Security Architecture Design and implement comprehensive security architectures that protect systems, data, and users through layered defense strategies, zero trust principles, and risk-based security controls. Purpose Security architecture provides the strategic foundation for building resilient, compliant, and trustworthy systems. This skill guides the design of defense-in-depth layers, zero trust implementations, threat modeling methodologies, and mapping to control frameworks (NIST CSF, CIS Controls, ISO 27001). Unlike tactical security skills (configuring firewalls, implementing authenti…

)\n quantity: int\n\n @validator('quantity')\n def validate_quantity(cls, v):\n if v \u003c 1 or v > 1000:\n raise ValueError('Quantity must be 1-1000')\n return v\n\n def process_order(request_data):\n # Validate even from trusted service\n validated = OrderRequest(**request_data)\n # Use parameterized query\n query = \"\"\"\n INSERT INTO orders (id, quantity)\n VALUES (?, ?)\n \"\"\"\n db.execute(query, [validated.order_id, validated.quantity])\n\n- control: Parameterized queries\n effectiveness: CRITICAL\n implementation:\n - Use prepared statements always\n - ORM with parameter binding\n - Never concatenate user input\n\n- control: Least privilege database access\n effectiveness: HIGH\n implementation:\n - Each service has separate DB user\n - Grant minimum required permissions\n - Read-only accounts where possible\n - No shared credentials\n\n- control: Database firewall\n effectiveness: MEDIUM\n implementation:\n - Monitor and block suspicious queries\n - Pattern-based SQL injection detection\n - Alert on anomalous database access\n```\n\n**Threat 2.3: Configuration Tampering**\n\n- **Description:** Attacker modifies service configuration to alter behavior\n- **Attack Vector:** Compromised config server, insecure config files, environment variable injection\n- **Impact:** HIGH - Service malfunction, security bypass, data exfiltration\n- **Likelihood:** MEDIUM - Requires config system access\n\n**Mitigations:**\n\n```yaml\n- control: Configuration encryption\n effectiveness: HIGH\n implementation:\n - Encrypt sensitive config at rest\n - Decrypt only at runtime\n - Use sealed secrets for Kubernetes\n code_example: |\n # Sealed Secrets\n kubeseal --format yaml \u003c secret.yaml > sealed-secret.yaml\n kubectl apply -f sealed-secret.yaml\n\n- control: Configuration version control\n effectiveness: HIGH\n implementation:\n - Store config in Git\n - Require code review for changes\n - Audit trail of config modifications\n - Rollback capability\n\n- control: Immutable infrastructure\n effectiveness: HIGH\n implementation:\n - Bake config into container image\n - No runtime config changes\n - Redeploy to change config\n - ConfigMaps as read-only volumes\n\n- control: Configuration validation\n effectiveness: MEDIUM\n implementation:\n - Schema validation on startup\n - Reject invalid configuration\n - Fail-safe defaults\n code_example: |\n import schema\n\n config_schema = schema.Schema({\n 'database_url': schema.And(str, len),\n 'api_timeout': schema.And(int, lambda n: 1 \u003c= n \u003c= 300),\n 'log_level': schema.Or('DEBUG', 'INFO', 'WARNING', 'ERROR')\n })\n\n config = load_config()\n validated_config = config_schema.validate(config)\n```\n\n### Repudiation (Accountability)\n\n**Threat 3.1: Distributed Tracing Blind Spots**\n\n- **Description:** Lack of correlation between service calls prevents audit trail\n- **Attack Vector:** Missing trace IDs, incomplete logging, log deletion\n- **Impact:** MEDIUM - Cannot investigate incidents, compliance violations\n- **Likelihood:** HIGH - Common in complex microservices\n\n**Mitigations:**\n\n```yaml\n- control: Distributed tracing\n effectiveness: HIGH\n implementation:\n tool: OpenTelemetry, Jaeger, Zipkin\n process:\n - Propagate trace ID across all services\n - Include trace ID in all logs\n - Sample critical paths at 100%\n code_example: |\n from opentelemetry import trace\n from opentelemetry.instrumentation.flask import FlaskInstrumentor\n\n tracer = trace.get_tracer(__name__)\n\n @app.route('/api/order')\n def create_order():\n with tracer.start_as_current_span(\"create_order\") as span:\n span.set_attribute(\"order.id\", order_id)\n span.set_attribute(\"user.id\", user_id)\n\n # Call downstream service\n response = requests.post(\n \"http://service-b/process\",\n json=order_data,\n headers={\n \"traceparent\": span.get_span_context()\n }\n )\n\n- control: Structured logging\n effectiveness: HIGH\n implementation:\n - JSON formatted logs\n - Include trace ID, span ID, service name\n - Centralized log aggregation\n code_example: |\n import structlog\n\n log = structlog.get_logger()\n\n log.info(\n \"order.created\",\n order_id=order_id,\n user_id=user_id,\n amount=total,\n trace_id=trace_id,\n span_id=span_id\n )\n\n- control: Service mesh observability\n effectiveness: HIGH\n implementation:\n - Automatic request tracking\n - Service dependency graph\n - Request flow visualization\n - Anomaly detection\n\n- control: Immutable audit logs\n effectiveness: CRITICAL\n implementation:\n - Stream logs to external SIEM\n - Append-only log storage\n - Log integrity verification\n - Long-term retention (7 years for compliance)\n```\n\n**Threat 3.2: Service-to-Service Call Denial**\n\n- **Description:** Service denies making unauthorized API call to another service\n- **Attack Vector:** Compromised service credentials, lack of audit trail\n- **Impact:** MEDIUM - Cannot prove malicious activity, insider threat investigation difficulty\n- **Likelihood:** LOW - Requires sophisticated attack\n\n**Mitigations:**\n\n```yaml\n- control: Service call authentication logs\n effectiveness: HIGH\n implementation:\n - Log all outbound service calls\n - Include service identity, timestamp, endpoint\n - Record request/response correlation\n code_example: |\n def call_downstream_service(endpoint, data):\n request_id = str(uuid.uuid4())\n\n log.info(\n \"service.call.start\",\n request_id=request_id,\n source_service=\"service-a\",\n target_service=\"service-b\",\n endpoint=endpoint,\n method=\"POST\"\n )\n\n try:\n response = requests.post(\n endpoint,\n json=data,\n headers={\n \"X-Request-ID\": request_id,\n \"X-Source-Service\": \"service-a\"\n }\n )\n\n log.info(\n \"service.call.complete\",\n request_id=request_id,\n status_code=response.status_code,\n response_time_ms=response.elapsed.total_seconds() * 1000\n )\n\n return response\n except Exception as e:\n log.error(\n \"service.call.failed\",\n request_id=request_id,\n error=str(e)\n )\n raise\n\n- control: mTLS audit trail\n effectiveness: HIGH\n implementation:\n - Service mesh logs all mTLS handshakes\n - Record client certificate details\n - Cannot be disabled by service\n\n- control: API gateway logging\n effectiveness: MEDIUM\n implementation:\n - Log all requests at gateway\n - Include authenticated service identity\n - Centralized visibility\n```\n\n### Information Disclosure (Confidentiality)\n\n**Threat 4.1: Secrets in Container Images**\n\n- **Description:** Secrets hardcoded in container images or accessible in image layers\n- **Attack Vector:** Image inspection, leaked images, registry compromise\n- **Impact:** CRITICAL - Credential exposure, lateral movement, data breach\n- **Likelihood:** HIGH - Very common mistake\n\n**Mitigations:**\n\n```yaml\n- control: Secrets management integration\n effectiveness: CRITICAL\n implementation:\n tool: HashiCorp Vault, AWS Secrets Manager\n process:\n - Never hardcode secrets\n - Retrieve secrets at runtime\n - Short-lived dynamic secrets\n code_example: |\n import hvac\n\n # Initialize Vault client\n client = hvac.Client(url='https://vault.example.com')\n client.auth.kubernetes.login(\n role='service-a',\n jwt=open('/var/run/secrets/kubernetes.io/serviceaccount/token').read()\n )\n\n # Retrieve secret\n secret = client.secrets.kv.v2.read_secret_version(\n path='database/credentials/service-a'\n )\n db_password = secret['data']['data']['password']\n\n- control: Image scanning for secrets\n effectiveness: HIGH\n implementation:\n tool: ggshield, TruffleHog, GitGuardian\n process:\n - Scan images in CI/CD\n - Block builds with detected secrets\n - Scan base images\n code_example: |\n # GitLab CI secret detection\n secret_detection:\n stage: test\n script:\n - ggshield scan docker service-a:$CI_COMMIT_SHA\n allow_failure: false\n\n- control: Kubernetes secrets with encryption at rest\n effectiveness: HIGH\n implementation:\n - Enable encryption at rest for etcd\n - Use external KMS (AWS KMS, GCP KMS)\n - Rotate encryption keys regularly\n code_example: |\n # EncryptionConfiguration\n apiVersion: apiserver.config.k8s.io/v1\n kind: EncryptionConfiguration\n resources:\n - resources:\n - secrets\n providers:\n - aescbc:\n keys:\n - name: key1\n secret: \u003cbase64-encoded-key>\n - identity: {}\n\n- control: Secret rotation\n effectiveness: HIGH\n implementation:\n - Automatic rotation every 90 days\n - Zero-downtime rotation\n - Audit secret access\n```\n\n**Threat 4.2: Service-to-Service Traffic Eavesdropping**\n\n- **Description:** Attacker intercepts unencrypted traffic between services\n- **Attack Vector:** Network snooping, compromised network infrastructure, ARP spoofing\n- **Impact:** HIGH - Data exposure, credential theft, PII leakage\n- **Likelihood:** MEDIUM - Requires network access\n\n**Mitigations:**\n\n```yaml\n- control: Mutual TLS for all service communication\n effectiveness: CRITICAL\n implementation:\n service_mesh: Istio, Linkerd\n configuration:\n - Enforce mTLS globally\n - Automatic certificate management\n - Certificate rotation every 24 hours\n code_example: |\n apiVersion: security.istio.io/v1beta1\n kind: PeerAuthentication\n metadata:\n name: default\n namespace: istio-system\n spec:\n mtls:\n mode: STRICT\n\n- control: Network encryption\n effectiveness: HIGH\n implementation:\n - TLS 1.3 minimum\n - Strong cipher suites only\n - Disable insecure protocols\n code_example: |\n # Nginx TLS config\n ssl_protocols TLSv1.3;\n ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384';\n ssl_prefer_server_ciphers on;\n\n- control: Network segmentation\n effectiveness: MEDIUM\n implementation:\n - Separate network namespaces\n - VPC/subnet isolation\n - No direct pod-to-pod without policy\n\n- control: Encrypted message queues\n effectiveness: HIGH\n implementation:\n - Enable TLS for Kafka, RabbitMQ\n - Encrypt messages at application level for sensitive data\n - Key rotation\n```\n\n**Threat 4.3: Log Data Exposure**\n\n- **Description:** Sensitive data logged in plaintext and accessible to unauthorized users\n- **Attack Vector:** Log aggregation access, log file access, log forwarding to external systems\n- **Impact:** HIGH - PII exposure, credential leaks, compliance violations (GDPR, PCI DSS)\n- **Likelihood:** HIGH - Very common mistake\n\n**Mitigations:**\n\n```yaml\n- control: Log sanitization\n effectiveness: CRITICAL\n implementation:\n - Never log passwords, tokens, credit cards, PII\n - Redact sensitive fields automatically\n - Use structured logging with field filtering\n code_example: |\n import structlog\n\n def sanitize_log_data(logger, method_name, event_dict):\n sensitive_fields = ['password', 'token', 'ssn', 'credit_card']\n for field in sensitive_fields:\n if field in event_dict:\n event_dict[field] = '***REDACTED***'\n return event_dict\n\n structlog.configure(\n processors=[\n sanitize_log_data,\n structlog.processors.JSONRenderer()\n ]\n )\n\n- control: Log access controls\n effectiveness: HIGH\n implementation:\n - RBAC on log aggregation system\n - Separate logs by sensitivity level\n - Audit log access\n - Encrypt logs at rest\n\n- control: Log retention policies\n effectiveness: MEDIUM\n implementation:\n - Automatic deletion of old logs\n - Compliance-based retention (7 years financial, 90 days debug)\n - Secure log disposal\n\n- control: Dynamic data masking\n effectiveness: HIGH\n implementation:\n - Mask PII in logs based on viewer role\n - Show full data only to authorized users\n - Audit unmasking events\n```\n\n### Denial of Service\n\n**Threat 5.1: Cascading Failures**\n\n- **Description:** Failure in one service cascades through dependent services, causing system-wide outage\n- **Attack Vector:** Service overload, resource exhaustion, synchronous blocking calls\n- **Impact:** CRITICAL - Complete system unavailability\n- **Likelihood:** MEDIUM - Common in tightly coupled systems\n\n**Mitigations:**\n\n```yaml\n- control: Circuit breakers\n effectiveness: HIGH\n implementation:\n library: Hystrix, Resilience4j, Polly\n configuration:\n - Open circuit after 50% failure rate\n - 10-second wait before retry\n - Fallback to cached data or degraded mode\n code_example: |\n from pybreaker import CircuitBreaker\n\n breaker = CircuitBreaker(\n fail_max=5,\n timeout_duration=60,\n expected_exception=ServiceException\n )\n\n @breaker\n def call_downstream_service():\n response = requests.get('http://service-b/api/data')\n return response.json()\n\n try:\n data = call_downstream_service()\n except CircuitBreakerError:\n # Circuit open, use fallback\n data = get_cached_data()\n\n- control: Bulkheads\n effectiveness: HIGH\n implementation:\n - Separate thread pools per dependency\n - Resource isolation per service\n - Limit concurrent requests\n code_example: |\n from concurrent.futures import ThreadPoolExecutor\n\n # Separate pools for different dependencies\n db_pool = ThreadPoolExecutor(max_workers=20)\n api_pool = ThreadPoolExecutor(max_workers=10)\n cache_pool = ThreadPoolExecutor(max_workers=5)\n\n- control: Timeouts\n effectiveness: CRITICAL\n implementation:\n - Set aggressive timeouts (1-5 seconds)\n - Timeout at every network boundary\n - Cancel long-running operations\n code_example: |\n import requests\n\n response = requests.get(\n 'http://service-b/api/data',\n timeout=(2, 5) # (connection, read) timeout\n )\n\n- control: Rate limiting per service\n effectiveness: HIGH\n implementation:\n - Limit requests to each dependency\n - Protect downstream services\n - Graceful degradation\n code_example: |\n apiVersion: networking.istio.io/v1alpha3\n kind: DestinationRule\n metadata:\n name: service-b-circuit-breaker\n spec:\n host: service-b\n trafficPolicy:\n connectionPool:\n tcp:\n maxConnections: 100\n http:\n http1MaxPendingRequests: 10\n http2MaxRequests: 100\n maxRequestsPerConnection: 2\n outlierDetection:\n consecutiveErrors: 5\n interval: 30s\n baseEjectionTime: 30s\n```\n\n**Threat 5.2: Resource Exhaustion**\n\n- **Description:** Attacker or bug causes service to consume excessive CPU, memory, or connections\n- **Attack Vector:** Unbounded loops, memory leaks, connection pool exhaustion\n- **Impact:** HIGH - Service crashes, degraded performance\n- **Likelihood:** HIGH - Common in production systems\n\n**Mitigations:**\n\n```yaml\n- control: Resource limits and requests\n effectiveness: CRITICAL\n implementation:\n platform: Kubernetes\n configuration:\n - Set CPU and memory limits\n - Define resource requests\n - Use LimitRanges and ResourceQuotas\n code_example: |\n apiVersion: v1\n kind: Pod\n metadata:\n name: service-a\n spec:\n containers:\n - name: service-a\n resources:\n requests:\n memory: \"256Mi\"\n cpu: \"250m\"\n limits:\n memory: \"512Mi\"\n cpu: \"500m\"\n\n- control: Horizontal Pod Autoscaling\n effectiveness: HIGH\n implementation:\n - Scale based on CPU/memory metrics\n - Custom metrics (request queue depth)\n - Minimum and maximum replicas\n code_example: |\n apiVersion: autoscaling/v2\n kind: HorizontalPodAutoscaler\n metadata:\n name: service-a-hpa\n spec:\n scaleTargetRef:\n apiVersion: apps/v1\n kind: Deployment\n name: service-a\n minReplicas: 3\n maxReplicas: 10\n metrics:\n - type: Resource\n resource:\n name: cpu\n target:\n type: Utilization\n averageUtilization: 70\n\n- control: Connection pooling\n effectiveness: MEDIUM\n implementation:\n - Limit database connections per instance\n - Reuse connections\n - Close idle connections\n code_example: |\n from sqlalchemy import create_engine\n\n engine = create_engine(\n database_url,\n pool_size=10,\n max_overflow=20,\n pool_timeout=30,\n pool_recycle=3600\n )\n\n- control: Memory leak detection\n effectiveness: MEDIUM\n implementation:\n - Monitor memory usage trends\n - Alert on gradual memory increase\n - Automatic pod restart on memory threshold\n```\n\n**Threat 5.3: Message Queue Flooding**\n\n- **Description:** Attacker floods message queue with messages, overwhelming consumers\n- **Attack Vector:** Compromised publisher, malicious internal service, bug causing message loop\n- **Impact:** HIGH - Queue backup, consumer crashes, message loss\n- **Likelihood:** MEDIUM - Can happen accidentally or maliciously\n\n**Mitigations:**\n\n```yaml\n- control: Message rate limiting\n effectiveness: HIGH\n implementation:\n - Limit messages per producer\n - Queue size limits\n - Dead letter queue for poison messages\n code_example: |\n # RabbitMQ queue limits\n channel.queue_declare(\n queue='orders',\n arguments={\n 'x-max-length': 10000,\n 'x-overflow': 'reject-publish',\n 'x-message-ttl': 3600000 # 1 hour\n }\n )\n\n- control: Consumer backpressure\n effectiveness: HIGH\n implementation:\n - Consumer acknowledges only when processed\n - Prefetch limit to prevent overwhelming consumer\n - Reject messages if consumer overloaded\n code_example: |\n channel.basic_qos(prefetch_count=10)\n\n def callback(ch, method, properties, body):\n try:\n process_message(body)\n ch.basic_ack(delivery_tag=method.delivery_tag)\n except Exception:\n ch.basic_nack(\n delivery_tag=method.delivery_tag,\n requeue=False\n )\n\n- control: Message validation\n effectiveness: MEDIUM\n implementation:\n - Reject malformed messages\n - Size limits on messages\n - Schema validation\n - Publisher authentication\n\n- control: Dead letter queue\n effectiveness: HIGH\n implementation:\n - Route failed messages to DLQ\n - Analyze patterns in DLQ\n - Alert on DLQ growth\n```\n\n### Elevation of Privilege\n\n**Threat 6.1: Container Escape**\n\n- **Description:** Attacker escapes container to gain access to host or other containers\n- **Attack Vector:** Kernel vulnerabilities, privileged containers, host path mounts\n- **Impact:** CRITICAL - Full cluster compromise, data breach across all services\n- **Likelihood:** LOW - Requires specific vulnerabilities or misconfigurations\n\n**Mitigations:**\n\n```yaml\n- control: Security Context constraints\n effectiveness: CRITICAL\n implementation:\n - Run containers as non-root\n - Drop all capabilities\n - Read-only root filesystem\n - No privileged mode\n code_example: |\n apiVersion: v1\n kind: Pod\n metadata:\n name: service-a\n spec:\n securityContext:\n runAsNonRoot: true\n runAsUser: 10000\n fsGroup: 10000\n seccompProfile:\n type: RuntimeDefault\n containers:\n - name: service-a\n securityContext:\n allowPrivilegeEscalation: false\n readOnlyRootFilesystem: true\n capabilities:\n drop:\n - ALL\n\n- control: Pod Security Standards\n effectiveness: HIGH\n implementation:\n - Enforce Restricted PSS in production\n - Use Pod Security Admission controller\n - Block non-compliant pods\n code_example: |\n apiVersion: v1\n kind: Namespace\n metadata:\n name: production\n labels:\n pod-security.kubernetes.io/enforce: restricted\n pod-security.kubernetes.io/audit: restricted\n pod-security.kubernetes.io/warn: restricted\n\n- control: Runtime security monitoring\n effectiveness: HIGH\n implementation:\n tool: Falco, Aqua, Sysdig\n detection:\n - Unexpected process execution\n - File system modifications\n - Network connections\n - Privilege escalation attempts\n code_example: |\n # Falco rule\n - rule: Unexpected outbound connection\n desc: Detect unexpected outbound network connection\n condition: >\n outbound and container and\n not proc.name in (expected_programs)\n output: >\n Unexpected outbound connection\n (user=%user.name command=%proc.cmdline connection=%fd.name)\n priority: WARNING\n\n- control: Kernel hardening\n effectiveness: MEDIUM\n implementation:\n - Use hardened kernel\n - Enable SELinux/AppArmor\n - Disable unused kernel modules\n - Regular kernel patching\n```\n\n**Threat 6.2: Kubernetes RBAC Bypass**\n\n- **Description:** Service obtains excessive Kubernetes API permissions\n- **Attack Vector:** Overly permissive ServiceAccount, default ServiceAccount usage, RBAC misconfiguration\n- **Impact:** HIGH - Cluster-wide access, secret theft, pod manipulation\n- **Likelihood:** MEDIUM - Common RBAC misconfigurations\n\n**Mitigations:**\n\n```yaml\n- control: Least privilege ServiceAccounts\n effectiveness: CRITICAL\n implementation:\n - Dedicated ServiceAccount per service\n - Minimal required permissions only\n - Never use default ServiceAccount\n code_example: |\n apiVersion: v1\n kind: ServiceAccount\n