryption
- TDE (Transparent Data Encryption)
- Column-level encryption
- TLS/SSL connections
- Key management
- Encryption at rest
### Auditing
- Audit logging
- Change tracking
- Compliance requirements
- Log analysis
- Forensic investigation
### Compliance
- GDPR requirements
- PCI-DSS compliance
- HIPAA considerations
- Data masking
- Data retention policies
## Prerequisites
- SQL fundamentals
- Security concepts
## Learning Outcomes
- Implement access control
- Prevent SQL injection
- Configure encryption
- Set up audit logging
This skill teaches practical database security: access control, encryption, SQL injection prevention, and auditing. It focuses on actionable configuration and patterns to protect data, control privileges, and meet compliance requirements. It pairs defensive techniques with monitoring and forensic-ready logging.
The skill inspects and hardens authentication, authorization, and privilege models (RBAC, row- and column-level rules) and shows how to apply least privilege. It demonstrates code- and database-level protections against SQL injection, encryption options (TDE, column-level, TLS), and key-management basics. It also covers audit logging, change tracking, and mapping controls to GDPR/PCI/HIPAA requirements for compliance and investigations.
How do I stop SQL injection in legacy code?
Start by identifying dynamic SQL patterns, introduce parameterized queries or prepared statements, and add input validation. If refactoring is costly, use stored procedures and strict database permissions as interim controls.
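The refactoring described in this answer, as an added example that is not part of the skill's own files: a legacy string-built query beside its parameterized replacement, plus allow-list validation for a sort column, since identifiers cannot be bound as parameters. It uses the standard library `sqlite3` module on an in-memory table with constructed rows; the table, column names and allow-list are assumptions for the demo.

```python
# Added example (not part of the skill): legacy dynamic SQL vs. its
# parameterized replacement, plus allow-list validation for an identifier.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "analyst"), (3, "carol", "analyst")],
    )
    return conn


def find_legacy(conn: sqlite3.Connection, name: str) -> list:
    """The pattern to refactor: user input concatenated into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized replacement: the driver binds `name` as a value, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Assumed allow-list: placeholders cannot bind column names, so validate them.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Identifier from the caller is only used after an exact allow-list match."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quoted literal in the legacy query.
    probe = "x' OR '1'='1"
    print("legacy:", find_legacy(db, probe))  # every row: the filter is bypassed
    print("safe  :", find_safe(db, probe))    # no rows: the input is just a name
    print("sorted:", list_users_sorted(db, "name"))
```

Running the block prints all three rows for the legacy function and an empty list for the parameterized one, which is the behavioural difference a code review should look for when hunting dynamic SQL.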
When should I use column-level encryption vs full-disk/TDE?
Use TDE to protect backups and disks from theft; use column-level encryption or tokenization when specific fields require stricter access controls or selective decryption at the application level.