metadata:\n name: service-a-sa\n namespace: production\n automountServiceAccountToken: true\n ---\n apiVersion: rbac.authorization.k8s.io/v1\n kind: Role\n metadata:\n name: service-a-role\n namespace: production\n rules:\n - apiGroups: [\"\"]\n resources: [\"configmaps\"]\n verbs: [\"get\", \"list\"]\n resourceNames: [\"service-a-config\"]\n ---\n apiVersion: rbac.authorization.k8s.io/v1\n kind: RoleBinding\n metadata:\n name: service-a-binding\n namespace: production\n subjects:\n - kind: ServiceAccount\n name: service-a-sa\n namespace: production\n roleRef:\n kind: Role\n name: service-a-role\n apiGroup: rbac.authorization.k8s.io\n\n- control: Disable ServiceAccount token automounting\n effectiveness: HIGH\n implementation:\n - Set automountServiceAccountToken: false\n - Only mount when Kubernetes API access needed\n - Use projected volumes for fine-grained control\n\n- control: RBAC audit\n effectiveness: MEDIUM\n implementation:\n tool: rbac-lookup, kubectl-who-can\n process:\n - Regular RBAC permission reviews\n - Identify overly permissive roles\n - Remove unused ServiceAccounts\n\n- control: Admission controller validation\n effectiveness: HIGH\n implementation:\n - OPA policy to enforce RBAC best practices\n - Block pods using default ServiceAccount\n - Require explicit RBAC bindings\n```\n\n**Threat 6.3: Supply Chain Compromise**\n\n- **Description:** Malicious code injected through compromised dependencies\n- **Attack Vector:** Compromised npm/pip package, typosquatting, dependency confusion\n- **Impact:** CRITICAL - Backdoor installation, data exfiltration, ransomware\n- **Likelihood:** MEDIUM - Increasing trend in supply chain attacks\n\n**Mitigations:**\n\n```yaml\n- control: Dependency scanning\n effectiveness: HIGH\n implementation:\n tool: Snyk, Dependabot, Renovate\n process:\n - Scan dependencies in CI/CD\n - Block high/critical vulnerabilities\n - Automated security updates\n code_example: |\n # GitHub Dependabot config\n version: 2\n updates:\n - package-ecosystem: \"pip\"\n directory: \"/\"\n schedule:\n interval: \"weekly\"\n open-pull-requests-limit: 10\n reviewers:\n - \"security-team\"\n\n- control: Software Bill of Materials (SBOM)\n effectiveness: HIGH\n implementation:\n tool: Syft, CycloneDX\n process:\n - Generate SBOM for each image\n - Track all dependencies\n - Vulnerability correlation\n code_example: |\n # Generate SBOM\n syft packages gcr.io/project/service-a:v1.2.3 \\\n -o cyclonedx-json > sbom.json\n\n- control: Private package registry\n effectiveness: HIGH\n implementation:\n - Use Artifactory, Nexus, or cloud registry\n - Proxy and cache public packages\n - Scan packages before caching\n - Block unapproved packages\n\n- control: Vendor dependency pinning\n effectiveness: MEDIUM\n implementation:\n - Pin exact versions (not ranges)\n - Use lock files (package-lock.json, Pipfile.lock)\n - Review all dependency updates\n code_example: |\n # requirements.txt with pinned versions\n flask==2.3.2\n sqlalchemy==2.0.18\n pyjwt==2.8.0\n\n- control: Code signing and verification\n effectiveness: HIGH\n implementation:\n - Verify package signatures\n - Use trusted registries only\n - Checksum verification\n```\n\n## Threat Risk Matrix\n\n| Threat | Impact | Likelihood | Risk | Priority |\n|--------|--------|------------|------|----------|\n| Service Impersonation | CRITICAL | MEDIUM | CRITICAL | P0 |\n| Container Image Tampering | CRITICAL | MEDIUM | CRITICAL | P0 |\n| Container Escape | CRITICAL | LOW | HIGH | P1 |\n| Secrets in Images | CRITICAL | HIGH | CRITICAL | P0 |\n| Database Injection | CRITICAL | MEDIUM | CRITICAL | P0 |\n| Kubernetes RBAC Bypass | HIGH | MEDIUM | HIGH | P1 |\n| Supply Chain Compromise | CRITICAL | MEDIUM | CRITICAL | P0 |\n| Cascading Failures | CRITICAL | MEDIUM | CRITICAL | P0 |\n| API Token Theft | HIGH | HIGH | HIGH | P1 |\n| Traffic Eavesdropping | HIGH | MEDIUM | HIGH | P1 |\n| Log Data Exposure | HIGH | HIGH | HIGH | P1 |\n| Resource Exhaustion | HIGH | HIGH | HIGH | P1 |\n| Message Queue Tampering | HIGH | MEDIUM | MEDIUM | P2 |\n| Configuration Tampering | HIGH | MEDIUM | MEDIUM | P2 |\n| Message Queue Flooding | HIGH | MEDIUM | MEDIUM | P2 |\n| Tracing Blind Spots | MEDIUM | HIGH | MEDIUM | P2 |\n| Service Call Denial | MEDIUM | LOW | LOW | P3 |\n\n## Security Controls Summary\n\n**Critical (P0):**\n- Mutual TLS (mTLS) for all service-to-service communication\n- Image signing and admission control\n- Secrets management system (Vault)\n- Container security contexts (non-root, read-only, no privileges)\n- Parameterized queries at every service\n- Circuit breakers and timeouts\n- RBAC least privilege\n- Dependency scanning and SBOM\n\n**High Priority (P1):**\n- Short-lived tokens with rotation\n- Network policies and segmentation\n- Distributed tracing\n- Log sanitization\n- Resource limits and autoscaling\n- Runtime security monitoring (Falco)\n- Private package registry\n\n**Recommended (P2):**\n- Message signing\n- Configuration encryption\n- Structured logging with trace context\n- Connection pooling\n- Dead letter queues\n- RBAC audit tools\n\n## Implementation Checklist\n\n- [ ] Deploy service mesh (Istio/Linkerd) with strict mTLS\n- [ ] Configure image signing and admission controller\n- [ ] Deploy HashiCorp Vault for secrets management\n- [ ] Set Pod Security Standards to Restricted\n- [ ] Implement least privilege RBAC for all services\n- [ ] Deploy distributed tracing (OpenTelemetry)\n- [ ] Configure structured logging with sanitization\n- [ ] Implement circuit breakers for all service calls\n- [ ] Set resource limits on all pods\n- [ ] Deploy horizontal pod autoscalers\n- [ ] Configure network policies\n- [ ] Enable Kubernetes audit logging\n- [ ] Deploy runtime security monitoring (Falco)\n- [ ] Implement dependency scanning in CI/CD\n- [ ] Generate SBOMs for all images\n- [ ] Configure message queue encryption\n- [ ] Set up centralized log aggregation (ELK/Splunk)\n- [ ] Implement rate limiting at API gateway and service mesh\n- [ ] Deploy monitoring and alerting (Prometheus/Grafana)\n- [ ] Conduct regular penetration testing\n\n## References\n\n- [OWASP Microservices Security](https://owasp.org/www-project-microservices-security/)\n- [NIST SP 800-204: Security Strategies for Microservices](https://csrc.nist.gov/publications/detail/sp/800-204/final)\n- [Kubernetes Security Best Practices](https://kubernetes.io/docs/concepts/security/security-best-practices/)\n- [CNCF Cloud Native Security Whitepaper](https://www.cncf.io/wp-content/uploads/2020/11/CNCF_Cloud_Native_Security_Whitepaper_Nov_2020.pdf)\n- [Container Security Guide (NIST SP 800-190)](https://csrc.nist.gov/publications/detail/sp/800-190/final)\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":43595,"content_sha256":"03d75920efa06493b18caed3b7630b9354526f4690ce1e575775a64bb70286f6"},{"filename":"examples/threat-models/web-app-stride.md","content":"# Web Application STRIDE Threat Model Example\n\n## System Overview\n\n**Application:** E-commerce Web Application\n**Architecture:** Three-tier (Web → Application → Database)\n**Technology Stack:**\n- Frontend: React SPA\n- API: Node.js/Express REST API\n- Database: PostgreSQL\n- Authentication: OAuth 2.0 + JWT\n- Hosting: AWS (CloudFront, ALB, EC2, RDS)\n\n## Data Flow Diagram\n\n```\n┌─────────┐ ┌──────────┐\n│ User │─────(1) HTTPS Request───────────────────►│CloudFront│\n│(Browser)│◄────(10) HTTPS Response──────────────────│ CDN │\n└─────────┘ └────┬─────┘\n │\n (2) Forward\n │\n ┌────▼─────┐\n │ WAF │\n │ (AWS WAF)│\n └────┬─────┘\n │\n (3) Inspect\n │\n ┌────▼─────┐\n │ ALB │\n │(Load Bal)│\n └────┬─────┘\n │\n ┌────────────────┼────────────────┐\n │ │ │\n ┌────▼────┐ ┌────▼────┐ ┌────▼────┐\n │Web App 1│ │Web App 2│ │Web App 3│\n │(Express)│ │(Express)│ │(Express)│\n └────┬────┘ └────┬────┘ └────┬────┘\n │ │ │\n └────────────────┼────────────────┘\n │\n (4) SQL Query\n │\n ┌────▼─────┐\n │PostgreSQL│\n │ RDS │\n └──────────┘\n\nTrust Boundaries:\n───────────────── Internet / AWS (1-2)\n───────────────── WAF / Application (3)\n───────────────── Application / Database (4)\n```\n\n## STRIDE Threat Analysis\n\n### Component 1: User (Browser)\n\n#### Threat: Spoofing\n\n**S1.1: Phishing Attack**\n- **Description:** Attacker creates fake login page to steal credentials\n- **Impact:** HIGH - User credentials compromised\n- **Likelihood:** MEDIUM - Common attack vector\n- **Mitigation:**\n - Implement HTTPS with EV certificate (visible in browser)\n - User education and security awareness training\n - FIDO2/WebAuthn for phishing-resistant authentication\n - Email warnings for suspicious login attempts\n\n---\n\n### Component 2: CloudFront (CDN)\n\n#### Threat: Tampering\n\n**T2.1: Man-in-the-Middle (MITM) Attack**\n- **Description:** Attacker intercepts traffic between user and CDN\n- **Impact:** HIGH - Data theft, session hijacking\n- **Likelihood:** LOW - HTTPS prevents MITM\n- **Mitigation:**\n - Enforce TLS 1.3 minimum\n - HSTS (HTTP Strict Transport Security) headers\n - Certificate pinning for mobile apps\n\n#### Threat: Denial of Service\n\n**D2.1: DDoS Attack on CDN**\n- **Description:** Volumetric DDoS attack overwhelms CDN\n- **Impact:** HIGH - Service unavailability\n- **Likelihood:** MEDIUM - E-commerce targets for extortion\n- **Mitigation:**\n - CloudFront DDoS protection (built-in)\n - AWS Shield Standard (free) or Advanced\n - Rate limiting at CDN edge\n\n---\n\n### Component 3: WAF (AWS WAF)\n\n#### Threat: Elevation of Privilege\n\n**E3.1: WAF Bypass**\n- **Description:** Attacker bypasses WAF rules to reach application\n- **Impact:** HIGH - Exposes application to attacks\n- **Likelihood:** MEDIUM - WAF rules can be bypassed\n- **Mitigation:**\n - Regularly update WAF rules (OWASP Core Rule Set)\n - Custom rules for application-specific attacks\n - Rate limiting and geographic restrictions\n - Monitor WAF logs for bypass attempts\n\n---\n\n### Component 4: Application Load Balancer (ALB)\n\n#### Threat: Denial of Service\n\n**D4.1: HTTP Flood Attack**\n- **Description:** Application-layer DDoS targeting ALB\n- **Impact:** HIGH - Service degradation\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - ALB connection limits and timeouts\n - Auto-scaling based on load\n - Rate limiting at application layer\n - WAF rate-based rules\n\n---\n\n### Component 5: Web Application (Express API)\n\n#### Threat: Spoofing\n\n**S5.1: JWT Token Forgery**\n- **Description:** Attacker forges JWT token to impersonate user\n- **Impact:** CRITICAL - Complete account takeover\n- **Likelihood:** LOW - Requires key compromise\n- **Mitigation:**\n - Strong JWT signing algorithm (RS256, not HS256 with weak secret)\n - Short token expiry (15 minutes)\n - Refresh token rotation\n - Store signing keys in AWS Secrets Manager\n - Validate token signature, expiry, issuer, audience\n\n#### Threat: Tampering\n\n**T5.1: SQL Injection**\n- **Description:** Attacker injects SQL code via user input\n- **Impact:** CRITICAL - Database compromise, data breach\n- **Likelihood:** MEDIUM - Common attack, but mitigable\n- **Mitigation:**\n - Use parameterized queries or ORM (Sequelize, TypeORM)\n - Input validation (whitelist, length limits)\n - Least privilege database user (no DROP, CREATE permissions)\n - WAF SQL injection rules\n - Regular SAST/DAST scanning\n\n**T5.2: API Parameter Tampering**\n- **Description:** User modifies request parameters to access unauthorized data\n- **Impact:** HIGH - Unauthorized data access (IDOR)\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - Server-side authorization checks (verify user owns resource)\n - Indirect object references (use UUIDs, not sequential IDs)\n - Input validation on all parameters\n\n#### Threat: Repudiation\n\n**R5.1: User Denies Transaction**\n- **Description:** User denies making purchase or action\n- **Impact:** MEDIUM - Fraud, chargebacks\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - Comprehensive audit logging (user, IP, timestamp, action)\n - Immutable logs (centralized SIEM)\n - Email confirmation for critical actions (purchases, password changes)\n - Transaction receipts and order history\n\n#### Threat: Information Disclosure\n\n**I5.1: Verbose Error Messages**\n- **Description:** Error messages reveal internal paths, stack traces\n- **Impact:** MEDIUM - Aids attacker reconnaissance\n- **Likelihood:** HIGH - Common misconfiguration\n- **Mitigation:**\n - Generic error messages to users (\"An error occurred\")\n - Detailed errors only in server logs\n - Custom error pages (500, 404)\n - Remove stack traces in production\n\n**I5.2: API Responses Leak Sensitive Data**\n- **Description:** API returns more data than necessary (full user objects)\n- **Impact:** MEDIUM - Exposure of PII, internal data\n- **Likelihood:** HIGH\n- **Mitigation:**\n - Return only necessary fields (use DTOs)\n - Serialize responses (remove sensitive fields)\n - API response schema validation\n\n**I5.3: Session Token Exposure in Logs**\n- **Description:** JWT tokens logged in application logs\n- **Impact:** HIGH - Session hijacking if logs compromised\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - Redact tokens in logs (mask Authorization headers)\n - Secure log storage (encryption, access control)\n - Short token expiry reduces exposure window\n\n#### Threat: Denial of Service\n\n**D5.1: API Rate Limit Bypass**\n- **Description:** Attacker bypasses rate limiting to exhaust resources\n- **Impact:** MEDIUM - Service degradation\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - Multiple rate limiting layers (IP, user, API key)\n - Distributed rate limiting (Redis)\n - CAPTCHA for suspicious traffic\n - Auto-scaling to handle bursts\n\n**D5.2: Resource Exhaustion (ReDoS)**\n- **Description:** Regex Denial of Service via malicious input\n- **Impact:** MEDIUM - CPU exhaustion, service unavailability\n- **Likelihood:** LOW\n- **Mitigation:**\n - Avoid complex regex patterns\n - Timeout limits for regex execution\n - Input length limits\n - Use safe regex libraries (re2)\n\n#### Threat: Elevation of Privilege\n\n**E5.1: Broken Access Control**\n- **Description:** User accesses admin endpoints without authorization\n- **Impact:** CRITICAL - Complete system compromise\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - Authorization checks on every endpoint\n - RBAC (role-based access control)\n - Separate admin API with additional authentication\n - Principle of least privilege\n\n**E5.2: Insecure Direct Object References (IDOR)**\n- **Description:** User accesses other users' data by changing ID parameter\n- **Impact:** HIGH - Unauthorized data access\n- **Likelihood:** HIGH - Very common vulnerability\n- **Mitigation:**\n - Verify user owns resource before returning data\n - Use UUIDs instead of sequential IDs\n - Indirect object references (session-based mapping)\n\n---\n\n### Component 6: PostgreSQL Database (RDS)\n\n#### Threat: Tampering\n\n**T6.1: Database Compromise via SQL Injection**\n- **Description:** SQL injection leads to data modification/deletion\n- **Impact:** CRITICAL - Data integrity loss, data destruction\n- **Likelihood:** LOW (if application mitigations applied)\n- **Mitigation:**\n - Parameterized queries (primary defense)\n - Database user least privilege (read-only for most operations)\n - Database audit logging\n - Immutable backups\n\n#### Threat: Information Disclosure\n\n**I6.1: Database Backup Exposure**\n- **Description:** RDS snapshot publicly accessible or stolen\n- **Impact:** CRITICAL - Full database dump exposed\n- **Likelihood:** LOW - Requires misconfiguration\n- **Mitigation:**\n - Private RDS in VPC (no internet access)\n - Encrypted snapshots (AWS KMS)\n - Access control on snapshots (IAM policies)\n - Regular snapshot access audits\n\n**I6.2: Database Connection String in Code**\n- **Description:** Database credentials hardcoded in source code\n- **Impact:** CRITICAL - Database full access if code leaked\n- **Likelihood:** MEDIUM - Common developer mistake\n- **Mitigation:**\n - Store credentials in AWS Secrets Manager\n - IAM database authentication (no passwords)\n - Secrets rotation\n - Code scanning for hardcoded secrets (git-secrets, TruffleHog)\n\n#### Threat: Denial of Service\n\n**D6.1: Database Connection Pool Exhaustion**\n- **Description:** Attacker opens many connections, exhausting pool\n- **Impact:** HIGH - Database unavailable\n- **Likelihood:** MEDIUM\n- **Mitigation:**\n - Connection pool limits\n - Connection timeouts\n - Application-level connection management\n - Auto-scaling RDS read replicas\n\n---\n\n## Threat Summary Matrix\n\n| ID | Component | STRIDE | Threat | Risk | Priority |\n|----|-----------|--------|--------|------|----------|\n| S1.1 | User | Spoofing | Phishing | HIGH | P1 |\n| T2.1 | CDN | Tampering | MITM | HIGH | P2 |\n| D2.1 | CDN | DoS | DDoS | HIGH | P1 |\n| E3.1 | WAF | Elevation | WAF Bypass | HIGH | P2 |\n| D4.1 | ALB | DoS | HTTP Flood | HIGH | P2 |\n| S5.1 | API | Spoofing | JWT Forgery | CRITICAL | P0 |\n| T5.1 | API | Tampering | SQL Injection | CRITICAL | P0 |\n| T5.2 | API | Tampering | Param Tampering | HIGH | P1 |\n| R5.1 | API | Repudiation | Deny Transaction | MEDIUM | P3 |\n| I5.1 | API | Info Disclosure | Verbose Errors | MEDIUM | P3 |\n| I5.2 | API | Info Disclosure | API Data Leak | MEDIUM | P2 |\n| I5.3 | API | Info Disclosure | Token in Logs | HIGH | P2 |\n| D5.1 | API | DoS | Rate Limit Bypass | MEDIUM | P3 |\n| D5.2 | API | DoS | ReDoS | MEDIUM | P4 |\n| E5.1 | API | Elevation | Broken Access | CRITICAL | P0 |\n| E5.2 | API | Elevation | IDOR | HIGH | P1 |\n| T6.1 | DB | Tampering | SQLi Compromise | CRITICAL | P0 |\n| I6.1 | DB | Info Disclosure | Backup Exposure | CRITICAL | P0 |\n| I6.2 | DB | Info Disclosure | Hardcoded Creds | CRITICAL | P0 |\n| D6.1 | DB | DoS | Connection Exhaust | HIGH | P2 |\n\n**Priority Levels:**\n- P0: Critical - Immediate action required\n- P1: High - Address within 1 sprint\n- P2: Medium - Address within 1 quarter\n- P3: Low - Backlog\n- P4: Informational\n\n---\n\n## Mitigation Roadmap\n\n### Sprint 1 (Immediate - P0)\n- ☐ Implement parameterized queries for all database operations (T5.1, T6.1)\n- ☐ Add authorization checks to all API endpoints (E5.1)\n- ☐ Migrate database credentials to AWS Secrets Manager (I6.2)\n- ☐ Enable RDS encryption and private VPC placement (I6.1)\n- ☐ Strengthen JWT signing (RS256, key rotation) (S5.1)\n\n### Sprint 2-3 (High Priority - P1)\n- ☐ Implement FIDO2/WebAuthn for phishing resistance (S1.1)\n- ☐ Deploy comprehensive IDOR protection (E5.2)\n- ☐ Fix API parameter tampering vulnerabilities (T5.2)\n- ☐ Enable AWS Shield and DDoS protection (D2.1)\n\n### Quarter (Medium Priority - P2)\n- ☐ Harden WAF rules and monitor bypass attempts (E3.1)\n- ☐ Implement multi-layer rate limiting (D4.1, D5.1)\n- ☐ Minimize API response data (I5.2)\n- ☐ Redact tokens from logs (I5.3)\n- ☐ TLS 1.3 enforcement and HSTS (T2.1)\n\n### Backlog (Low Priority - P3-P4)\n- ☐ Comprehensive audit logging (R5.1)\n- ☐ Custom error pages (I5.1)\n- ☐ ReDoS prevention (D5.2)\n\n---\n\n## Validation\n\n**Testing:**\n- ☐ SAST: SonarQube scan for SQL injection, hardcoded secrets\n- ☐ DAST: OWASP ZAP scan for IDOR, broken access control, XSS\n- ☐ Penetration Testing: Third-party security audit\n- ☐ Dependency Scanning: Snyk for vulnerable libraries\n\n**Monitoring:**\n- ☐ WAF logs for attack patterns\n- ☐ API logs for failed authorization attempts\n- ☐ SIEM alerts for anomalous behavior (UEBA)\n- ☐ Database audit logs for suspicious queries\n\n**Compliance:**\n- ☐ Map mitigations to OWASP Top 10\n- ☐ Map mitigations to PCI DSS requirements (if applicable)\n- ☐ Document security controls for SOC 2 audit\n\n---\n\n## Conclusion\n\nThis STRIDE analysis identified 20 threats across 6 components, with 6 critical (P0) threats requiring immediate remediation. Primary focus areas:\n\n1. **SQL Injection Prevention:** Parameterized queries, input validation\n2. **Access Control:** Authorization checks, IDOR prevention\n3. **Secrets Management:** Migrate to AWS Secrets Manager\n4. **Data Protection:** RDS encryption, private VPC placement\n5. **Authentication:** Strengthen JWT, implement phishing-resistant auth\n\nRegular threat model updates recommended after significant architecture changes or security incidents.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":15596,"content_sha256":"5499349f94098e887059569b92bb925f58920afaf00bd58b6a5bffe430062897"},{"filename":"outputs.yaml","content":"skill: \"architecting-security\"\nversion: \"1.0\"\ndomain: \"security\"\n\nbase_outputs:\n - path: \"docs/security/architecture-overview.md\"\n must_contain:\n - \"Defense in Depth\"\n - \"Zero Trust\"\n - \"security architecture\"\n\n - path: \"docs/security/threat-model.md\"\n must_contain:\n - \"STRIDE\"\n - \"threat categories\"\n - \"mitigation\"\n\n - path: \"security/policies/security-baseline.md\"\n must_contain:\n - \"security controls\"\n - \"baseline requirements\"\n\n - path: \"docs/security/incident-response-plan.md\"\n must_contain:\n - \"incident response\"\n - \"escalation\"\n - \"recovery\"\n\nconditional_outputs:\n maturity:\n starter:\n - path: \"security/policies/access-control-policy.md\"\n must_contain:\n - \"authentication\"\n - \"MFA\"\n - \"password policy\"\n\n - path: \"security/policies/data-protection-policy.md\"\n must_contain:\n - \"encryption\"\n - \"data classification\"\n\n - path: \"docs/security/cis-controls-ig1.md\"\n must_contain:\n - \"CIS Controls\"\n - \"Implementation Group 1\"\n - \"asset inventory\"\n\n intermediate:\n - path: \"security/architecture/zero-trust-architecture.md\"\n must_contain:\n - \"Zero Trust\"\n - \"continuous verification\"\n - \"micro-segmentation\"\n\n - path: \"security/policies/privileged-access-management.md\"\n must_contain:\n - \"PAM\"\n - \"just-in-time access\"\n - \"credential vaulting\"\n\n - path: \"docs/security/nist-csf-mapping.md\"\n must_contain:\n - \"NIST CSF\"\n - \"GOVERN\"\n - \"IDENTIFY\"\n - \"PROTECT\"\n - \"DETECT\"\n - \"RESPOND\"\n - \"RECOVER\"\n\n - path: \"security/sbom/sbom-policy.md\"\n must_contain:\n - \"SBOM\"\n - \"Software Bill of Materials\"\n - \"dependency management\"\n\n - path: \"docs/security/cis-controls-ig2.md\"\n must_contain:\n - \"CIS Controls\"\n - \"Implementation Group 2\"\n\n advanced:\n - path: \"security/architecture/defense-in-depth-layers.md\"\n must_contain:\n - \"defense in depth\"\n - \"9 layers\"\n - \"physical security\"\n - \"network perimeter\"\n - \"endpoint protection\"\n\n - path: \"security/threat-models/stride-analysis.md\"\n must_contain:\n - \"STRIDE\"\n - \"Spoofing\"\n - \"Tampering\"\n - \"Repudiation\"\n - \"Information Disclosure\"\n - \"Denial of Service\"\n - \"Elevation of Privilege\"\n\n - path: \"security/threat-models/attack-trees.md\"\n must_contain:\n - \"attack tree\"\n - \"attack paths\"\n\n - path: \"security/slsa/slsa-implementation.md\"\n must_contain:\n - \"SLSA\"\n - \"supply chain\"\n - \"provenance\"\n - \"build security\"\n\n - path: \"security/monitoring/siem-architecture.md\"\n must_contain:\n - \"SIEM\"\n - \"log aggregation\"\n - \"security events\"\n - \"correlation\"\n\n - path: \"security/monitoring/soar-playbooks.md\"\n must_contain:\n - \"SOAR\"\n - \"automated response\"\n - \"playbooks\"\n\n - path: \"security/architecture/cspm-strategy.md\"\n must_contain:\n - \"CSPM\"\n - \"Cloud Security Posture Management\"\n - \"compliance monitoring\"\n\n - path: \"docs/security/cis-controls-ig3.md\"\n must_contain:\n - \"CIS Controls\"\n - \"Implementation Group 3\"\n\n cloud_provider:\n aws:\n - path: \"security/aws/security-architecture.md\"\n must_contain:\n - \"AWS\"\n - \"Well-Architected Framework\"\n - \"Security Pillar\"\n\n - path: \"security/aws/multi-account-strategy.md\"\n must_contain:\n - \"AWS Organizations\"\n - \"Security OU\"\n - \"Service Control Policies\"\n\n - path: \"security/aws/iam-strategy.md\"\n must_contain:\n - \"AWS IAM\"\n - \"IAM Identity Center\"\n - \"least privilege\"\n\n - path: \"security/aws/network-security.md\"\n must_contain:\n - \"VPC\"\n - \"Security Groups\"\n - \"AWS WAF\"\n - \"Shield\"\n\n - path: \"security/aws/monitoring.md\"\n must_contain:\n - \"GuardDuty\"\n - \"Security Hub\"\n - \"CloudTrail\"\n\n - path: \"security/aws/kms-key-management.md\"\n must_contain:\n - \"AWS KMS\"\n - \"encryption\"\n - \"key rotation\"\n\n gcp:\n - path: \"security/gcp/security-architecture.md\"\n must_contain:\n - \"GCP\"\n - \"Security Command Center\"\n - \"security best practices\"\n\n - path: \"security/gcp/organization-hierarchy.md\"\n must_contain:\n - \"GCP Organization\"\n - \"Folders\"\n - \"Projects\"\n - \"IAM inheritance\"\n\n - path: \"security/gcp/iam-strategy.md\"\n must_contain:\n - \"Cloud IAM\"\n - \"service accounts\"\n - \"least privilege\"\n\n - path: \"security/gcp/network-security.md\"\n must_contain:\n - \"VPC\"\n - \"Cloud Armor\"\n - \"VPC Service Controls\"\n\n - path: \"security/gcp/monitoring.md\"\n must_contain:\n - \"Security Command Center\"\n - \"Chronicle\"\n - \"Event Threat Detection\"\n\n - path: \"security/gcp/kms-key-management.md\"\n must_contain:\n - \"Cloud KMS\"\n - \"encryption\"\n - \"key rotation\"\n\n azure:\n - path: \"security/azure/security-architecture.md\"\n must_contain:\n - \"Azure\"\n - \"Azure Security Benchmark\"\n - \"Defender for Cloud\"\n\n - path: \"security/azure/landing-zone.md\"\n must_contain:\n - \"Azure Landing Zone\"\n - \"hub-spoke\"\n - \"Management Groups\"\n\n - path: \"security/azure/iam-strategy.md\"\n must_contain:\n - \"Azure AD\"\n - \"Entra ID\"\n - \"Conditional Access\"\n - \"Privileged Identity Management\"\n\n - path: \"security/azure/network-security.md\"\n must_contain:\n - \"VNet\"\n - \"Azure Firewall\"\n - \"Network Security Groups\"\n - \"DDoS Protection\"\n\n - path: \"security/azure/monitoring.md\"\n must_contain:\n - \"Defender for Cloud\"\n - \"Sentinel\"\n - \"Azure Monitor\"\n\n - path: \"security/azure/key-vault.md\"\n must_contain:\n - \"Azure Key Vault\"\n - \"secrets management\"\n - \"encryption\"\n\n infrastructure:\n kubernetes:\n - path: \"security/kubernetes/k8s-security-architecture.md\"\n must_contain:\n - \"Kubernetes\"\n - \"RBAC\"\n - \"Pod Security\"\n - \"Network Policies\"\n\n - path: \"security/kubernetes/pod-security-standards.md\"\n must_contain:\n - \"Pod Security Standards\"\n - \"Privileged\"\n - \"Baseline\"\n - \"Restricted\"\n\n - path: \"security/kubernetes/network-policies.md\"\n must_contain:\n - \"NetworkPolicy\"\n - \"ingress rules\"\n - \"egress rules\"\n\n - path: \"security/kubernetes/secrets-management.md\"\n must_contain:\n - \"Kubernetes Secrets\"\n - \"encryption at rest\"\n - \"external secrets\"\n\n docker:\n - path: \"security/docker/container-security.md\"\n must_contain:\n - \"container security\"\n - \"image scanning\"\n - \"runtime security\"\n\n - path: \"security/docker/image-hardening.md\"\n must_contain:\n - \"Docker image\"\n - \"minimal base images\"\n - \"vulnerability scanning\"\n\n terraform:\n - path: \"security/terraform/secure-iac.md\"\n must_contain:\n - \"Infrastructure as Code\"\n - \"Terraform\"\n - \"security best practices\"\n\n - path: \"security/terraform/state-security.md\"\n must_contain:\n - \"Terraform state\"\n - \"encryption\"\n - \"remote backend\"\n\n compliance:\n soc2:\n - path: \"security/compliance/soc2-controls.md\"\n must_contain:\n - \"SOC 2\"\n - \"Trust Services Criteria\"\n - \"security controls\"\n\n - path: \"security/compliance/soc2-evidence.md\"\n must_contain:\n - \"SOC 2\"\n - \"evidence collection\"\n - \"audit\"\n\n hipaa:\n - path: \"security/compliance/hipaa-security-rule.md\"\n must_contain:\n - \"HIPAA\"\n - \"Security Rule\"\n - \"PHI protection\"\n\n - path: \"security/compliance/hipaa-risk-assessment.md\"\n must_contain:\n - \"HIPAA\"\n - \"risk assessment\"\n - \"security controls\"\n\n pci_dss:\n - path: \"security/compliance/pci-dss-requirements.md\"\n must_contain:\n - \"PCI DSS\"\n - \"cardholder data\"\n - \"12 requirements\"\n\n - path: \"security/compliance/pci-dss-network-segmentation.md\"\n must_contain:\n - \"PCI DSS\"\n - \"network segmentation\"\n - \"cardholder data environment\"\n\n iso27001:\n - path: \"security/compliance/iso27001-isms.md\"\n must_contain:\n - \"ISO 27001\"\n - \"ISMS\"\n - \"Information Security Management System\"\n\n - path: \"security/compliance/iso27001-controls.md\"\n must_contain:\n - \"ISO 27001\"\n - \"Annex A\"\n - \"114 controls\"\n\n gdpr:\n - path: \"security/compliance/gdpr-privacy-architecture.md\"\n must_contain:\n - \"GDPR\"\n - \"privacy by design\"\n - \"personal data\"\n\n - path: \"security/compliance/gdpr-data-protection.md\"\n must_contain:\n - \"GDPR\"\n - \"data protection\"\n - \"consent management\"\n\nscaffolding:\n - path: \"security/\"\n type: \"directory\"\n\n - path: \"security/policies/\"\n type: \"directory\"\n\n - path: \"security/architecture/\"\n type: \"directory\"\n\n - path: \"security/threat-models/\"\n type: \"directory\"\n\n - path: \"security/monitoring/\"\n type: \"directory\"\n\n - path: \"security/compliance/\"\n type: \"directory\"\n\n - path: \"docs/security/\"\n type: \"directory\"\n\n - path: \"security/README.md\"\n must_contain:\n - \"Security Architecture\"\n - \"documentation\"\n\n - path: \"security/.gitignore\"\n must_contain:\n - \"*.key\"\n - \"*.pem\"\n - \"*.p12\"\n - \"secrets/\"\n\nmetadata:\n primary_blueprints: [\"security\"]\n contributes_to:\n - \"Security architecture design\"\n - \"Defense-in-depth implementation\"\n - \"Zero trust architecture\"\n - \"Threat modeling and risk assessment\"\n - \"Security control framework mapping\"\n - \"Compliance and governance\"\n - \"Cloud security architecture\"\n - \"Supply chain security\"\n - \"Identity and access management\"\n - \"Security monitoring and operations\"\n\n output_examples:\n - \"Security architecture diagrams with defense-in-depth layers\"\n - \"Zero trust implementation roadmap and architecture\"\n - \"STRIDE threat models for applications and APIs\"\n - \"NIST CSF, CIS Controls, ISO 27001 control mappings\"\n - \"Cloud security architecture (AWS, GCP, Azure)\"\n - \"SLSA and SBOM supply chain security documentation\"\n - \"IAM strategy with RBAC/ABAC/PAM patterns\"\n - \"SIEM and SOAR architecture for security operations\"\n - \"Compliance documentation for SOC 2, HIPAA, PCI DSS\"\n - \"Security policies and incident response plans\"\n\n related_skills:\n - \"infrastructure-as-code\"\n - \"kubernetes-operations\"\n - \"secret-management\"\n - \"building-ci-pipelines\"\n - \"configuring-firewalls\"\n - \"vulnerability-management\"\n - \"auth-security\"\n - \"siem-logging\"\n - \"compliance-frameworks\"\n\n tags:\n - \"security\"\n - \"architecture\"\n - \"zero-trust\"\n - \"defense-in-depth\"\n - \"threat-modeling\"\n - \"compliance\"\n - \"nist\"\n - \"cis-controls\"\n - \"cloud-security\"\n - \"iam\"\n","content_type":"application/yaml; charset=utf-8","language":"yaml","size":11842,"content_sha256":"4c803141dd9ebd08660a658ee130dd244de5bd3739a042dceac90f18d885ce73"},{"filename":"references/aws-security-architecture.md","content":"# AWS Security Architecture Reference\n\n\n## Table of Contents\n\n- [AWS Well-Architected Framework - Security Pillar](#aws-well-architected-framework-security-pillar)\n - [5 Design Principles](#5-design-principles)\n- [Key AWS Security Services](#key-aws-security-services)\n - [Identity & Access Management](#identity-access-management)\n - [Detection & Response](#detection-response)\n - [Network Security](#network-security)\n - [Data Protection](#data-protection)\n - [Infrastructure Security](#infrastructure-security)\n- [Multi-Account Security Architecture](#multi-account-security-architecture)\n- [VPC Security Architecture](#vpc-security-architecture)\n\n## AWS Well-Architected Framework - Security Pillar\n\n### 5 Design Principles\n\n1. **Implement strong identity foundation:** Centralize IAM, least privilege, separation of duties\n2. **Enable traceability:** Log and monitor all actions\n3. **Apply security at all layers:** Defense in depth across network, instance, application, data\n4. **Automate security best practices:** Infrastructure as Code\n5. **Protect data in transit and at rest:** Encryption everywhere\n\n## Key AWS Security Services\n\n### Identity & Access Management\n\n| Service | Purpose |\n|---------|---------|\n| **AWS IAM** | User and service identity management |\n| **IAM Identity Center** | SSO for multi-account environments |\n| **AWS Cognito** | Customer identity and authentication |\n| **AWS Organizations** | Multi-account management |\n\n### Detection & Response\n\n| Service | Purpose |\n|---------|---------|\n| **Amazon GuardDuty** | Threat detection (ML-based) |\n| **AWS Security Hub** | Centralized security findings |\n| **Amazon Detective** | Security investigation |\n| **AWS CloudTrail** | API audit logging |\n\n### Network Security\n\n| Service | Purpose |\n|---------|---------|\n| **AWS WAF** | Web application firewall |\n| **AWS Shield** | DDoS protection |\n| **AWS Network Firewall** | Stateful network firewall |\n| **AWS PrivateLink** | Private connectivity to services |\n\n### Data Protection\n\n| Service | Purpose |\n|---------|---------|\n| **AWS KMS** | Key management service |\n| **AWS Secrets Manager** | Secrets rotation and management |\n| **Amazon Macie** | Data discovery and classification |\n| **AWS Certificate Manager** | SSL/TLS certificate management |\n\n### Infrastructure Security\n\n| Service | Purpose |\n|---------|---------|\n| **AWS Systems Manager** | Patch management, configuration |\n| **Amazon Inspector** | Vulnerability scanning |\n| **AWS Config** | Configuration compliance monitoring |\n\n## Multi-Account Security Architecture\n\n```\nAWS Organizations (Root)\n│\n├── Security OU\n│ ├── Security Account (GuardDuty, Security Hub)\n│ ├── Logging Account (CloudTrail, Config, VPC Flow Logs)\n│ └── Audit Account (Read-only cross-account access)\n│\n├── Production OU\n│ ├── App1 Production Account\n│ ├── App2 Production Account\n│ └── Shared Services Account\n│\n└── Non-Production OU\n ├── Development Account\n ├── Staging Account\n └── Testing Account\n```\n\n**Key Patterns:**\n\n- **Service Control Policies (SCPs):** Apply guardrails at OU level\n- **IAM Identity Center:** SSO across all accounts\n- **GuardDuty/Security Hub:** Organization-wide threat detection\n- **Centralized Logging:** All CloudTrail logs to dedicated Logging Account\n- **Network Isolation:** Separate VPCs per account, Transit Gateway for connectivity\n\n## VPC Security Architecture\n\n**Best Practices:**\n- Public subnets: Internet-facing resources (ALB, NAT Gateway)\n- Private subnets: Application tier (no direct internet access)\n- Isolated subnets: Database tier (no outbound internet)\n- Security groups: Stateful, least privilege rules\n- NACLs: Stateless, additional layer of defense\n\n**Example:**\n```\nVPC (10.0.0.0/16)\n├── Public Subnet (10.0.1.0/24)\n│ └── Internet Gateway → ALB → Internet\n├── Private Subnet (10.0.2.0/24)\n│ └── EC2 Instances (application tier)\n└── Isolated Subnet (10.0.3.0/24)\n └── RDS (database tier)\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":4089,"content_sha256":"5dbffc3d163509537bb976a48383ad094d8a47f5966911ef39aaeaef9be18337"},{"filename":"references/azure-security-architecture.md","content":"# Azure Security Architecture Reference\n\n## Microsoft Defender for Cloud\n\n### Key Azure Security Services\n\n#### Identity & Access Management\n\n| Service | Purpose |\n|---------|---------|\n| **Azure AD (Entra ID)** | Identity platform |\n| **Privileged Identity Management** | JIT access for admins |\n| **Conditional Access** | Risk-based access policies |\n\n#### Detection & Response\n\n| Service | Purpose |\n|---------|---------|\n| **Microsoft Defender for Cloud** | CSPM and CWPP |\n| **Microsoft Sentinel** | SIEM and SOAR platform |\n| **Azure Monitor** | Logging and metrics collection |\n\n#### Network Security\n\n| Service | Purpose |\n|---------|---------|\n| **Azure Firewall** | Stateful network firewall |\n| **Azure Front Door + WAF** | Global CDN and web application firewall |\n| **Azure DDoS Protection** | DDoS mitigation |\n\n#### Data Protection\n\n| Service | Purpose |\n|---------|---------|\n| **Azure Key Vault** | Secrets, keys, certificates management |\n| **Azure Information Protection** | Data classification and DLP |\n| **Storage Encryption** | At-rest encryption for storage |\n\n#### Infrastructure Security\n\n| Service | Purpose |\n|---------|---------|\n| **Just-in-Time VM Access** | Time-bound SSH/RDP access |\n| **Azure Policy** | Compliance enforcement |\n| **Azure Blueprints** | Repeatable compliant environments |\n\n## Azure Landing Zone Architecture (Hub-Spoke)\n\n```\nAzure AD Tenant (Root)\n│\nManagement Groups Hierarchy:\n Root → Platform → Landing Zones → Applications\n│\n├── Hub VNet (Shared Services)\n│ ├── Azure Firewall\n│ ├── VPN Gateway\n│ ├── Azure Bastion\n│ └── Shared Services (DNS, monitoring)\n│\n├── Spoke VNet 1 (Production Workloads)\n│ └── Application VMs/Services\n│\n├── Spoke VNet 2 (Development Workloads)\n│ └── Application VMs/Services\n│\n└── Shared Services Subscription\n ├── Microsoft Defender for Cloud\n ├── Azure Monitor / Log Analytics\n └── Microsoft Sentinel\n```\n\n**Key Patterns:**\n\n- **Hub-Spoke Topology:** Centralized security and networking\n- **Management Groups:** Policy hierarchy and governance\n- **Azure Policy:** Enforce compliance (e.g., require encryption)\n- **Landing Zones:** Pre-configured secure environments\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":2280,"content_sha256":"291cca4fc5a4133395bdcd325d34a2dbe8b908cdf17e6f52e8301b625765f65a"},{"filename":"references/cis-controls.md","content":"# CIS Critical Security Controls v8 Reference\n\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Implementation Groups](#implementation-groups)\n- [18 CIS Controls](#18-cis-controls)\n - [CIS 1: Inventory and Control of Enterprise Assets](#cis-1-inventory-and-control-of-enterprise-assets)\n - [CIS 2: Inventory and Control of Software Assets](#cis-2-inventory-and-control-of-software-assets)\n - [CIS 3: Data Protection](#cis-3-data-protection)\n - [CIS 4: Secure Configuration of Enterprise Assets and Software](#cis-4-secure-configuration-of-enterprise-assets-and-software)\n - [CIS 5: Account Management](#cis-5-account-management)\n - [CIS 6: Access Control Management](#cis-6-access-control-management)\n - [CIS 7: Continuous Vulnerability Management](#cis-7-continuous-vulnerability-management)\n - [CIS 8: Audit Log Management](#cis-8-audit-log-management)\n - [CIS 13: Network Monitoring and Defense](#cis-13-network-monitoring-and-defense)\n - [CIS 17: Incident Response Management](#cis-17-incident-response-management)\n\n## Overview\n\nCIS Controls provide prioritized, prescriptive security guidance organized in 3 Implementation Groups (IG1, IG2, IG3).\n\n## Implementation Groups\n\n**IG1 (Basic Cyber Hygiene):**\n- 56 safeguards\n- Small organizations, limited IT security staff\n- Essential security baseline\n\n**IG2 (Intermediate):**\n- +74 safeguards (130 total)\n- Mid-sized organizations with IT security staff\n- More sophisticated controls\n\n**IG3 (Advanced):**\n- +23 safeguards (153 total)\n- Large enterprises with dedicated security teams\n- Advanced threat detection and response\n\n## 18 CIS Controls\n\n### CIS 1: Inventory and Control of Enterprise Assets\n\n**Objective:** Maintain accurate asset inventory\n\n**Key Safeguards:**\n- 1.1: Establish and maintain detailed asset inventory\n- 1.2: Address unauthorized assets\n- 1.3: Utilize asset inventory tool\n- 1.4: Use dynamic host configuration (DHCP) logging\n\n### CIS 2: Inventory and Control of Software Assets\n\n**Objective:** Track all software and prevent unauthorized software\n\n**Key Safeguards:**\n- 2.1: Establish software inventory\n- 2.2: Ensure authorized software is supported\n- 2.3: Address unauthorized software\n- 2.4: Utilize software inventory tools\n\n### CIS 3: Data Protection\n\n**Objective:** Protect sensitive data\n\n**Key Safeguards:**\n- 3.1: Establish data management process\n- 3.2: Establish data inventory\n- 3.3: Configure data access control lists\n- 3.6: Encrypt data on end-user devices\n- 3.11: Encrypt sensitive data at rest\n- 3.14: Log sensitive data access\n\n### CIS 4: Secure Configuration of Enterprise Assets and Software\n\n**Objective:** Harden configurations\n\n**Key Safeguards:**\n- 4.1: Establish secure configurations\n- 4.2: Establish configuration management\n- 4.7: Manage default accounts\n- 4.8: Uninstall or disable unnecessary services\n\n### CIS 5: Account Management\n\n**Objective:** Manage user accounts and credentials\n\n**Key Safeguards:**\n- 5.1: Establish centralized account management\n- 5.2: Use unique passwords\n- 5.3: Disable dormant accounts\n- 5.4: Restrict admin privileges to dedicated accounts\n\n### CIS 6: Access Control Management\n\n**Objective:** Control access to resources\n\n**Key Safeguards:**\n- 6.1: Establish access granting process\n- 6.2: Establish access revoking process\n- 6.3: Require MFA\n- 6.5: Require MFA for remote network access\n- 6.8: Define and maintain role-based access control\n\n### CIS 7: Continuous Vulnerability Management\n\n**Objective:** Identify and remediate vulnerabilities\n\n**Key Safeguards:**\n- 7.1: Establish vulnerability management process\n- 7.2: Remediate vulnerabilities\n- 7.3: Perform automated operating system patch management\n- 7.4: Perform automated application patch management\n- 7.5: Perform automated vulnerability scans\n\n### CIS 8: Audit Log Management\n\n**Objective:** Collect, alert, review, and retain audit logs\n\n**Key Safeguards:**\n- 8.1: Establish audit log management process\n- 8.2: Collect audit logs\n- 8.3: Ensure adequate storage for logs\n- 8.9: Centralize audit log collection\n- 8.10: Retain audit logs\n- 8.11: Conduct audit log reviews\n\n### CIS 13: Network Monitoring and Defense\n\n**Objective:** Monitor and defend network traffic\n\n**Key Safeguards:**\n- 13.1: Centralize security event collection\n- 13.2: Deploy network-based IDS sensors\n- 13.3: Deploy network-based IPS\n- 13.6: Collect network traffic flow logs\n- 13.10: Perform application layer filtering\n\n### CIS 17: Incident Response Management\n\n**Objective:** Establish incident response capability\n\n**Key Safeguards:**\n- 17.1: Designate incident response personnel\n- 17.2: Establish incident response process\n- 17.3: Maintain incident response contact information\n- 17.6: Maintain incident response documentation\n- 17.9: Conduct post-incident reviews\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":4756,"content_sha256":"758b72cbb7614694e43dd0138157dbdac69b5eab798c41558456e3ac7ed75e8a"},{"filename":"references/defense-in-depth.md","content":"# Defense in Depth Reference\n\n## Table of Contents\n\n1. [Overview](#overview)\n2. [9-Layer Defense Model](#9-layer-defense-model)\n3. [Implementation Patterns](#implementation-patterns)\n4. [Layer Integration Strategies](#layer-integration-strategies)\n5. [Failure Impact Analysis](#failure-impact-analysis)\n6. [Architecture Selection Decision Tree](#architecture-selection-decision-tree)\n\n## Overview\n\nDefense in Depth (DiD) is the foundational security architecture principle of implementing multiple independent layers of security controls. If one layer fails or is breached, other layers continue to protect critical assets.\n\n**Core Principle:** Redundancy and diversity of defense mechanisms across all layers from physical to operational.\n\n**Modern Context (2025):** Defense in Depth now incorporates behavioral analytics, workload security, and identity threat detection to address cloud-native architectures and sophisticated attack vectors.\n\n## 9-Layer Defense Model\n\n### Layer 1: Physical Security\n\n**Purpose:** Protect physical access to hardware and facilities.\n\n**Controls:**\n- Physical access control systems (badge readers, biometrics, mantrap entries)\n- Surveillance systems (CCTV, motion detection, security guards)\n- Environmental controls (HVAC, fire suppression, power redundancy, UPS)\n- Hardware security modules (HSM) for cryptographic key storage\n- Secure disposal of hardware (degaussing magnetic media, physical destruction of drives)\n\n**Cloud Considerations:**\n- Cloud providers (AWS, GCP, Azure) handle physical security of data centers\n- SOC 2 Type II and ISO 27001 certified facilities\n- Shared responsibility: Provider secures data centers, customer secures workloads\n\n**Failure Impact:** Limited (cloud providers provide strong physical security)\n\n**Monitoring:** Access logs, video surveillance, environmental sensors\n\n---\n\n### Layer 2: Network Perimeter\n\n**Purpose:** Control and inspect traffic entering and leaving the network.\n\n**Controls:**\n- **Next-Generation Firewalls (NGFW):** Application-aware firewalls (Palo Alto, Fortinet, Cisco)\n- **Web Application Firewall (WAF):** OWASP Top 10 protection (Cloudflare, Imperva, F5, AWS WAF)\n- **DDoS Protection:** Volumetric attack mitigation (Cloudflare, AWS Shield, Azure DDoS)\n- **Intrusion Prevention System (IPS/IDS):** Signature and anomaly-based detection\n- **Deep Packet Inspection (DPI):** Traffic analysis and content filtering\n- **SSL/TLS Inspection:** Decrypt and inspect encrypted traffic for threats\n\n**Architecture Pattern:**\n```\nInternet → DDoS Protection → WAF/CDN → NGFW → Internal Network\n```\n\n**Failure Impact:** High (direct exposure to internet threats if perimeter fails)\n\n**Monitoring:** Firewall logs, IDS/IPS alerts, traffic flow analysis, DDoS metrics\n\n---\n\n### Layer 3: Network Segmentation\n\n**Purpose:** Divide network into isolated zones to limit lateral movement.\n\n**Controls:**\n- **VLANs:** Virtual LAN segmentation (Layer 2)\n- **VPCs/Subnets:** Cloud virtual networks (AWS VPC, GCP VPC, Azure VNet)\n- **Security Groups:** Stateful firewall rules for cloud instances\n- **Network Access Control Lists (NACLs):** Stateless firewall rules for subnets\n- **Micro-Segmentation:** Fine-grained segmentation at workload level (service mesh, zero trust)\n- **Internal Firewalls:** East-west traffic control between zones\n\n**Segmentation Zones:**\n- **DMZ (Demilitarized Zone):** Public-facing services (web servers, mail servers)\n- **Web Tier:** Application front-end\n- **Application Tier:** Business logic, APIs\n- **Data Tier:** Databases, data stores (most restricted)\n- **Management Zone:** Administrative access, jump boxes\n\n**Architecture Pattern:**\n```\n┌─────────────┐\n│ Internet │\n└──────┬──────┘\n │\n┌──────▼──────────────────────────┐\n│ DMZ Zone (Public Web Servers) │\n└──────┬──────────────────────────┘\n │\n┌──────▼──────────────────────────┐\n│ Web Tier (App Front-End) │\n└──────┬──────────────────────────┘\n │\n┌──────▼──────────────────────────┐\n│ App Tier (Business Logic) │\n└──────┬──────────────────────────┘\n │\n┌──────▼──────────────────────────┐\n│ Data Tier (Databases) │ ← Most Restricted\n└──────────────────────────────────┘\n```\n\n**Failure Impact:** Medium (limits lateral movement even if one zone is compromised)\n\n**Monitoring:** VPC flow logs, network traffic analysis, connection attempts between zones\n\n---\n\n### Layer 4: Endpoint Protection\n\n**Purpose:** Secure individual devices (workstations, servers, mobile devices).\n\n**Controls:**\n- **Antivirus/Anti-malware:** Signature-based and heuristic detection (Windows Defender, CrowdStrike, SentinelOne)\n- **Endpoint Detection & Response (EDR):** Real-time monitoring, threat hunting, automated response\n- **Mobile Device Management (MDM):** BYOD policies, remote wipe, app control (Intune, Jamf, VMware Workspace ONE)\n- **Patch Management:** Automated OS and application patching (WSUS, SCCM, Systems Manager)\n- **Device Encryption:** Full-disk encryption (BitLocker, FileVault, LUKS)\n- **Device Posture Validation:** Health checks before network access (compliance checks, OS version, encryption status)\n- **Host-based Firewall:** Windows Firewall, iptables/nftables (Linux)\n\n**Zero Trust Integration:**\n- Continuous device posture assessment\n- Device compliance verification before access grant\n- Adaptive access based on device trust score\n\n**Failure Impact:** High (endpoint compromise is a common attack vector)\n\n**Monitoring:** EDR alerts, patch compliance dashboards, device health status, antivirus detections\n\n---\n\n### Layer 5: Application Security\n\n**Purpose:** Protect applications, APIs, and software from exploitation.\n\n**Controls:**\n- **Secure SDLC:** Security requirements, threat modeling, security testing in development\n- **Web Application Firewall (WAF):** OWASP Top 10 protection at application layer\n- **API Security:** Authentication (OAuth 2.0, API keys), authorization, rate limiting, input validation\n- **Code Analysis:**\n - **SAST (Static Application Security Testing):** Scan source code (SonarQube, Checkmarx)\n - **DAST (Dynamic Application Security Testing):** Scan running applications (OWASP ZAP, Burp Suite)\n - **IAST (Interactive Application Security Testing):** Runtime analysis (Contrast Security)\n - **SCA (Software Composition Analysis):** Dependency scanning (Snyk, Dependabot, Trivy)\n- **Runtime Protection:** RASP (Runtime Application Self-Protection)\n- **Dependency Management:** SBOM generation, vulnerability scanning, automated updates\n- **Input Validation:** Sanitize and validate all user inputs\n- **Output Encoding:** Prevent XSS attacks through proper encoding\n\n**OWASP Top 10 Controls:**\n1. Injection → Parameterized queries, ORM frameworks\n2. Broken Authentication → MFA, secure session management\n3. Sensitive Data Exposure → Encryption, key management\n4. XXE → Disable XML external entities, prefer JSON\n5. Broken Access Control → Authorization checks at every endpoint\n6. Security Misconfiguration → Hardening guides, remove defaults\n7. XSS → Output encoding, Content Security Policy (CSP)\n8. Insecure Deserialization → Validate serialized objects\n9. Known Vulnerabilities → Patch management, SBOM\n10. Insufficient Logging → Centralized logging, SIEM\n\n**Failure Impact:** High (application vulnerabilities are easily exploitable)\n\n**Monitoring:** WAF logs, application logs, DAST findings, dependency vulnerability alerts\n\n---\n\n### Layer 6: Data Security\n\n**Purpose:** Protect data confidentiality, integrity, and availability throughout its lifecycle.\n\n**Controls:**\n- **Encryption at Rest:** AES-256, Transparent Database Encryption (TDE)\n- **Encryption in Transit:** TLS 1.3, mutual TLS (mTLS), VPN tunnels\n- **Encryption in Use:** Confidential computing (Intel SGX, AMD SEV, ARM TrustZone)\n- **Key Management:** HSM (hardware security modules), cloud KMS (AWS KMS, GCP KMS, Azure Key Vault)\n- **Data Classification:** Public, Internal, Confidential, Restricted\n- **Data Loss Prevention (DLP):** Content inspection, policy enforcement, alerting (Microsoft Purview, Symantec DLP)\n- **Database Security:** Least privilege access, audit logging, query monitoring\n- **Backup & Recovery:** 3-2-1 rule (3 copies, 2 media types, 1 offsite), immutable backups\n- **Data Masking:** Anonymization, pseudonymization for non-production environments\n\n**Data Lifecycle Security:**\n```\nCreate → Store → Process → Share → Archive → Destroy\n │ │ │ │ │ │\n ▼ ▼ ▼ ▼ ▼ ▼\nClassify Encrypt Access Encrypt Retention Secure\n +Key Mgmt Control +Audit Policy Deletion\n```\n\n**Failure Impact:** Critical (data is the ultimate target of attacks)\n\n**Monitoring:** Data access logs, DLP alerts, encryption status, backup verification, unauthorized access attempts\n\n---\n\n### Layer 7: Identity & Access Management (IAM)\n\n**Purpose:** Control who and what can access resources.\n\n**Authentication Controls:**\n- **Multi-Factor Authentication (MFA):** TOTP, push notifications, biometrics, hardware tokens (YubiKey, FIDO2)\n- **Passwordless:** WebAuthn, FIDO2, passkeys\n- **Single Sign-On (SSO):** SAML 2.0, OAuth 2.0, OpenID Connect (Azure AD, Okta, Auth0)\n\n**Authorization Controls:**\n- **Role-Based Access Control (RBAC):** Users → Roles → Permissions\n- **Attribute-Based Access Control (ABAC):** Fine-grained based on attributes (department, location, time)\n- **Policy-Based Access Control (PBAC):** Centralized policy engines (Open Policy Agent, AWS Cedar)\n\n**Privileged Access Management (PAM):**\n- **Just-in-Time (JIT) Access:** Temporary elevated privileges\n- **Session Recording:** Audit all privileged sessions\n- **Credential Vaulting:** CyberArk, HashiCorp Vault, AWS Secrets Manager\n\n**Identity Governance:**\n- User lifecycle management (joiner/mover/leaver)\n- Access certification and recertification\n- Segregation of Duties (SoD) enforcement\n\n**Identity-First Zero Trust:**\n- Identity is the control plane\n- Every access request authenticates identity\n- Risk-based adaptive authentication (device, location, behavior)\n\n**Failure Impact:** Critical (identity compromise grants full access)\n\n**Monitoring:** Authentication logs, failed login attempts, privileged access, MFA enrollment, risky sign-ins\n\n---\n\n### Layer 8: Behavioral Analytics\n\n**Purpose:** Detect anomalies and threats through machine learning and behavioral analysis.\n\n**Controls:**\n- **User & Entity Behavior Analytics (UEBA):** ML-based anomaly detection (Microsoft Sentinel, Splunk)\n- **Anomaly Detection:** Detect deviations from normal behavior patterns\n- **Threat Intelligence:** Integrate feeds from ISACs, threat intel platforms (MISP, ThreatConnect)\n- **Risk Scoring:** Assign risk scores to users, entities, activities\n- **Contextual Analysis:** Combine multiple signals (time, location, device, resource accessed)\n\n**Detection Use Cases:**\n- Account compromise (unusual login location, time, device)\n- Insider threats (unusual data access, exfiltration patterns)\n- Lateral movement (unusual network connections)\n- Privilege escalation (unusual administrative actions)\n- Data exfiltration (large data transfers, unusual file access)\n\n**Failure Impact:** Medium (detection layer, not prevention; delays in detection increase breach impact)\n\n**Monitoring:** UEBA alerts, risk score changes, anomaly detection dashboards\n\n---\n\n### Layer 9: Security Operations\n\n**Purpose:** Continuous monitoring, detection, response, and improvement.\n\n**Controls:**\n- **Security Information & Event Management (SIEM):** Centralized log aggregation, correlation, alerting (Splunk, Elastic, Sentinel, Chronicle)\n- **Security Orchestration, Automation & Response (SOAR):** Playbook automation, incident response (Splunk SOAR, Cortex XSOAR)\n- **Extended Detection & Response (XDR):** Unified visibility across endpoints, network, cloud (Palo Alto Cortex XDR, Trend Micro Vision One)\n- **Vulnerability Management:** Continuous scanning, risk-based prioritization (Tenable, Qualys, Rapid7)\n- **Penetration Testing:** Red team exercises, bug bounty programs\n- **Incident Response:** Documented playbooks, tabletop exercises, post-incident reviews\n- **Threat Hunting:** Proactive search for threats using MITRE ATT&CK TTPs\n\n**SIEM Architecture:**\n```\nData Sources → Log Collection → Normalization → Correlation → Alerting → Investigation\n(Firewalls, (Agents, APIs) (Common format) (Rules, ML) (SOC Team) (Search, Viz)\n Endpoints,\n Apps, Cloud)\n```\n\n**Failure Impact:** High (inability to detect or respond to breaches extends dwell time)\n\n**Monitoring:** SIEM alert metrics, MTTD (mean time to detect), MTTR (mean time to respond), incident counts\n\n---\n\n## Implementation Patterns\n\n### Pattern 1: Cloud-Native Defense in Depth (AWS Example)\n\n**Layer Mapping:**\n\n1. **Physical:** AWS data center security (managed by AWS)\n2. **Network Perimeter:** AWS WAF + CloudFront + Shield (DDoS)\n3. **Network Segmentation:** VPCs, subnets, security groups, NACLs\n4. **Endpoint:** Systems Manager (patch), Inspector (vuln scan), GuardDuty (threat detection)\n5. **Application:** API Gateway (rate limit, auth), WAF rules, CodeGuru (code analysis)\n6. **Data:** S3 encryption, RDS encryption, KMS (key management), Macie (data discovery)\n7. **IAM:** IAM Identity Center (SSO), MFA, IAM policies (least privilege), IAM Access Analyzer\n8. **Behavioral Analytics:** GuardDuty (anomaly detection), Detective (investigation)\n9. **Security Operations:** Security Hub (centralized findings), CloudWatch (monitoring), CloudTrail (audit logs)\n\n**Implementation Steps:**\n1. Design VPC architecture with public/private subnets\n2. Enable GuardDuty, Security Hub, CloudTrail organization-wide\n3. Implement IAM Identity Center for SSO and MFA\n4. Deploy WAF on CloudFront and API Gateway\n5. Enable encryption for all data stores (S3, RDS, EBS)\n6. Configure Security Hub automated response (Lambda)\n7. Centralize logs in dedicated Logging Account\n\n---\n\n### Pattern 2: Zero Trust Overlay on Defense in Depth\n\n**Strategy:** Maintain existing Defense in Depth perimeter controls, layer Zero Trust controls progressively.\n\n**Phase 1: Identity Foundation**\n- Implement SSO and MFA for all users\n- Deploy identity provider (Azure AD, Okta)\n- Enable device posture checks\n\n**Phase 2: Least Privilege Access**\n- Migrate to RBAC/ABAC\n- Implement JIT access for privileged accounts\n- Remove standing admin permissions\n\n**Phase 3: Micro-Segmentation**\n- Segment critical applications\n- Deploy ZTNA (Zero Trust Network Access) for remote access\n- Implement service mesh for east-west traffic control\n\n**Phase 4: Continuous Verification**\n- Deploy UEBA for anomaly detection\n- Implement risk-based conditional access\n- Enable continuous compliance monitoring\n\n**Result:** Hybrid architecture with perimeter defense + identity-first zero trust controls\n\n---\n\n### Pattern 3: Defense in Depth for Web Applications\n\n**Layered Controls:**\n\n```\nLayer 9: SIEM + SOAR (Splunk, Sentinel)\n ↓\nLayer 8: UEBA (Anomaly detection)\n ↓\nLayer 7: OAuth 2.0 + MFA + RBAC\n ↓\nLayer 6: Database encryption + DLP\n ↓\nLayer 5: WAF + SAST/DAST + Secure coding\n ↓\nLayer 4: Container security (runtime protection)\n ↓\nLayer 3: Kubernetes Network Policies + Service mesh\n ↓\nLayer 2: Cloud WAF + DDoS protection\n ↓\nLayer 1: Cloud provider data center security\n```\n\n**Example Tech Stack:**\n- **Layer 2:** Cloudflare (WAF + DDoS)\n- **Layer 3:** Kubernetes Network Policies + Istio service mesh\n- **Layer 4:** Falco (runtime security) + Trivy (image scanning)\n- **Layer 5:** OWASP ZAP (DAST) + SonarQube (SAST) + Snyk (SCA)\n- **Layer 6:** PostgreSQL with TDE + AWS KMS\n- **Layer 7:** Auth0 (OAuth 2.0 + MFA) + OPA (policy-based authz)\n- **Layer 8:** Elastic Security (UEBA)\n- **Layer 9:** Elastic SIEM + TheHive (SOAR)\n\n---\n\n## Layer Integration Strategies\n\n### Strategy 1: Centralized Logging\n\nAggregate logs from all layers into SIEM for unified visibility.\n\n**Log Sources:**\n- Layer 2: Firewall logs, IDS/IPS alerts\n- Layer 3: VPC flow logs, network connection logs\n- Layer 4: Endpoint logs, EDR alerts\n- Layer 5: Application logs, WAF logs\n- Layer 6: Database audit logs, data access logs\n- Layer 7: Authentication logs, IAM events\n- Layer 8: UEBA alerts, anomaly scores\n- Layer 9: Incident response actions\n\n**SIEM Correlation Rules:**\n- Multiple failed logins (Layer 7) + Endpoint compromise (Layer 4) = Account takeover\n- Unusual data access (Layer 6) + Large data transfer (Layer 3) = Data exfiltration\n- Malware detection (Layer 4) + Lateral movement (Layer 3) = Active breach\n\n---\n\n### Strategy 2: Policy Enforcement Across Layers\n\nDefine security policies centrally and enforce at multiple layers.\n\n**Example Policy: \"Only encrypted data in transit\"**\n- Layer 2: WAF blocks HTTP requests (enforce HTTPS)\n- Layer 3: Security group rules block port 80 (HTTP)\n- Layer 5: Application redirects HTTP to HTTPS\n- Layer 6: Database rejects non-TLS connections\n- Layer 9: SIEM alerts on any HTTP traffic detected\n\n**Enforcement Points:**\n- Network layer (firewalls, security groups)\n- Application layer (WAF, API gateway)\n- Data layer (database configuration)\n- Monitoring layer (SIEM alerts)\n\n---\n\n### Strategy 3: Defense Redundancy\n\nImplement multiple defenses for critical assets.\n\n**Example: Database Protection**\n- Layer 2: Firewall blocks external access to database ports\n- Layer 3: Database in private subnet, no internet gateway\n- Layer 4: Database server hardened (minimal services, patched)\n- Layer 5: Application uses parameterized queries (prevent SQL injection)\n- Layer 6: Database encryption at rest + TLS in transit\n- Layer 7: Database access requires authentication + least privilege\n- Layer 8: UEBA detects unusual database queries\n- Layer 9: Database audit logs sent to SIEM\n\n**Result:** Even if one layer fails (e.g., SQL injection bypasses Layer 5), other layers still protect the database.\n\n---\n\n## Failure Impact Analysis\n\n### Critical Failures (Immediate Risk)\n\n**Layer 7 (IAM) Failure:**\n- **Impact:** Compromised credentials grant full access\n- **Mitigation:** MFA prevents credential-only compromise, PAM limits privilege duration\n- **Detection:** Monitor failed logins, unusual access patterns\n\n**Layer 6 (Data) Failure:**\n- **Impact:** Data breach, regulatory violations, reputational damage\n- **Mitigation:** Encryption limits exposure (encrypted data less valuable), DLP prevents exfiltration\n- **Detection:** Monitor data access patterns, large transfers\n\n---\n\n### High Failures (Significant Risk)\n\n**Layer 2 (Perimeter) Failure:**\n- **Impact:** Direct exposure to internet threats\n- **Mitigation:** Layer 3 segmentation limits lateral movement, Layer 7 IAM prevents unauthorized access\n- **Detection:** IDS/IPS alerts, unusual inbound traffic\n\n**Layer 4 (Endpoint) Failure:**\n- **Impact:** Malware execution, lateral movement platform\n- **Mitigation:** Layer 3 micro-segmentation limits spread, Layer 7 prevents privilege escalation\n- **Detection:** EDR alerts, anomalous process execution\n\n---\n\n### Medium Failures (Moderate Risk)\n\n**Layer 3 (Segmentation) Failure:**\n- **Impact:** Lateral movement possible\n- **Mitigation:** Layer 7 IAM limits access even within same network, Layer 8 detects lateral movement\n- **Detection:** Flow logs, connection attempts to unusual destinations\n\n**Layer 8 (Behavioral Analytics) Failure:**\n- **Impact:** Delayed threat detection\n- **Mitigation:** Layer 9 SIEM still provides rule-based detection, Layer 4/5/6 still prevent many attacks\n- **Detection:** Increased undetected dwell time\n\n---\n\n## Architecture Selection Decision Tree\n\n```\nSTART: Designing security architecture\n │\n ├─► Is this a greenfield (new) system?\n │ YES ──► Zero Trust from Day 1\n │ ├─► Identity-first architecture (Layer 7 primary)\n │ ├─► Micro-segmentation by default (Layer 3)\n │ ├─► Assume breach mentality\n │ └─► Continuous verification (Layer 8)\n │\n │ NO ──► Brownfield (existing) system?\n │ └─► Hybrid: Defense in Depth + Zero Trust overlay\n │ ├─► Maintain perimeter controls (Layers 1-3)\n │ ├─► Strengthen IAM (Layer 7: SSO, MFA, RBAC)\n │ ├─► Add behavioral analytics (Layer 8)\n │ └─► Segment critical assets first\n │\n ├─► What is the deployment environment?\n │ CLOUD-NATIVE ──► Cloud provider reference architectures\n │ ├─► AWS: Well-Architected Security Pillar\n │ ├─► GCP: Security Best Practices\n │ └─► Azure: Security Benchmark\n │\n │ HYBRID CLOUD ──► Multi-cloud security posture management\n │ ├─► Unified policy enforcement (CSPM)\n │ ├─► Cross-cloud visibility\n │ └─► Cloud-agnostic IAM (Okta, Azure AD)\n │\n │ ON-PREMISES ──► Traditional Defense in Depth\n │ ├─► Strong perimeter (Layer 2)\n │ ├─► Network segmentation (Layer 3)\n │ └─► Progressive modernization to Zero Trust\n │\n ├─► What are compliance requirements?\n │ SOC 2 ──► NIST CSF + CIS Controls baseline\n │ HIPAA ──► NIST CSF + HIPAA Security Rule mappings\n │ PCI DSS ──► PCI DSS requirements + network segmentation\n │ GDPR ──► NIST Privacy Framework + data protection controls\n │ ISO 27001 ──► ISO 27001/27002 control framework\n │\n └─► What is the risk tolerance?\n HIGH RISK (Financial, Healthcare, Government)\n ├─► Maximum controls across all 9 layers\n ├─► Zero Trust + Defense in Depth\n ├─► 24/7 SOC monitoring\n └─► Penetration testing, red team exercises\n\n MEDIUM RISK (Enterprise SaaS, E-commerce)\n ├─► Balanced security and usability\n ├─► Cloud-native security services\n └─► Managed SIEM/SOC\n\n LOW RISK (Internal tools, non-sensitive data)\n ├─► Essential controls (Layers 2, 5, 7, 9)\n ├─► Cloud-native security defaults\n └─► Automated monitoring\n```\n\n---\n\n## Summary\n\nDefense in Depth provides comprehensive security through layered, independent controls. Implement all 9 layers for maximum protection, with critical focus on:\n\n1. **Layer 7 (IAM):** Identity is the new perimeter - strongest authentication and authorization\n2. **Layer 6 (Data):** Data is the ultimate target - encrypt and protect at all stages\n3. **Layer 9 (Security Operations):** Detection and response capabilities determine breach impact\n\nFor new systems, design Zero Trust architecture on top of Defense in Depth foundation. For existing systems, progressively add Zero Trust controls while maintaining perimeter defenses.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":23808,"content_sha256":"39ad30ff0ca52a25191ea080a9fa4d8aaab91cafcf2ca33438e57f2b5d99a064"},{"filename":"references/gcp-security-architecture.md","content":"# GCP Security Architecture Reference\n\n## GCP Security Best Practices\n\n### Key GCP Security Services\n\n#### Identity & Access Management\n\n| Service | Purpose |\n|---------|---------|\n| **Cloud IAM** | Identity and access management |\n| **Identity Platform** | Customer identity (CIAM) |\n| **Cloud Identity** | Workforce identity management |\n\n#### Detection & Response\n\n| Service | Purpose |\n|---------|---------|\n| **Security Command Center** | Unified security and risk dashboard |\n| **Chronicle** | SIEM and threat intelligence platform |\n| **Event Threat Detection** | Real-time threat detection |\n\n#### Network Security\n\n| Service | Purpose |\n|---------|---------|\n| **Cloud Armor** | DDoS protection and WAF |\n| **VPC Service Controls** | Data exfiltration prevention |\n| **Cloud Firewall** | Stateful firewall rules |\n\n#### Data Protection\n\n| Service | Purpose |\n|---------|---------|\n| **Cloud KMS** | Key management service |\n| **Secret Manager** | Secrets management |\n| **Cloud DLP** | Data loss prevention |\n\n#### Infrastructure Security\n\n| Service | Purpose |\n|---------|---------|\n| **Binary Authorization** | Container image signing |\n| **Confidential Computing** | Encryption in use (VMs, GKE) |\n\n## GCP Organization Hierarchy\n\n```\nOrganization (example.com)\n│\n├── Folder: Production\n│ ├── Project: prod-app1\n│ ├── Project: prod-app2\n│ └── Project: prod-shared-services\n│\n├── Folder: Non-Production\n│ ├── Project: dev-app1\n│ ├── Project: staging-app1\n│ └── Project: test-app1\n│\n└── Folder: Security\n ├── Project: security-logging\n └── Project: security-monitoring\n```\n\n**Key Patterns:**\n\n- **Organization Policies:** Enforce constraints at org/folder level\n- **Shared VPC:** Centralized network management\n- **Security Command Center:** Organization-wide security posture\n- **VPC Service Controls:** Protect sensitive projects from data exfiltration\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1966,"content_sha256":"9f4defae94841e803ef3a0a4a5509f487fb48d30bcd64b9badd3b098179b8aea"},{"filename":"references/iam-patterns.md","content":"# Identity & Access Management Patterns Reference\n\n## Authentication Controls\n\n### Multi-Factor Authentication (MFA)\n\n**Types:**\n- TOTP (Time-based One-Time Password): Google Authenticator, Authy\n- Push Notifications: Duo, Okta Verify\n- Biometrics: Fingerprint, Face ID\n- Hardware Tokens: YubiKey, FIDO2\n\n**Implementation:**\n- Enforce MFA for all users (prioritize privileged accounts)\n- Support multiple MFA methods (user choice)\n- Backup codes for account recovery\n- Risk-based MFA (adaptive authentication)\n\n### Single Sign-On (SSO)\n\n**Protocols:**\n- SAML 2.0: Enterprise federation\n- OAuth 2.0: API authorization\n- OpenID Connect (OIDC): Authentication layer on OAuth 2.0\n\n**Benefits:**\n- Centralized authentication\n- Reduced password fatigue\n- Improved security posture\n- Better user experience\n\n## Authorization Controls\n\n### Role-Based Access Control (RBAC)\n\n**Structure:**\n- Users → Roles → Permissions\n- Roles represent job functions (admin, developer, analyst)\n- Coarse-grained, simple to implement\n\n**Best For:** Organizations with stable role structures\n\n### Attribute-Based Access Control (ABAC)\n\n**Structure:**\n- Fine-grained access based on attributes\n- User attributes (department, clearance level)\n- Resource attributes (classification, owner)\n- Environmental attributes (time, location)\n\n**Best For:** Complex, dynamic access requirements\n\n### Policy-Based Access Control (PBAC)\n\n**Centralized Policy Engines:**\n- Open Policy Agent (OPA)\n- AWS Cedar\n- Authzed (SpiceDB)\n\n**Best For:** Microservices, API gateways, cloud-native architectures\n\n## Privileged Access Management (PAM)\n\n### Just-in-Time (JIT) Access\n\n**Principle:** Temporary elevated privileges for specific tasks\n\n**Implementation:**\n- Request-based access (approval workflow)\n- Time-bound grants (4-8 hours)\n- Automated de-provisioning\n- Audit all privilege activations\n\n### Credential Vaulting\n\n**Solutions:**\n- CyberArk\n- HashiCorp Vault\n- AWS Secrets Manager\n- Azure Key Vault\n\n**Features:**\n- Centralized credential storage\n- Automatic password rotation\n- Session recording\n- Break-glass procedures\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":2089,"content_sha256":"0dcee3e7f4d1fc917ff196185b0fbf8876e0c62c6120c03017f8a04af4e5d395"},{"filename":"references/nist-csf-mapping.md","content":"# NIST Cybersecurity Framework (CSF) 2.0 Reference\n\n\n## Table of Contents\n\n- [Overview](#overview)\n- [Framework Structure](#framework-structure)\n- [6 Core Functions](#6-core-functions)\n - [GOVERN (GV) - NEW in CSF 2.0](#govern-gv-new-in-csf-20)\n - [IDENTIFY (ID)](#identify-id)\n - [PROTECT (PR)](#protect-pr)\n - [DETECT (DE)](#detect-de)\n - [RESPOND (RS)](#respond-rs)\n - [RECOVER (RC)](#recover-rc)\n- [NIST CSF Implementation Tiers](#nist-csf-implementation-tiers)\n- [NIST CSF Profiles](#nist-csf-profiles)\n- [Control Mapping Examples](#control-mapping-examples)\n - [Mapping OWASP Top 10 to NIST CSF](#mapping-owasp-top-10-to-nist-csf)\n - [Mapping CIS Controls to NIST CSF](#mapping-cis-controls-to-nist-csf)\n - [Mapping Cloud Security to NIST CSF (AWS Example)](#mapping-cloud-security-to-nist-csf-aws-example)\n- [Implementation Roadmap](#implementation-roadmap)\n - [Phase 1: Assess Current State (Weeks 1-4)](#phase-1-assess-current-state-weeks-1-4)\n - [Phase 2: Define Target State (Weeks 5-6)](#phase-2-define-target-state-weeks-5-6)\n - [Phase 3: Gap Analysis (Weeks 7-8)](#phase-3-gap-analysis-weeks-7-8)\n - [Phase 4: Implement Controls (Months 3-12)](#phase-4-implement-controls-months-3-12)\n - [Phase 5: Continuous Improvement (Ongoing)](#phase-5-continuous-improvement-ongoing)\n- [NIST CSF vs Other Frameworks](#nist-csf-vs-other-frameworks)\n- [Summary](#summary)\n\n## Overview\n\nThe NIST Cybersecurity Framework provides a risk-based approach to managing cybersecurity risks. Version 2.0 (released 2024) introduces the GOVERN function and expands scope to all organizations.\n\n**Official Source:** NIST CSF 2.0 (https://www.nist.gov/cyberframework)\n\n## Framework Structure\n\n**Hierarchy:**\n- 6 Functions (high-level categories)\n- 23 Categories (specific outcomes)\n- 106 Subcategories (detailed controls)\n\n## 6 Core Functions\n\n### GOVERN (GV) - NEW in CSF 2.0\n\n**Purpose:** Establish and monitor cybersecurity governance, risk management strategy, and policies.\n\n**Categories:**\n- **GV.OC:** Organizational Context\n- **GV.RM:** Risk Management Strategy\n- **GV.RR:** Roles, Responsibilities, and Authorities\n- **GV.PO:** Policy\n- **GV.OV:** Oversight\n- **GV.SC:** Cybersecurity Supply Chain Risk Management\n\n**Key Controls:**\n- Establish cybersecurity governance structure\n- Define risk tolerance and risk appetite\n- Assign cybersecurity roles and responsibilities\n- Develop security policies and procedures\n- Supply chain risk management program\n- Third-party risk assessments\n\n---\n\n### IDENTIFY (ID)\n\n**Purpose:** Develop organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.\n\n**Categories:**\n- **ID.AM:** Asset Management\n- **ID.RA:** Risk Assessment\n- **ID.IM:** Improvement\n\n**Key Controls:**\n\n**ID.AM (Asset Management):**\n- Hardware asset inventory (servers, workstations, network devices, IoT)\n- Software asset inventory (applications, operating systems, firmware)\n- Data asset classification (public, internal, confidential, restricted)\n- Personnel inventory (employees, contractors, privileged users)\n- Network architecture documentation (network diagrams, data flows)\n\n**ID.RA (Risk Assessment):**\n- Identify and document cybersecurity risks\n- Threat intelligence integration\n- Vulnerability assessments (continuous scanning)\n- Risk prioritization (likelihood × impact)\n- Critical asset identification\n\n**ID.IM (Improvement):**\n- Lessons learned from incidents\n- Continuous improvement processes\n- Security metrics and KPIs\n\n---\n\n### PROTECT (PR)\n\n**Purpose:** Develop and implement appropriate safeguards to ensure delivery of critical services.\n\n**Categories:**\n- **PR.AA:** Identity Management, Authentication and Access Control\n- **PR.AT:** Awareness and Training\n- **PR.DS:** Data Security\n- **PR.IP:** Platform Security\n- **PR.MA:** Maintenance\n- **PR.PS:** Technology Infrastructure Resilience\n\n**Key Controls:**\n\n**PR.AA (Access Control):**\n- Identity and credential management\n- Multi-factor authentication (MFA)\n- Role-based access control (RBAC)\n- Privileged access management (PAM)\n- Remote access management (ZTNA, VPN)\n\n**PR.DS (Data Security):**\n- Encryption at rest (AES-256)\n- Encryption in transit (TLS 1.3)\n- Data loss prevention (DLP)\n- Key management (HSM, KMS)\n- Secure data disposal\n\n**PR.IP (Platform Security):**\n- Configuration management and hardening\n- Secure software development lifecycle (SDLC)\n- Security testing (SAST, DAST, SCA)\n- Change control processes\n- Baseline security configurations (CIS Benchmarks)\n\n**PR.MA (Maintenance):**\n- Patch management (automated, risk-based)\n- Remote maintenance security\n- Asset maintenance logs\n\n**PR.PS (Technology Infrastructure Resilience):**\n- Backup and recovery (3-2-1 rule)\n- Redundancy and failover\n- Capacity planning\n- Business continuity planning\n\n---\n\n### DETECT (DE)\n\n**Purpose:** Develop and implement appropriate activities to identify occurrence of cybersecurity events.\n\n**Categories:**\n- **DE.AE:** Adverse Event Analysis\n- **DE.CM:** Continuous Security Monitoring\n\n**Key Controls:**\n\n**DE.AE (Adverse Event Analysis):**\n- Baseline network and system behavior\n- Anomaly detection (UEBA, ML-based)\n- Security event correlation (SIEM)\n- Threat intelligence integration\n- Alert prioritization and triage\n\n**DE.CM (Continuous Monitoring):**\n- Network monitoring (IDS/IPS, flow logs)\n- Endpoint monitoring (EDR)\n- Application monitoring (WAF logs, application logs)\n- Cloud security monitoring (GuardDuty, Security Command Center)\n- Vulnerability scanning (continuous, risk-based)\n- Physical access monitoring\n\n---\n\n### RESPOND (RS)\n\n**Purpose:** Develop and implement appropriate activities to take action regarding detected cybersecurity incidents.\n\n**Categories:**\n- **RS.MA:** Incident Management\n- **RS.AN:** Incident Analysis\n- **RS.RP:** Incident Response Reporting and Communication\n- **RS.MI:** Incident Mitigation\n\n**Key Controls:**\n\n**RS.MA (Incident Management):**\n- Incident response plan (documented, tested)\n- Incident response team and roles (CSIRT)\n- Incident detection and reporting mechanisms\n- Incident categorization and prioritization\n\n**RS.AN (Incident Analysis):**\n- Forensic analysis capabilities\n- Root cause analysis\n- Impact assessment\n- Threat intelligence enrichment\n\n**RS.MI (Incident Mitigation):**\n- Containment strategies (isolate, quarantine)\n- Eradication procedures (remove malware, close vulnerabilities)\n- Recovery procedures (restore systems, validate integrity)\n- Lessons learned and post-incident review\n\n---\n\n### RECOVER (RC)\n\n**Purpose:** Develop and implement appropriate activities to maintain resilience and restore capabilities or services impaired by cybersecurity incidents.\n\n**Categories:**\n- **RC.RP:** Recovery Planning\n- **RC.CO:** Recovery Communications\n\n**Key Controls:**\n\n**RC.RP (Recovery Planning):**\n- Recovery plan development and maintenance\n- Recovery testing (tabletop exercises, full simulations)\n- Backup restoration procedures\n- Business continuity and disaster recovery (BC/DR)\n- Recovery time objectives (RTO) and recovery point objectives (RPO)\n\n**RC.CO (Recovery Communications):**\n- Internal communication plans (employees, management)\n- External communication plans (customers, regulators, media)\n- Stakeholder coordination\n- Public relations and reputation management\n\n---\n\n## NIST CSF Implementation Tiers\n\n**Tier 1: Partial**\n- Ad-hoc, reactive security\n- Limited awareness of cybersecurity risk\n- Cybersecurity risk management not formalized\n\n**Tier 2: Risk Informed**\n- Risk management practices approved by management but not organization-wide\n- Some awareness of cybersecurity risk\n- Informal processes\n\n**Tier 3: Repeatable**\n- Formal cybersecurity policies and procedures\n- Organization-wide risk management program\n- Regular risk assessments\n- Consistent implementation\n\n**Tier 4: Adaptive**\n- Continuous improvement culture\n- Advanced threat intelligence integration\n- Real-time risk assessment and response\n- Predictive indicators and adaptive processes\n\n---\n\n## NIST CSF Profiles\n\n**Current Profile:** Current state of cybersecurity posture (as-is)\n\n**Target Profile:** Desired state of cybersecurity posture (to-be)\n\n**Gap Analysis:** Difference between Current and Target profiles\n\n**Roadmap:** Plan to close gaps and achieve Target profile\n\n---\n\n## Control Mapping Examples\n\n### Mapping OWASP Top 10 to NIST CSF\n\n| OWASP Risk | NIST CSF Function | Category | Example Control |\n|------------|-------------------|----------|-----------------|\n| **A01: Broken Access Control** | PROTECT | PR.AA | Implement RBAC, least privilege |\n| **A02: Cryptographic Failures** | PROTECT | PR.DS | Encryption at rest/transit, key management |\n| **A03: Injection** | PROTECT | PR.IP | Input validation, parameterized queries |\n| **A04: Insecure Design** | IDENTIFY | ID.RA | Threat modeling, security by design |\n| **A05: Security Misconfiguration** | PROTECT | PR.IP | Configuration management, hardening |\n| **A06: Vulnerable Components** | IDENTIFY | ID.RA | SCA scanning, dependency management |\n| **A07: Authentication Failures** | PROTECT | PR.AA | MFA, secure session management |\n| **A08: Software/Data Integrity** | PROTECT | PR.DS | Code signing, integrity checks |\n| **A09: Logging/Monitoring Failures** | DETECT | DE.CM | SIEM, centralized logging |\n| **A10: Server-Side Request Forgery** | PROTECT | PR.IP | Input validation, network segmentation |\n\n---\n\n### Mapping CIS Controls to NIST CSF\n\n| CIS Control | NIST CSF Function | Category |\n|-------------|-------------------|----------|\n| **CIS 1: Asset Inventory** | IDENTIFY | ID.AM |\n| **CIS 2: Software Inventory** | IDENTIFY | ID.AM |\n| **CIS 3: Data Protection** | PROTECT | PR.DS |\n| **CIS 4: Secure Configuration** | PROTECT | PR.IP |\n| **CIS 5: Account Management** | PROTECT | PR.AA |\n| **CIS 6: Access Control** | PROTECT | PR.AA |\n| **CIS 7: Vulnerability Management** | IDENTIFY | ID.RA |\n| **CIS 8: Audit Log Management** | DETECT | DE.CM |\n| **CIS 9: Email/Web Protection** | PROTECT | PR.IP |\n| **CIS 10: Malware Defenses** | PROTECT | PR.IP |\n| **CIS 11: Data Recovery** | RECOVER | RC.RP |\n| **CIS 12: Network Infrastructure** | PROTECT | PR.PS |\n| **CIS 13: Network Monitoring** | DETECT | DE.CM |\n| **CIS 14: Security Awareness** | PROTECT | PR.AT |\n| **CIS 15: Service Provider Mgmt** | GOVERN | GV.SC |\n| **CIS 16: Application Security** | PROTECT | PR.IP |\n| **CIS 17: Incident Response** | RESPOND | RS.MA |\n| **CIS 18: Penetration Testing** | IDENTIFY | ID.RA |\n\n---\n\n### Mapping Cloud Security to NIST CSF (AWS Example)\n\n| AWS Service | NIST CSF Function | Category | Purpose |\n|-------------|-------------------|----------|---------|\n| **IAM, IAM Identity Center** | PROTECT | PR.AA | Identity and access management |\n| **GuardDuty** | DETECT | DE.CM | Threat detection |\n| **Security Hub** | DETECT | DE.AE | Centralized security findings |\n| **KMS** | PROTECT | PR.DS | Key management |\n| **WAF** | PROTECT | PR.IP | Web application firewall |\n| **Shield** | PROTECT | PR.PS | DDoS protection |\n| **CloudTrail** | DETECT | DE.CM | Audit logging |\n| **Config** | PROTECT | PR.IP | Configuration management |\n| **Inspector** | IDENTIFY | ID.RA | Vulnerability assessment |\n| **Macie** | PROTECT | PR.DS | Data discovery and classification |\n| **Systems Manager** | PROTECT | PR.MA | Patch management |\n| **Backup** | RECOVER | RC.RP | Backup and recovery |\n\n---\n\n## Implementation Roadmap\n\n### Phase 1: Assess Current State (Weeks 1-4)\n\n1. Conduct cybersecurity risk assessment\n2. Document current security controls (Current Profile)\n3. Map existing controls to NIST CSF categories\n4. Identify gaps and weaknesses\n\n### Phase 2: Define Target State (Weeks 5-6)\n\n1. Define security objectives based on business goals\n2. Determine acceptable risk levels (risk appetite)\n3. Define Target Profile (desired security posture)\n4. Select appropriate Implementation Tier\n\n### Phase 3: Gap Analysis (Weeks 7-8)\n\n1. Compare Current Profile vs. Target Profile\n2. Prioritize gaps by risk and business impact\n3. Estimate resources and budget for remediation\n4. Develop implementation roadmap\n\n### Phase 4: Implement Controls (Months 3-12)\n\n1. Implement high-priority controls first\n2. Track progress against roadmap\n3. Update Current Profile as controls implemented\n4. Regular management reporting\n\n### Phase 5: Continuous Improvement (Ongoing)\n\n1. Monitor security metrics and KPIs\n2. Conduct periodic reassessments (annually)\n3. Update Target Profile as business changes\n4. Lessons learned from incidents\n\n---\n\n## NIST CSF vs Other Frameworks\n\n| Aspect | NIST CSF | CIS Controls | ISO 27001 |\n|--------|----------|--------------|-----------|\n| **Approach** | Risk-based, flexible | Prescriptive, prioritized | Comprehensive ISMS |\n| **Complexity** | Medium | Low (clear priorities) | High (formal certification) |\n| **Industry Recognition** | Very high (US focus) | High | Very high (international) |\n| **Certification** | No | No | Yes |\n| **Cost** | Free | Free | Certification cost |\n| **Best For** | Risk management, governance | Baseline security, tactical | Formal ISMS, certification |\n\n---\n\n## Summary\n\nNIST CSF 2.0 provides comprehensive, risk-based framework with 6 functions: GOVERN (new), IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER. Use for security program governance, compliance mapping, and continuous improvement. Implement through phased approach: Assess → Define Target → Gap Analysis → Implement → Improve.\n\nMap NIST CSF to tactical frameworks (CIS Controls for implementation, OWASP for app security, cloud provider frameworks for cloud security). Track progress with Current Profile → Target Profile comparison and Implementation Tiers (1-4).\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":13696,"content_sha256":"3b2d94cd5dd276601f830918045d63d5018c8d86069910dfae6888a756b5590f"},{"filename":"references/owasp-top10-mitigation.md","content":"# OWASP Top 10 Risk Mitigation Reference\n\n\n## Table of Contents\n\n- [Overview](#overview)\n- [OWASP Top 10 (2021)](#owasp-top-10-2021)\n - [A01: Broken Access Control](#a01-broken-access-control)\n - [A02: Cryptographic Failures](#a02-cryptographic-failures)\n - [A03: Injection](#a03-injection)\n - [A04: Insecure Design](#a04-insecure-design)\n - [A05: Security Misconfiguration](#a05-security-misconfiguration)\n - [A06: Vulnerable and Outdated Components](#a06-vulnerable-and-outdated-components)\n - [A07: Identification and Authentication Failures](#a07-identification-and-authentication-failures)\n - [A08: Software and Data Integrity Failures](#a08-software-and-data-integrity-failures)\n - [A09: Security Logging and Monitoring Failures](#a09-security-logging-and-monitoring-failures)\n - [A10: Server-Side Request Forgery (SSRF)](#a10-server-side-request-forgery-ssrf)\n\n## Overview\n\nThe OWASP Top 10 represents the most critical web application security risks. This reference provides detailed mitigation strategies for each risk mapped to security architecture controls.\n\n## OWASP Top 10 (2021)\n\n### A01: Broken Access Control\n\n**Risk Description:** Authorization failures allowing users to access unauthorized data or functionality.\n\n**Common Examples:**\n- Insecure Direct Object References (IDOR): Changing URL parameter to access other users' data\n- Missing authorization checks on API endpoints\n- Privilege escalation (standard user accessing admin functions)\n- CORS misconfiguration allowing unauthorized origins\n\n**Architectural Mitigations:**\n- Implement RBAC (role-based access control) or ABAC (attribute-based access control)\n- Deny access by default (explicit allow lists)\n- Authorization checks at every API endpoint\n- Use indirect object references (map session → object, not expose IDs)\n- Log all authorization failures for monitoring\n\n**Code Example (Node.js/Express):**\n```javascript\n// Verify user owns resource before returning\napp.get('/api/orders/:id', authenticateUser, async (req, res) => {\n const order = await Order.findById(req.params.id);\n\n // Authorization check: user owns this order\n if (order.userId !== req.user.id) {\n return res.status(403).json({ error: 'Forbidden' });\n }\n\n res.json(order);\n});\n```\n\n---\n\n### A02: Cryptographic Failures\n\n**Risk Description:** Failures in cryptography leading to exposure of sensitive data.\n\n**Common Examples:**\n- Transmitting data in cleartext (HTTP instead of HTTPS)\n- Using weak encryption algorithms (DES, MD5, SHA-1)\n- Storing passwords in plaintext or weak hashing\n- Hardcoded cryptographic keys\n\n**Architectural Mitigations:**\n- Enforce TLS 1.3 for all data in transit\n- Encrypt all sensitive data at rest (AES-256)\n- Use strong password hashing (Argon2, bcrypt, scrypt)\n- Implement key management system (AWS KMS, Azure Key Vault, HashiCorp Vault)\n- Rotate encryption keys regularly\n\n---\n\n### A03: Injection\n\n**Risk Description:** Injection flaws (SQL, NoSQL, OS command, LDAP) allowing arbitrary code execution.\n\n**Common Examples:**\n- SQL injection via unsanitized user input\n- NoSQL injection in MongoDB queries\n- OS command injection\n- LDAP injection\n\n**Architectural Mitigations:**\n- Use parameterized queries or ORM frameworks\n- Input validation (whitelist allowed characters, length limits)\n- Least privilege database users (no DROP, CREATE permissions)\n- WAF with injection detection rules\n- Code scanning (SAST/DAST) in CI/CD\n\n**Code Example (SQL Injection Prevention):**\n```javascript\n// BAD: String concatenation (vulnerable to SQLi)\nconst query = `SELECT * FROM users WHERE email = '${userInput}'`;\n\n// GOOD: Parameterized query\nconst query = 'SELECT * FROM users WHERE email = ?';\ndb.query(query, [userInput], (err, results) => { ... });\n```\n\n---\n\n### A04: Insecure Design\n\n**Risk Description:** Missing or ineffective security controls in design phase.\n\n**Mitigations:**\n- Conduct threat modeling (STRIDE, PASTA) during design\n- Apply secure design patterns\n- Separation of concerns (business logic separate from presentation)\n- Defense in depth architecture\n- Security requirements in every user story\n\n---\n\n### A05: Security Misconfiguration\n\n**Risk Description:** Insecure default configurations, incomplete setups, verbose errors.\n\n**Common Examples:**\n- Default admin credentials unchanged\n- Directory listing enabled\n- Unnecessary services running\n- Verbose error messages revealing system details\n- Missing security headers\n\n**Architectural Mitigations:**\n- Configuration management (CIS Benchmarks, STIG)\n- Remove default accounts and sample applications\n- Minimal platform (disable unnecessary features)\n- Custom error pages (generic messages)\n- Security headers (CSP, HSTS, X-Frame-Options)\n\n---\n\n### A06: Vulnerable and Outdated Components\n\n**Risk Description:** Using components with known vulnerabilities.\n\n**Architectural Mitigations:**\n- Generate SBOM (Software Bill of Materials)\n- Continuous dependency scanning (Snyk, Dependabot, Trivy)\n- Automated security updates\n- Remove unused dependencies\n- Monitor security advisories\n\n---\n\n### A07: Identification and Authentication Failures\n\n**Risk Description:** Weak authentication and session management.\n\n**Architectural Mitigations:**\n- Multi-factor authentication (MFA) for all users\n- Strong password policies (length > complexity)\n- Secure session management (HttpOnly, Secure, SameSite flags)\n- Rate limiting on authentication endpoints\n- Account lockout after failed attempts\n\n---\n\n### A08: Software and Data Integrity Failures\n\n**Risk Description:** Code and infrastructure not protected from integrity violations.\n\n**Architectural Mitigations:**\n- Code signing and verification\n- SLSA framework for build integrity\n- Subresource Integrity (SRI) for CDN resources\n- Integrity checks (checksums, digital signatures)\n\n---\n\n### A09: Security Logging and Monitoring Failures\n\n**Risk Description:** Insufficient logging and monitoring delays breach detection.\n\n**Architectural Mitigations:**\n- Centralized logging (SIEM)\n- Log all security events (authentication, authorization failures, input validation failures)\n- Immutable logs (append-only)\n- Real-time alerting\n- UEBA for anomaly detection\n\n---\n\n### A10: Server-Side Request Forgery (SSRF)\n\n**Risk Description:** Application fetches remote resource without validating URL.\n\n**Architectural Mitigations:**\n- Input validation (whitelist allowed domains)\n- Network segmentation (deny outbound traffic from application tier)\n- Disable unnecessary URL schemas (file://, gopher://)\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":6507,"content_sha256":"9c672620165a6785e909a48b67ab7a1ab7985a6de1a4244c687d9b75ef505e6f"},{"filename":"references/security-operations.md","content":"# Security Operations Reference\n\n## SIEM (Security Information & Event Management)\n\n**Purpose:** Centralize log aggregation, correlation, and alerting\n\n**Leading Platforms:**\n- Splunk Enterprise Security\n- Elastic Security\n- Microsoft Sentinel\n- Google Chronicle\n\n**Architecture:**\n1. Log Collection: Ingest from all sources\n2. Normalization: Standardize log formats\n3. Correlation: Apply rules to detect patterns\n4. Alerting: Notify SOC team\n5. Investigation: Search and visualization\n\n## SOAR (Security Orchestration, Automation & Response)\n\n**Purpose:** Automate incident response workflows\n\n**Capabilities:**\n- Playbooks: Automated response workflows\n- Orchestration: Integrate security tools\n- Case Management: Track incidents\n\n**Leading Platforms:**\n- Splunk SOAR\n- Palo Alto Cortex XSOAR\n- IBM Resilient\n\n## Detection Strategies\n\n### UEBA (User & Entity Behavior Analytics)\n\n**Purpose:** ML-based anomaly detection\n\n**Use Cases:**\n- Account compromise detection\n- Insider threat detection\n- Data exfiltration detection\n- Lateral movement detection\n\n### Threat Intelligence\n\n**Sources:**\n- MISP (Malware Information Sharing Platform)\n- ThreatConnect\n- ISACs (Information Sharing and Analysis Centers)\n\n**Integration:**\n- Enrich SIEM alerts with threat context\n- Block known malicious IPs/domains\n- Proactive threat hunting\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1329,"content_sha256":"a43413a5530bb86c83792cd4ace2f1b6c918cbbd7afce850ae1da3c718919b01"},{"filename":"references/supply-chain-security.md","content":"# Supply Chain Security Reference\n\n\n## Table of Contents\n\n- [Overview](#overview)\n- [SLSA Framework](#slsa-framework)\n - [4 SLSA Levels](#4-slsa-levels)\n - [SLSA Requirements Matrix](#slsa-requirements-matrix)\n - [SLSA Implementation Steps](#slsa-implementation-steps)\n- [SBOM (Software Bill of Materials)](#sbom-software-bill-of-materials)\n - [SBOM Standards](#sbom-standards)\n - [CycloneDX SBOM Structure](#cyclonedx-sbom-structure)\n - [Generating SBOMs](#generating-sboms)\n - [SBOM Use Cases](#sbom-use-cases)\n- [Dependency Scanning Tools](#dependency-scanning-tools)\n- [Dependency Management Best Practices](#dependency-management-best-practices)\n - [1. Minimize Dependencies](#1-minimize-dependencies)\n - [2. Pin Dependency Versions](#2-pin-dependency-versions)\n - [3. Continuous Dependency Scanning](#3-continuous-dependency-scanning)\n - [4. Automated Security Updates](#4-automated-security-updates)\n - [5. Vendor and Maintainer Monitoring](#5-vendor-and-maintainer-monitoring)\n - [6. Private Dependency Mirrors](#6-private-dependency-mirrors)\n- [Supply Chain Attack Vectors](#supply-chain-attack-vectors)\n - [1. Compromised Dependencies](#1-compromised-dependencies)\n - [2. Typosquatting](#2-typosquatting)\n - [3. Dependency Confusion](#3-dependency-confusion)\n - [4. Compromised Build Pipeline](#4-compromised-build-pipeline)\n- [Summary](#summary)\n\n## Overview\n\nSupply chain attacks target software development and distribution pipelines to inject malicious code or compromise dependencies. High-profile attacks (SolarWinds, Log4Shell, CodeCov) demonstrate critical need for supply chain security.\n\n**Key Frameworks:**\n- **SLSA (Supply-chain Levels for Software Artifacts):** Build integrity framework\n- **SBOM (Software Bill of Materials):** Dependency transparency\n- **SSDF (Secure Software Development Framework):** NIST SP 800-218\n\n## SLSA Framework\n\n**Developed by:** Google (Open Source Security Foundation)\n\n**Purpose:** Protect software artifacts from tampering and ensure build integrity\n\n### 4 SLSA Levels\n\n**SLSA Level 1: Provenance**\n- Build process generates provenance metadata\n- Documents how artifact was built\n- NOT tamper-proof (can be forged)\n\n**Requirements:**\n- Provenance generated automatically\n- Provenance contains build information\n\n**Example:** GitHub Actions basic workflow with attestation\n\n---\n\n**SLSA Level 2: Hosted Build Platform**\n- Build on trusted hosted service\n- Provenance generated by platform (more trustworthy than Level 1)\n\n**Requirements:**\n- Use hosted build service (GitHub Actions, Cloud Build, GitLab CI)\n- Platform generates provenance\n- Source and build logs available\n\n**Example:** GitHub Actions with signed attestations\n\n---\n\n**SLSA Level 3: Hardened Build Platform**\n- Build platform prevents tampering\n- Provenance generation cannot be compromised\n- Audit logs of build process\n\n**Requirements:**\n- Build service hardened against admin tampering\n- Provenance is non-falsifiable\n- Isolated build execution\n- Audit logs retained\n\n**Example:** Google Cloud Build with Binary Authorization\n\n---\n\n**SLSA Level 4: Hermetic, Reproducible Builds**\n- Fully hermetic builds (no network access during build)\n- Reproducible builds (same inputs = same output)\n- Two-party review for all changes\n\n**Requirements:**\n- Hermetic builds (no external dependencies during build)\n- Reproducible (deterministic builds)\n- Two-person review (pull request approval)\n- Immutable build history\n\n**Example:** Debian reproducible builds, Bazel hermetic builds\n\n---\n\n### SLSA Requirements Matrix\n\n| Requirement | L1 | L2 | L3 | L4 |\n|-------------|----|----|----|----|\n| Provenance exists | ✓ | ✓ | ✓ | ✓ |\n| Hosted build platform | | ✓ | ✓ | ✓ |\n| Build service hardened | | | ✓ | ✓ |\n| Provenance non-falsifiable | | | ✓ | ✓ |\n| Isolated build process | | | | ✓ |\n| Hermetic builds | | | | ✓ |\n| Reproducible builds | | | | ✓ |\n| Two-party review | | | | ✓ |\n\n---\n\n### SLSA Implementation Steps\n\n**Step 1: Generate Provenance (SLSA L1)**\n\nUse GitHub Actions to generate attestations:\n\n```yaml\nname: Build with Provenance\non: [push]\njobs:\n build:\n runs-on: ubuntu-latest\n permissions:\n id-token: write\n contents: read\n attestations: write\n steps:\n - uses: actions/checkout@v4\n - name: Build artifact\n run: make build\n - name: Generate attestation\n uses: actions/attest-build-provenance@v1\n with:\n subject-path: 'dist/myapp'\n```\n\n**Step 2: Use Hosted Build Service (SLSA L2)**\n\nMigrate to GitHub Actions, GitLab CI, or Cloud Build (already hosted).\n\n**Step 3: Harden Build Platform (SLSA L3)**\n\n- Enable required reviews on protected branches\n- Use GitHub Environment protection rules\n- Enable audit logging\n- Restrict admin access to build pipelines\n\n**Step 4: Implement Hermetic Builds (SLSA L4)**\n\n- Use container-based builds with pinned images\n- No network access during build (cache dependencies)\n- Reproducible builds with Bazel or Nix\n\n---\n\n## SBOM (Software Bill of Materials)\n\n### SBOM Standards\n\n**1. CycloneDX (OWASP)**\n- JSON or XML format\n- Comprehensive (components, services, vulnerabilities)\n- Strong tooling ecosystem\n\n**2. SPDX (Linux Foundation)**\n- ISO/IEC 5962:2021 standard\n- Extensive license information\n- Wide industry adoption\n\n**3. SWID (Software Identification Tags)**\n- ISO/IEC 19770-2 standard\n- XML format\n- Software asset management focus\n\n---\n\n### CycloneDX SBOM Structure\n\n```json\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"metadata\": {\n \"component\": {\n \"type\": \"application\",\n \"name\": \"my-app\",\n \"version\": \"1.0.0\"\n }\n },\n \"components\": [\n {\n \"type\": \"library\",\n \"name\": \"express\",\n \"version\": \"4.18.2\",\n \"purl\": \"pkg:npm/[email protected]\",\n \"licenses\": [{\"license\": {\"id\": \"MIT\"}}],\n \"hashes\": [\n {\n \"alg\": \"SHA-256\",\n \"content\": \"abc123...\"\n }\n ]\n }\n ],\n \"dependencies\": [\n {\n \"ref\": \"pkg:npm/[email protected]\",\n \"dependsOn\": [\"pkg:npm/[email protected]\"]\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2024-1234\",\n \"source\": {\"name\": \"NVD\"},\n \"ratings\": [{\"severity\": \"high\"}],\n \"affects\": [{\"ref\": \"pkg:npm/[email protected]\"}]\n }\n ]\n}\n```\n\n---\n\n### Generating SBOMs\n\n**Node.js (NPM):**\n```bash\n# Using CycloneDX\nnpx @cyclonedx/cyclonedx-npm --output-file sbom.json\n\n# Using Syft\nsyft dir:. -o cyclonedx-json > sbom.json\n```\n\n**Python:**\n```bash\n# Using CycloneDX\npip install cyclonedx-bom\ncyclonedx-py -o sbom.json\n\n# Using Syft\nsyft dir:. -o cyclonedx-json > sbom.json\n```\n\n**Java (Maven):**\n```bash\n# Using CycloneDX Maven Plugin\nmvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom\n```\n\n**Container Images:**\n```bash\n# Using Syft\nsyft nginx:latest -o cyclonedx-json > sbom.json\n\n# Using Trivy\ntrivy image --format cyclonedx nginx:latest > sbom.json\n```\n\n---\n\n### SBOM Use Cases\n\n**1. Vulnerability Management**\n\nWhen CVE disclosed (e.g., Log4Shell):\n```bash\n# Search SBOM for affected component\ncat sbom.json | jq '.components[] | select(.name == \"log4j-core\")'\n\n# Output: All instances of log4j-core and versions\n# Action: Identify affected applications and prioritize patches\n```\n\n**2. License Compliance**\n\n```bash\n# Extract all licenses from SBOM\ncat sbom.json | jq '.components[].licenses[].license.id' | sort | uniq\n\n# Flag non-approved licenses\ncat sbom.json | jq '.components[] | select(.licenses[].license.id == \"GPL-3.0\")'\n```\n\n**3. Supply Chain Risk Assessment**\n\n```bash\n# Identify all components from specific maintainer\ncat sbom.json | jq '.components[] | select(.supplier.name == \"Compromised Vendor\")'\n\n# Identify components without hash verification\ncat sbom.json | jq '.components[] | select(.hashes == null)'\n```\n\n**4. Incident Response**\n\nDuring security incident:\n- Quickly identify all applications using vulnerable component\n- Assess blast radius across organization\n- Prioritize remediation based on SBOM data\n\n---\n\n## Dependency Scanning Tools\n\n| Tool | Languages | Features | Best For |\n|------|-----------|----------|----------|\n| **Dependabot** | Multi-language | Automated PRs, GitHub native | GitHub users |\n| **Snyk** | Multi-language | Vuln scanning, license compliance, fix PRs | Developers, CI/CD |\n| **OWASP Dependency-Check** | Java, .NET, Python, Ruby, Node.js | CVE scanning, CLI/CI | Open-source projects |\n| **Renovate** | Multi-language | Automated updates, flexible config | Advanced automation |\n| **Trivy** | Multi-language, containers, IaC | CVE scanning, misconfiguration | Containers, cloud-native |\n| **Grype** | Multi-language, containers | Fast CVE scanning | CI/CD pipelines |\n| **JFrog Xray** | Multi-language, artifacts | Artifact scanning, policy enforcement | Enterprise, JFrog users |\n\n---\n\n## Dependency Management Best Practices\n\n### 1. Minimize Dependencies\n\n**Principle:** Fewer dependencies = smaller attack surface\n\n**Actions:**\n- Remove unused dependencies\n- Evaluate necessity before adding new dependencies\n- Consider implementing simple functionality in-house vs. adding dependency\n- Use tree-shaking and dead code elimination\n\n**Example:**\n```bash\n# Analyze dependency tree\nnpm ls --all\n\n# Find unused dependencies (Node.js)\nnpx depcheck\n\n# Remove unused\nnpm uninstall \u003cunused-package>\n```\n\n---\n\n### 2. Pin Dependency Versions\n\n**Principle:** Lock files prevent unexpected updates with vulnerabilities\n\n**Actions:**\n- Commit lock files (package-lock.json, Pipfile.lock, go.sum)\n- Use exact versions in production (avoid `^` or `~` ranges)\n- Pin Docker base image versions with SHA digests\n\n**Example:**\n```dockerfile\n# Bad: Uses mutable tag\nFROM node:18\n\n# Better: Use specific version\nFROM node:18.19.0\n\n# Best: Pin to specific SHA digest (immutable)\nFROM node:18.19.0@sha256:abc123...\n```\n\n---\n\n### 3. Continuous Dependency Scanning\n\n**Principle:** Detect vulnerabilities as soon as they're disclosed\n\n**Actions:**\n- Scan on every commit (CI/CD integration)\n- Scheduled scans (nightly) even without code changes\n- Monitor security advisories (GitHub Security Advisories, NVD)\n\n**Example (GitHub Actions):**\n```yaml\nname: Dependency Scan\non:\n push:\n schedule:\n - cron: '0 0 * * *' # Daily at midnight\njobs:\n scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - name: Run Trivy\n uses: aquasecurity/trivy-action@master\n with:\n scan-type: 'fs'\n severity: 'CRITICAL,HIGH'\n```\n\n---\n\n### 4. Automated Security Updates\n\n**Principle:** Reduce time-to-patch for security vulnerabilities\n\n**Actions:**\n- Enable Dependabot security updates\n- Configure auto-merge for patch updates\n- Test updates automatically (CI/CD)\n\n**Example (Dependabot config):**\n```yaml\nversion: 2\nupdates:\n - package-ecosystem: \"npm\"\n directory: \"/\"\n schedule:\n interval: \"daily\"\n open-pull-requests-limit: 10\n reviewers:\n - \"security-team\"\n # Auto-merge patch updates\n auto-merge:\n enabled: true\n allowed-updates:\n - match:\n dependency-type: \"all\"\n update-type: \"security:patch\"\n```\n\n---\n\n### 5. Vendor and Maintainer Monitoring\n\n**Principle:** Abandoned or compromised maintainers pose supply chain risks\n\n**Actions:**\n- Monitor maintainer activity (last release, commit frequency)\n- Check number of maintainers (single maintainer = risk)\n- Subscribe to security advisories from vendors\n- Consider package reputation and trust scores\n\n**Red Flags:**\n- No updates in > 1 year\n- Single maintainer with no activity\n- Recent ownership transfer\n- Unusual dependency additions\n- Obfuscated code\n\n---\n\n### 6. Private Dependency Mirrors\n\n**Principle:** Control and audit all dependencies before use\n\n**Actions:**\n- Host private package registry (JFrog Artifactory, Nexus, npm Enterprise)\n- Proxy public registries through private mirror\n- Scan and approve packages before internal use\n- Audit all package downloads\n\n**Architecture:**\n```\nDeveloper → Private Registry → Public Registry (npm, PyPI)\n (scan, approve) (upstream source)\n```\n\n---\n\n## Supply Chain Attack Vectors\n\n### 1. Compromised Dependencies\n\n**Attack:** Attacker publishes malicious package or compromises existing package\n\n**Examples:**\n- event-stream (npm): Malicious code injected to steal cryptocurrency\n- ua-parser-js (npm): Compromised package downloaded cryptocurrency miner\n- codecov (Bash uploader): Compromised to steal credentials\n\n**Mitigations:**\n- Dependency scanning (detect known malicious packages)\n- SBOM generation (visibility into all dependencies)\n- Subresource Integrity (SRI) for CDN-hosted scripts\n- Private package mirrors with approval workflow\n\n---\n\n### 2. Typosquatting\n\n**Attack:** Attacker creates package with similar name to popular package\n\n**Examples:**\n- `requessts` (typo of `requests` in Python)\n- `electorn` (typo of `electron` in npm)\n\n**Mitigations:**\n- Code review of dependency additions\n- Use package manager lockfiles (prevent unexpected installs)\n- Namespace verification (official org/maintainer)\n- IDE/linter warnings for common typos\n\n---\n\n### 3. Dependency Confusion\n\n**Attack:** Attacker publishes public package with same name as internal package, causing package manager to install public (malicious) version\n\n**Examples:**\n- Alex Birsan's research (2021): Compromised Apple, Microsoft, Tesla via dependency confusion\n\n**Mitigations:**\n- Use scoped packages (@mycompany/package-name)\n- Configure package manager to prefer private registry\n- Namespace reservation on public registries\n\n**Example (npm config):**\n```ini\n# .npmrc\n@mycompany:registry=https://npm.internal.company.com\nregistry=https://registry.npmjs.org\n```\n\n---\n\n### 4. Compromised Build Pipeline\n\n**Attack:** Attacker gains access to CI/CD pipeline to inject malicious code during build\n\n**Examples:**\n- SolarWinds Orion (2020): Build pipeline compromised to inject backdoor\n- CodeCov (2021): Compromised Bash uploader script\n\n**Mitigations:**\n- SLSA Level 3+ (hardened build platform)\n- Least privilege for CI/CD service accounts\n- Audit logging for all build pipeline changes\n- Two-party review for pipeline modifications\n- Hermetic builds (no network access during build)\n\n---\n\n## Summary\n\n**Supply Chain Security Framework:**\n\n1. **SLSA:** Implement progressive build integrity (Level 1 → Level 4)\n2. **SBOM:** Generate and maintain dependency transparency (CycloneDX, SPDX)\n3. **Dependency Scanning:** Continuous vulnerability detection (Snyk, Trivy, Grype)\n4. **Dependency Management:** Pin versions, minimize dependencies, auto-update security patches\n5. **Monitoring:** Track maintainer activity, monitor for compromised packages\n\n**Priority Actions:**\n- Generate SBOM for all applications (CycloneDX)\n- Implement dependency scanning in CI/CD (Trivy, Snyk)\n- Achieve SLSA Level 2 (GitHub Actions with attestations)\n- Enable automated security updates (Dependabot, Renovate)\n- Establish incident response plan for supply chain incidents\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":14972,"content_sha256":"c6d7bbb5a6d1b96f6e21cfea74e9126fe74a643176517d02b59e925fe468607e"},{"filename":"references/threat-modeling.md","content":"# Threat Modeling Reference\n\n## Table of Contents\n\n1. [Overview](#overview)\n2. [STRIDE Methodology](#stride-methodology)\n3. [PASTA Methodology](#pasta-methodology)\n4. [DREAD Risk Scoring](#dread-risk-scoring)\n5. [Attack Trees](#attack-trees)\n6. [Methodology Selection Guide](#methodology-selection-guide)\n\n## Overview\n\nThreat modeling systematically identifies, analyzes, and prioritizes security threats to design appropriate mitigations proactively.\n\n**When to Threat Model:**\n- Designing new applications or systems\n- Making significant architecture changes\n- Entering new threat environments (cloud migration, IoT deployment)\n- Regulatory compliance requirements (PCI DSS, HIPAA)\n- After security incidents (lessons learned)\n\n**Threat Modeling Process:**\n1. Model the system (data flow diagrams, architecture diagrams)\n2. Identify threats (apply methodology - STRIDE, PASTA)\n3. Prioritize threats (risk scoring - DREAD, business impact)\n4. Design mitigations (security controls)\n5. Validate mitigations (testing, review)\n6. Document and maintain (living document, update regularly)\n\n---\n\n## STRIDE Methodology\n\n**Developed by:** Microsoft (Loren Kohnfelder and Praerit Garg, 1999)\n\n**Purpose:** Systematic threat identification using 6 threat categories\n\n**Complexity:** Low (accessible to development teams)\n\n### STRIDE Threat Categories\n\n#### S - Spoofing Identity\n\n**Definition:** Attacker pretends to be someone else (user, service, system)\n\n**Examples:**\n- Phishing emails impersonating legitimate senders\n- Session hijacking (stealing session tokens)\n- Credential theft and replay\n- Man-in-the-middle attacks\n- IP address spoofing\n\n**Mitigations:**\n- Multi-factor authentication (MFA)\n- Certificate validation (mutual TLS)\n- Anti-phishing controls (DMARC, SPF, DKIM)\n- Session token security (HttpOnly, Secure flags, short expiry)\n- Strong authentication protocols (OAuth 2.0, SAML 2.0)\n\n---\n\n#### T - Tampering with Data\n\n**Definition:** Unauthorized modification of data in storage or transit\n\n**Examples:**\n- SQL injection modifying database records\n- Man-in-the-middle modifying network traffic\n- File system tampering\n- Log tampering to hide malicious activity\n- Message interception and alteration\n\n**Mitigations:**\n- Encryption in transit (TLS 1.3)\n- Encryption at rest (AES-256)\n- Digital signatures and hashing (SHA-256, HMAC)\n- Integrity checks (checksums, cryptographic hashes)\n- Input validation and parameterized queries\n- Immutable logs (append-only, centralized SIEM)\n\n---\n\n#### R - Repudiation\n\n**Definition:** User denies performing an action, and no proof exists\n\n**Examples:**\n- \"I didn't make that purchase\"\n- \"I didn't delete that file\"\n- \"I didn't send that email\"\n- \"I didn't access that data\"\n\n**Mitigations:**\n- Comprehensive audit logging\n- Digital signatures (non-repudiation)\n- Timestamping (trusted time source)\n- Centralized log aggregation (SIEM)\n- Tamper-proof logs (immutable storage)\n- Video/session recording for critical actions\n\n---\n\n#### I - Information Disclosure\n\n**Definition:** Exposure of confidential information to unauthorized parties\n\n**Examples:**\n- SQL injection revealing database contents\n- Directory traversal exposing file system\n- API responses leaking sensitive data\n- Error messages revealing system details\n- Unencrypted data transmission\n- Misconfigured cloud storage (public S3 buckets)\n\n**Mitigations:**\n- Encryption (at rest, in transit, in use)\n- Access control (RBAC, ABAC, least privilege)\n- Data classification and DLP (Data Loss Prevention)\n- Minimize data exposure (return only necessary data)\n- Secure error handling (generic error messages)\n- Regular security scanning (DAST, penetration testing)\n\n---\n\n#### D - Denial of Service\n\n**Definition:** Making system unavailable to legitimate users\n\n**Examples:**\n- DDoS attacks (volumetric, protocol, application layer)\n- Resource exhaustion (memory leaks, CPU spikes)\n- Application crash exploits (buffer overflow)\n- Database locking attacks\n- API rate limit bypass\n\n**Mitigations:**\n- DDoS protection services (Cloudflare, AWS Shield)\n- Rate limiting and throttling (API gateways)\n- Resource quotas and limits (CPU, memory, connections)\n- Auto-scaling (horizontal scaling under load)\n- Circuit breakers and graceful degradation\n- Input validation (prevent malformed requests)\n- Redundancy and load balancing\n\n---\n\n#### E - Elevation of Privilege\n\n**Definition:** Gaining higher privileges than authorized\n\n**Examples:**\n- Privilege escalation exploits (kernel exploits, sudo misconfigurations)\n- Buffer overflow attacks\n- SQL injection leading to admin access\n- Insecure direct object references (IDOR)\n- Misconfigured permissions (excessive IAM policies)\n\n**Mitigations:**\n- Principle of least privilege\n- Input validation and sanitization\n- Regular security patching\n- Secure coding practices (OWASP guidelines)\n- SAST/DAST scanning in CI/CD\n- Role-based access control (RBAC)\n- Privilege separation (run services as non-root)\n- Security testing (penetration testing, fuzzing)\n\n---\n\n### STRIDE Application Process\n\n**Step 1: Model the System**\n\nCreate Data Flow Diagrams (DFDs) showing:\n- **External Entities:** Users, external systems, APIs\n- **Processes:** Application components, services, functions\n- **Data Stores:** Databases, file systems, caches\n- **Data Flows:** Communication paths between components\n- **Trust Boundaries:** Network perimeters, authentication boundaries\n\n**Example DFD Elements:**\n```\n[User] --(HTTPS)--> [Web Server] --(SQL)--> [Database]\n │ │\n External Entity Process Data Store\n │ │\n ─────┼───────────────────────────┼──────── Trust Boundary\n```\n\n**Step 2: Identify Threats**\n\nApply STRIDE to each element:\n- **External Entities:** Spoofing\n- **Processes:** Tampering, Repudiation, Denial of Service, Elevation of Privilege\n- **Data Stores:** Tampering, Information Disclosure, Denial of Service\n- **Data Flows:** Tampering, Information Disclosure, Denial of Service\n\n**Step 3: Document Threats**\n\nCreate threat list with:\n- Threat ID\n- STRIDE category\n- Affected component\n- Threat description\n- Potential impact\n- Proposed mitigation\n\n**Step 4: Prioritize Threats**\n\nUse DREAD scoring or business impact to prioritize.\n\n**Step 5: Mitigate Threats**\n\nDesign and implement security controls.\n\n---\n\n### STRIDE Example: Web Application Login\n\n| Component | Threat Type | Threat | Mitigation |\n|-----------|-------------|--------|------------|\n| Login page | Spoofing | Credential phishing | MFA, anti-phishing (FIDO2), user education |\n| Login form | Tampering | Form field manipulation | Server-side validation, CSRF tokens |\n| Authentication flow | Repudiation | User denies login | Audit logs with IP, timestamp, device info |\n| Database | Info Disclosure | SQL injection exposing passwords | Parameterized queries, password hashing (bcrypt, Argon2) |\n| Login endpoint | Denial of Service | Brute force attacks | Rate limiting, account lockout, CAPTCHA |\n| Session management | Elevation | Session hijacking → admin access | Secure session tokens, HttpOnly/Secure flags, short expiry |\n\n---\n\n## PASTA Methodology\n\n**Process for Attack Simulation and Threat Analysis**\n\n**Developed by:** VerSprite (Tony UcedaVélez and Marco Morana)\n\n**Purpose:** Risk-centric threat analysis aligned with business objectives\n\n**Complexity:** High (enterprise-level, comprehensive)\n\n### 7 Stages of PASTA\n\n#### Stage 1: Define Business Objectives\n\nIdentify business goals, compliance requirements, and acceptable risk levels.\n\n**Activities:**\n- Document business objectives (revenue, customer trust, compliance)\n- Define security objectives aligned with business (data protection, availability, integrity)\n- Identify compliance requirements (GDPR, SOC 2, HIPAA, PCI DSS)\n- Determine risk tolerance (risk appetite, risk thresholds)\n\n**Output:** Business context and security objectives\n\n---\n\n#### Stage 2: Define Technical Scope\n\nInventory assets and document technical architecture.\n\n**Activities:**\n- Asset inventory (applications, databases, servers, network devices, cloud resources)\n- Network architecture documentation (network diagrams, data flows)\n- Identify trust boundaries (internet-facing, internal networks, DMZ)\n- Document dependencies (third-party services, APIs, libraries)\n\n**Output:** Technical scope and asset inventory\n\n---\n\n#### Stage 3: Application Decomposition\n\nBreak down application into components and analyze each.\n\n**Activities:**\n- Identify application components (front-end, API, database, authentication)\n- Map data flows between components\n- Document authentication and authorization mechanisms\n- Identify entry points (user inputs, API endpoints, file uploads)\n- Analyze session management\n\n**Output:** Detailed application architecture and data flow diagrams\n\n---\n\n#### Stage 4: Threat Analysis\n\nIdentify threat actors and attack vectors.\n\n**Activities:**\n- Identify threat actors (cybercriminals, nation-states, insiders, competitors)\n- Determine threat actor motivations (financial gain, espionage, disruption)\n- Map to MITRE ATT&CK framework (tactics, techniques, procedures)\n- Analyze past attack patterns (threat intelligence, incident history)\n- Identify attack surfaces (internet-facing assets, supply chain)\n\n**Output:** Threat actor profiles and attack scenarios\n\n---\n\n#### Stage 5: Vulnerability & Weakness Analysis\n\nIdentify vulnerabilities in the system.\n\n**Activities:**\n- Code review (SAST findings, manual review)\n- DAST/penetration testing findings\n- Configuration review (misconfigurations, default credentials)\n- Map to CWE (Common Weakness Enumeration)\n- Dependency vulnerabilities (SCA findings, SBOM analysis)\n\n**Output:** Vulnerability inventory and weaknesses\n\n---\n\n#### Stage 6: Attack Modeling\n\nSimulate attack scenarios and analyze feasibility.\n\n**Activities:**\n- Create attack trees for identified threats\n- Simulate attack scenarios (walkthrough attack paths)\n- Analyze attack feasibility (required skills, resources, time)\n- Determine likelihood of success\n- Estimate attack impact (data loss, downtime, financial)\n\n**Output:** Attack scenarios and feasibility analysis\n\n---\n\n#### Stage 7: Risk & Impact Analysis\n\nQuantify business impact and prioritize remediation.\n\n**Activities:**\n- Quantify financial impact (data breach costs, downtime costs, regulatory fines)\n- Assess reputational impact (customer trust, brand damage)\n- Calculate risk scores (likelihood × impact)\n- Prioritize risks by business impact\n- Recommend risk treatments (mitigate, accept, transfer, avoid)\n\n**Output:** Prioritized risk list with business impact and remediation recommendations\n\n---\n\n### PASTA vs STRIDE Comparison\n\n| Aspect | PASTA | STRIDE |\n|--------|-------|--------|\n| **Focus** | Risk-centric, business-aligned | Threat identification |\n| **Complexity** | High (7 stages, comprehensive) | Low (6 categories, straightforward) |\n| **Time Required** | Weeks to months | Days to weeks |\n| **Output** | Prioritized risks, attack scenarios, business impact | Threat list with mitigations |\n| **Best For** | Enterprise risk management, C-level reporting | Development teams, agile environments |\n| **Business Alignment** | Strong (starts with business objectives) | Weak (technical focus) |\n\n**When to Use PASTA:**\n- Enterprise risk assessments\n- Compliance-driven threat modeling\n- C-level security reporting\n- High-risk systems (financial, healthcare, critical infrastructure)\n\n**When to Use STRIDE:**\n- Development team threat modeling\n- Agile/DevSecOps integration\n- Quick threat identification\n- Low to medium risk systems\n\n---\n\n## DREAD Risk Scoring\n\n**Developed by:** Microsoft (now deprecated internally but still widely used)\n\n**Purpose:** Quantify risk with numeric scores for prioritization\n\n### DREAD Factors (1-10 scale)\n\n#### D - Damage Potential\n\nHow much damage can the attack cause?\n\n- **10:** Complete system compromise, data destruction, total business disruption\n- **7-9:** Significant data loss, major service disruption, regulatory violations\n- **4-6:** Information disclosure, partial denial of service, limited data loss\n- **1-3:** Minor inconvenience, limited impact\n\n**Example:**\n- SQL injection exposing customer database: **9** (massive data breach)\n- XSS on low-traffic page: **4** (limited user impact)\n\n---\n\n#### R - Reproducibility\n\nHow easily can the attack be reproduced?\n\n- **10:** Attack works every time with no special conditions\n- **7-9:** Attack works most of the time with minimal setup\n- **4-6:** Attack requires specific timing, conditions, or configuration\n- **1-3:** Attack is extremely difficult to reproduce, requires rare conditions\n\n**Example:**\n- SQL injection with automated tool: **10** (always works)\n- Race condition exploit: **4** (requires precise timing)\n\n---\n\n#### E - Exploitability\n\nHow easy is it to launch the attack?\n\n- **10:** No authentication required, automated exploit available, script kiddie level\n- **7-9:** Requires authentication, manual exploit, moderate skill\n- **4-6:** Requires deep technical knowledge, custom exploit development\n- **1-3:** Requires expert-level skills, significant resources, insider access\n\n**Example:**\n- Public RCE exploit for known CVE: **10** (Metasploit module available)\n- Zero-day kernel exploit: **3** (requires advanced skills)\n\n---\n\n#### A - Affected Users\n\nHow many users are affected?\n\n- **10:** All users affected (entire user base)\n- **7-9:** Large subset of users (most users, all customers)\n- **4-6:** Some users affected (specific user segment)\n- **1-3:** Few users affected (admin only, single user)\n\n**Example:**\n- Authentication bypass on public website: **10** (all users)\n- Privilege escalation requiring admin role: **2** (admin only)\n\n---\n\n#### D - Discoverability\n\nHow easy is it to discover the vulnerability?\n\n- **10:** Vulnerability is obvious, already public, scanners detect it\n- **7-9:** Vulnerability easily found with standard tools\n- **4-6:** Requires some effort, security testing to discover\n- **1-3:** Nearly impossible to discover, requires source code access\n\n**Example:**\n- Unpatched public CVE: **10** (scanners detect, exploits available)\n- Logic flaw in business workflow: **4** (requires code review)\n\n---\n\n### Risk Score Calculation\n\n**Formula:**\n```\nRisk Score = (Damage + Reproducibility + Exploitability + Affected Users + Discoverability) / 5\n```\n\n**Risk Levels:**\n- **Critical:** 8.0 - 10.0 (immediate action required)\n- **High:** 6.0 - 7.9 (urgent remediation)\n- **Medium:** 4.0 - 5.9 (plan remediation)\n- **Low:** 1.0 - 3.9 (monitor, low priority)\n\n---\n\n### DREAD Scoring Examples\n\n**Example 1: SQL Injection in Login Form**\n\n- **Damage:** 9 (Database compromise, all user data exposed)\n- **Reproducibility:** 10 (Works every time)\n- **Exploitability:** 8 (Automated tools available, moderate skill)\n- **Affected Users:** 10 (All users' data at risk)\n- **Discoverability:** 9 (Common vulnerability, scanners detect)\n\n**Risk Score:** (9 + 10 + 8 + 10 + 9) / 5 = **9.2 (Critical)**\n\n---\n\n**Example 2: Stored XSS on Admin Panel**\n\n- **Damage:** 6 (Admin session hijacking, limited to admin accounts)\n- **Reproducibility:** 10 (Works every time)\n- **Exploitability:** 7 (Requires authentication, manual exploit)\n- **Affected Users:** 2 (Admin users only)\n- **Discoverability:** 6 (Requires security testing to find)\n\n**Risk Score:** (6 + 10 + 7 + 2 + 6) / 5 = **6.2 (High)**\n\n---\n\n**Example 3: Information Disclosure in Error Messages**\n\n- **Damage:** 4 (Reveals internal paths, versions; aids reconnaissance)\n- **Reproducibility:** 10 (Consistent error messages)\n- **Exploitability:** 10 (No authentication required, trivial to trigger)\n- **Affected Users:** 10 (All users can trigger)\n- **Discoverability:** 8 (Easy to find with basic testing)\n\n**Risk Score:** (4 + 10 + 10 + 10 + 8) / 5 = **8.4 (Critical)**\n\n*Note: Despite low damage, high exploitability and discoverability make this critical for remediation.*\n\n---\n\n## Attack Trees\n\n**Visual threat modeling technique showing hierarchical attack paths**\n\n### Attack Tree Structure\n\n- **Goal (Root Node):** Attacker's objective (e.g., \"Compromise Web Application\")\n- **Attack Paths (Branches):** Different ways to achieve goal\n- **Attack Steps (Leaf Nodes):** Atomic actions required\n\n**Gates:**\n- **OR Gate:** Any child node success achieves parent goal\n- **AND Gate:** All child nodes must succeed for parent goal\n\n---\n\n### Attack Tree Example: Compromise Web Application\n\n```\n Compromise Web Application (GOAL)\n │\n ┌─────────────────────┼─────────────────────┐\n │ [OR] │ [OR] │ [OR]\n Exploit SQLi Steal Credentials Exploit Vuln Lib\n │ │ │\n ┌───┴───┐ ┌─────┴─────┐ ┌────┴────┐\n │ [AND] │ │ [OR] │ [OR] │ [AND] │\nFind Input Bypass Phishing Credential Find Vuln Exploit\nValidation WAF Email Stuffing in SBOM CVE\n │ │ │ │ │ │\n ▼ ▼ ▼ ▼ ▼ ▼\n [TEST] [TEST] [SEND] [RUN] [SCAN] [RUN]\n [SCRIPT] [EXPLOIT]\n\nLeaf Nodes (Actions):\n- TEST: Automated scanning (sqlmap, Burp Suite)\n- SEND: Phishing campaign\n- RUN SCRIPT: Credential stuffing attack\n- SCAN: SBOM analysis, vulnerability scanning\n- RUN EXPLOIT: Execute public exploit (Metasploit)\n```\n\n---\n\n### Attack Tree Analysis\n\n**Assign Values to Leaf Nodes:**\n\n- **Cost:** Time, resources, skills required\n- **Likelihood:** Probability of success\n- **Detection Risk:** Probability of detection\n\n**Example:**\n\n| Attack Step | Cost | Likelihood | Detection Risk |\n|-------------|------|------------|----------------|\n| Find Input Validation (SQLi) | Low (automated) | High (common) | Medium (WAF logs) |\n| Bypass WAF | Medium (manual) | Medium (depends on WAF) | High (alerts) |\n| Phishing Email | Low (templates) | Medium (user training) | High (email filters) |\n| Credential Stuffing | Low (automated) | Medium (depends on passwords) | Medium (rate limiting) |\n| Find Vuln in SBOM | Low (scanners) | High (if outdated libs) | Low (passive) |\n| Exploit CVE | Low (public exploits) | High (if unpatched) | High (IDS/IPS) |\n\n**Risk Calculation:**\n\nMost likely path: **Find Vuln in SBOM → Exploit CVE**\n- Low cost, high likelihood, low detection risk (until exploit runs)\n\n**Mitigation Priority:**\n1. Dependency scanning and patching (blocks \"Find Vuln in SBOM\")\n2. WAF with virtual patching (blocks \"Exploit CVE\")\n3. Input validation and parameterized queries (blocks \"Find Input Validation\")\n\n---\n\n## Methodology Selection Guide\n\n### Decision Matrix\n\n| Criterion | STRIDE | PASTA | DREAD | Attack Trees |\n|-----------|--------|-------|-------|--------------|\n| **Ease of Use** | High | Low | High | Medium |\n| **Time Required** | Low (days) | High (weeks) | Low (hours) | Medium (days) |\n| **Business Alignment** | Low | High | Medium | Low |\n| **Comprehensive Coverage** | High | Very High | N/A (scoring only) | Medium |\n| **Quantitative Risk** | No | Yes | Yes | Yes (if values assigned) |\n| **Best For** | Dev teams | Enterprise | Prioritization | Visualization |\n\n---\n\n### Recommendation by Use Case\n\n**Use Case: Agile Development Team Threat Modeling**\n- **Primary:** STRIDE (quick, comprehensive threat identification)\n- **Secondary:** DREAD (prioritize threats for sprint planning)\n- **Cadence:** Every major feature, architecture change\n\n**Use Case: Enterprise Risk Assessment**\n- **Primary:** PASTA (business-aligned, comprehensive)\n- **Secondary:** Attack Trees (visualize complex attack scenarios)\n- **Cadence:** Annually, or for critical systems\n\n**Use Case: Prioritizing Vulnerability Remediation**\n- **Primary:** DREAD (quantitative risk scoring)\n- **Secondary:** CVSS scores (industry standard for CVEs)\n- **Cadence:** Continuous (as vulnerabilities discovered)\n\n**Use Case: Security Architecture Review**\n- **Primary:** Attack Trees (visualize attack paths)\n- **Secondary:** STRIDE (comprehensive threat coverage)\n- **Cadence:** During architecture design, major changes\n\n---\n\n## Summary\n\n**Threat Modeling Methodologies:**\n- **STRIDE:** Systematic threat identification using 6 categories (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege)\n- **PASTA:** 7-stage risk-centric analysis aligned with business objectives\n- **DREAD:** Numeric risk scoring (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)\n- **Attack Trees:** Visual representation of attack paths and scenarios\n\n**Recommended Approach:**\n1. Use STRIDE for comprehensive threat identification\n2. Use DREAD to prioritize threats by risk\n3. Use Attack Trees to visualize complex attack scenarios\n4. Use PASTA for enterprise-level risk assessments with business impact analysis\n\nIntegrate threat modeling into SDLC: Design phase (architecture threat modeling), Development (code-level STRIDE), Pre-deployment (comprehensive PASTA for critical systems).\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":21371,"content_sha256":"ac4512b32b4070e0f7f559952f302f32f4d1171a0508d3dc8ac1825f23dd2c4d"},{"filename":"references/zero-trust-architecture.md","content":"# Zero Trust Architecture Reference\n\n## Table of Contents\n\n1. [Overview](#overview)\n2. [Core Principles](#core-principles)\n3. [Reference Architecture](#reference-architecture)\n4. [Implementation Roadmap](#implementation-roadmap)\n5. [Technology Components](#technology-components)\n6. [Common Patterns](#common-patterns)\n\n## Overview\n\nZero Trust Architecture (ZTA) implements the principle \"never trust, always verify\" where every access request is authenticated, authorized, and continuously validated regardless of network location.\n\n**Key Shift:** Traditional security assumes trust inside the network perimeter. Zero Trust assumes breach and verifies explicitly at every access request.\n\n**Primary Standard:** NIST Special Publication 800-207 - Zero Trust Architecture\n\n## Core Principles\n\n### 1. Never Trust, Always Verify\n\n**Traditional Model:**\n- Trust based on network location (inside corporate network = trusted)\n- VPN grants broad network access\n\n**Zero Trust Model:**\n- No implicit trust based on location\n- Every access request authenticated and authorized\n- Continuous verification throughout session\n\n**Implementation:**\n- Authenticate users with MFA at every access request\n- Validate device posture before granting access\n- Re-authenticate periodically during session\n- Monitor session for anomalies\n\n---\n\n### 2. Assume Breach\n\n**Design Philosophy:**\n- Assume attackers are already inside the network\n- Limit blast radius of any compromise\n- Detect and contain breaches quickly\n\n**Implementation:**\n- Micro-segmentation: Isolate workloads to prevent lateral movement\n- Least privilege: Minimize permissions granted\n- Continuous monitoring: Detect anomalous behavior\n- Automated response: Contain threats immediately\n\n---\n\n### 3. Explicit Verification\n\nVerify multiple signals before granting access:\n\n**User Identity:**\n- Multi-factor authentication (MFA)\n- Biometric verification\n- Risk-based authentication\n\n**Device Health:**\n- Operating system version and patch level\n- Endpoint protection status (EDR running, up-to-date)\n- Encryption status (disk encryption enabled)\n- Compliance with security policies\n\n**Application Integrity:**\n- Code signing verification\n- Runtime integrity checks\n- Vulnerability status\n\n**Context:**\n- Location (geolocation, IP address)\n- Time of access (business hours vs. unusual times)\n- Behavior (normal vs. anomalous patterns)\n- Threat intelligence (known malicious IPs, IOCs)\n\n---\n\n### 4. Least Privilege Access\n\nGrant minimum permissions required to complete tasks.\n\n**Just-in-Time (JIT) Access:**\n- Elevate privileges only when needed\n- Time-bound access (e.g., 4 hours)\n- Automated de-provisioning after time expires\n\n**Just-Enough-Access (JEA):**\n- Minimal permissions for specific tasks\n- No standing admin privileges\n- Role-based or attribute-based access control\n\n**Access Recertification:**\n- Periodic review of user permissions\n- Automated removal of unused permissions\n- Manager attestation for critical access\n\n---\n\n### 5. Micro-Segmentation\n\nDivide network into small, isolated zones with granular access controls.\n\n**Traditional Segmentation:**\n- Coarse-grained: DMZ, internal network, database tier\n- Network-based: VLANs, subnets\n\n**Micro-Segmentation:**\n- Fine-grained: Per-application, per-workload isolation\n- Identity-based: Access based on user/service identity, not network location\n- Dynamic: Policies follow workloads (cloud-native, containers)\n\n**Technologies:**\n- Zero Trust Network Access (ZTNA)\n- Service mesh (Istio, Linkerd)\n- Cloud security groups with identity-based rules\n- Software-defined perimeter (SDP)\n\n---\n\n## Reference Architecture\n\n```\n┌──────────────────────────────────────────────────────────────────┐\n│ POLICY DECISION POINT │\n│ (Policy Engine + Policy Administrator) │\n│ │\n│ Input: User ID, Device Health, Resource, Context │\n│ Output: ALLOW / DENY access decision │\n└──────────────────────┬───────────────────────────────────────────┘\n │ Policy Decision\n │\n ┌─────────────┼─────────────┐\n │ │ │\n ┌────▼────┐ ┌────▼────┐ ┌───▼────┐\n │ Identity│ │ Device │ │Context │\n │ Provider│ │ Posture │ │ & Risk │\n │ (IdP) │ │ Service │ │ Engine │\n │ │ │ │ │ │\n │ - Users │ │ - OS │ │ - Geo │\n │ - MFA │ │ - EDR │ │ - Time │\n │ - SSO │ │ - Patch │ │ - UEBA │\n └─────────┘ └─────────┘ └────────┘\n │ │ │\n └─────────────┼─────────────┘\n │ Trust Signals\n ┌─────────────▼─────────────┐\n │ POLICY ENFORCEMENT POINT │\n │ (PEP - Gateways) │\n │ │\n │ - ZTNA Gateway │\n │ - API Gateway │\n │ - Reverse Proxy │\n └─────────────┬─────────────┘\n │ Enforced Access\n ┌──────────────────┼──────────────────┐\n │ │ │\n┌───▼───┐ ┌────▼────┐ ┌───▼────┐\n│ User │ │ App │ │ Data │\n│Access │ │ Access │ │ Access │\n│(SaaS, │ │ (APIs, │ │ (DBs, │\n│ Apps) │ │ Services)│ │ S3) │\n└───┬───┘ └────┬────┘ └───┬────┘\n │ │ │\n┌───▼────────┐ ┌────▼─────────┐ ┌───▼─────────┐\n│ End Users │ │ Applications │ │ Data Stores│\n│ (Humans) │ │ (Workloads) │ │ (Storage) │\n└────────────┘ └──────────────┘ └─────────────┘\n```\n\n### Architecture Components\n\n**1. Policy Decision Point (PDP):**\n- **Policy Engine:** Makes access decisions (allow/deny) based on policies and trust signals\n- **Policy Administrator:** Establishes/shuts down communication paths between subjects and resources\n\n**2. Trust Signal Sources:**\n- **Identity Provider (IdP):** Azure AD, Okta, Auth0, Ping Identity\n - User/service identity verification\n - MFA enforcement\n - SSO integration\n- **Device Posture Service:** Microsoft Intune, Jamf, VMware Workspace ONE\n - Device inventory and health checks\n - Compliance verification\n - Integration with MDM/UEM platforms\n- **Context & Risk Engine:** Microsoft Sentinel, Splunk, UEBA platforms\n - Behavioral analytics\n - Geolocation and time-based risk\n - Threat intelligence integration\n - Adaptive risk scoring\n\n**3. Policy Enforcement Point (PEP):**\n- **ZTNA Gateways:** Zscaler Private Access, Palo Alto Prisma Access, Cloudflare Access\n - Enforce policy decisions\n - Terminate connections if trust changes\n - No direct network access granted\n- **API Gateways:** Kong, Apigee, AWS API Gateway\n - Enforce API-level policies\n - Rate limiting and throttling\n - JWT validation\n- **Reverse Proxies:** NGINX, Envoy, Traefik\n - Application-level access control\n - TLS termination\n - Request filtering\n\n---\n\n## Implementation Roadmap\n\n### Phase 1: Foundation (Months 1-3)\n\n**Objective:** Establish identity and visibility foundation\n\n**Tasks:**\n1. **Asset Inventory:**\n - Inventory all users (employees, contractors, partners)\n - Inventory all devices (workstations, mobile, servers, IoT)\n - Inventory all applications (SaaS, on-premises, cloud)\n - Inventory all data stores and classification\n\n2. **Identity Provider Deployment:**\n - Deploy centralized IdP (Azure AD, Okta)\n - Implement SSO for all applications\n - Enforce MFA for all users (prioritize privileged accounts)\n - Integrate on-premises AD with cloud IdP (hybrid identity)\n\n3. **Device Management:**\n - Deploy MDM/UEM platform (Intune, Jamf, Workspace ONE)\n - Enroll all devices\n - Establish device compliance policies (encryption, patch level, EDR)\n - Enable device posture checks\n\n4. **Visibility:**\n - Deploy SIEM for centralized logging\n - Enable cloud audit logs (CloudTrail, Azure Monitor, GCP Cloud Logging)\n - Establish baseline network traffic patterns\n - Map data flows between applications\n\n**Success Metrics:**\n- 100% user MFA enrollment\n- 95%+ device enrollment in MDM\n- Centralized logging operational\n- Asset inventory complete\n\n---\n\n### Phase 2: Access Controls (Months 4-6)\n\n**Objective:** Implement least privilege access and strong authentication\n\n**Tasks:**\n1. **Least Privilege Access:**\n - Review and document all user roles and permissions\n - Implement RBAC (role-based access control)\n - Remove excessive permissions (principle of least privilege)\n - Document and approve all privileged access\n\n2. **Privileged Access Management (PAM):**\n - Deploy PAM solution (CyberArk, BeyondTrust, HashiCorp Vault)\n - Implement JIT (just-in-time) access for admins\n - Remove standing privileged credentials\n - Enable session recording for all privileged access\n\n3. **Conditional Access Policies:**\n - Implement risk-based authentication\n - Require MFA for high-risk scenarios (new device, unusual location)\n - Block access from known malicious IPs\n - Enforce device compliance before granting access\n\n4. **Identity Governance:**\n - Establish user lifecycle processes (joiner/mover/leaver)\n - Implement access certification (quarterly reviews)\n - Automate access revocation on termination\n - Segregation of duties (SoD) enforcement\n\n**Success Metrics:**\n- 0 standing admin credentials\n- 100% privileged access via JIT\n- Conditional access policies active\n- Access certification process operational\n\n---\n\n### Phase 3: Micro-Segmentation (Months 7-9)\n\n**Objective:** Limit lateral movement through network segmentation\n\n**Tasks:**\n1. **Application Dependency Mapping:**\n - Map all application dependencies and data flows\n - Document north-south traffic (user → application)\n - Document east-west traffic (application → application)\n - Identify critical assets requiring isolation\n\n2. **Design Segmentation Zones:**\n - Define micro-segmentation zones (per-application, per-tier)\n - Create security policies for each zone\n - Plan migration sequence (critical apps first)\n\n3. **ZTNA Deployment:**\n - Deploy ZTNA solution for remote access (replace VPN)\n - Configure application connectors/gateways\n - Migrate users from VPN to ZTNA (phased rollout)\n - Decommission VPN infrastructure\n\n4. **Service Mesh (Cloud-Native):**\n - Deploy service mesh (Istio, Linkerd) for Kubernetes\n - Implement mutual TLS (mTLS) between services\n - Define service-to-service authorization policies\n - Monitor east-west traffic\n\n5. **Network Policy Enforcement:**\n - Implement network policies (Kubernetes Network Policies, security groups)\n - Default deny all traffic, allow explicitly\n - Log all blocked traffic for tuning\n\n**Success Metrics:**\n- ZTNA replaces VPN for remote access\n- Critical applications micro-segmented\n- East-west traffic controlled by policies\n- Lateral movement significantly reduced\n\n---\n\n### Phase 4: Monitoring & Automation (Months 10-12)\n\n**Objective:** Continuous verification and automated response\n\n**Tasks:**\n1. **Behavioral Analytics (UEBA):**\n - Deploy UEBA platform (Microsoft Sentinel, Splunk)\n - Establish baseline behavior for users and entities\n - Configure anomaly detection rules\n - Integrate with SIEM for correlation\n\n2. **Continuous Compliance Monitoring:**\n - Deploy CSPM for cloud security posture (Wiz, Orca, Prisma Cloud)\n - Monitor configuration drift from security baselines\n - Automate remediation of common misconfigurations\n - Track compliance against frameworks (CIS, NIST)\n\n3. **Automated Incident Response (SOAR):**\n - Deploy SOAR platform (Splunk SOAR, Cortex XSOAR)\n - Create playbooks for common incidents:\n - Compromised credential → Revoke tokens, force re-auth\n - Malware detection → Isolate endpoint, block IOCs\n - Unusual data access → Alert SOC, increase monitoring\n - Test and refine playbooks\n\n4. **Continuous Verification:**\n - Implement continuous device posture checks\n - Re-authenticate users periodically during long sessions\n - Adjust access based on real-time risk scores\n - Terminate sessions on trust degradation\n\n**Success Metrics:**\n- UEBA operational with baseline established\n- 80%+ incidents automated response\n- Mean time to respond (MTTR) reduced by 50%\n- Continuous compliance monitoring active\n\n---\n\n## Technology Components\n\n### Identity Providers (IdP)\n\n| Provider | Strengths | Use Case |\n|----------|-----------|----------|\n| **Azure AD (Entra ID)** | Microsoft ecosystem integration, Conditional Access | Microsoft-centric organizations |\n| **Okta** | Broad SaaS integration, strong MFA | Multi-cloud, SaaS-heavy |\n| **Auth0** | Developer-friendly, CIAM focus | Customer identity (B2C) |\n| **Ping Identity** | Enterprise scale, legacy integration | Large enterprises, hybrid |\n\n**Key Features:**\n- SSO (SAML, OAuth 2.0, OpenID Connect)\n- MFA (TOTP, push, biometric, FIDO2)\n- Conditional access policies\n- User lifecycle management\n- API access management\n\n---\n\n### Zero Trust Network Access (ZTNA)\n\n| Provider | Approach | Strengths |\n|----------|----------|-----------|\n| **Zscaler Private Access** | Cloud-native proxy | Global PoPs, scalability |\n| **Palo Alto Prisma Access** | SASE (converged ZTNA + CASB + FWaaS) | Comprehensive security |\n| **Cloudflare Access** | Cloudflare network integration | Performance, global reach |\n| **Perimeter 81** | Simplified deployment | SMB-friendly, easy setup |\n\n**ZTNA vs. VPN:**\n\n| Aspect | VPN | ZTNA |\n|--------|-----|------|\n| **Access Model** | Network-level (broad access) | Application-level (granular) |\n| **Trust Model** | Implicit (inside = trusted) | Explicit (verify every request) |\n| **Lateral Movement** | Easy (full network access) | Difficult (app-specific access) |\n| **Device Posture** | Rarely checked | Continuously verified |\n| **User Experience** | VPN client, latency | Transparent, faster |\n\n---\n\n### Micro-Segmentation Tools\n\n**Cloud-Native:**\n- **AWS Security Groups:** Stateful firewall rules for EC2 instances\n- **GCP Firewall Rules:** VPC-level network policies\n- **Azure Network Security Groups:** Subnet and NIC-level firewalls\n- **Kubernetes Network Policies:** Pod-to-pod communication control\n\n**Service Mesh:**\n- **Istio:** Full-featured, complex, sidecar-based\n- **Linkerd:** Lightweight, simple, sidecar-based\n- **Consul Connect:** HashiCorp ecosystem, service registry integration\n\n**Software-Defined Perimeter (SDP):**\n- **Appgate SDP:** Enterprise SDP solution\n- **Cyxtera AppGate:** Cloud and on-premises SDP\n- **Google BeyondCorp:** Google's zero trust implementation\n\n---\n\n### UEBA & Risk Engines\n\n| Platform | Strengths | Integration |\n|----------|-----------|-------------|\n| **Microsoft Sentinel** | Azure ecosystem, AI-driven | Azure AD, Microsoft 365 |\n| **Splunk UEBA** | Advanced ML, customizable | Splunk SIEM |\n| **Exabeam** | Automated threat detection | Multi-SIEM integration |\n| **Securonix** | Big data analytics | Large-scale environments |\n\n**UEBA Use Cases:**\n- Account compromise detection (unusual login patterns)\n- Insider threat detection (data exfiltration, privilege abuse)\n- Lateral movement detection (unusual network connections)\n- Risk scoring for adaptive authentication\n\n---\n\n## Common Patterns\n\n### Pattern 1: ZTNA for Remote Workforce\n\n**Problem:** VPN provides broad network access, enabling lateral movement if compromised.\n\n**Solution:** Replace VPN with ZTNA for application-specific access.\n\n**Implementation:**\n1. Deploy ZTNA gateway (Zscaler, Palo Alto, Cloudflare)\n2. Configure application connectors for each internal application\n3. Define access policies (user roles → specific applications)\n4. Enforce device posture checks before access\n5. Migrate users from VPN to ZTNA (pilot → full rollout)\n6. Decommission VPN\n\n**Benefits:**\n- No network-level access granted\n- Per-application access control\n- Device posture verification\n- Improved user experience (no VPN client)\n\n---\n\n### Pattern 2: Zero Trust for Cloud Workloads\n\n**Problem:** Cloud workloads communicate over network, enabling lateral movement.\n\n**Solution:** Implement service mesh with mutual TLS and policy-based authorization.\n\n**Implementation (Kubernetes + Istio):**\n1. Deploy Istio service mesh to Kubernetes cluster\n2. Enable automatic sidecar injection for all pods\n3. Configure mTLS for all service-to-service communication\n4. Define authorization policies using Istio AuthorizationPolicy:\n ```yaml\n apiVersion: security.istio.io/v1beta1\n kind: AuthorizationPolicy\n metadata:\n name: frontend-to-backend\n spec:\n selector:\n matchLabels:\n app: backend\n action: ALLOW\n rules:\n - from:\n - source:\n principals: [\"cluster.local/ns/default/sa/frontend\"]\n to:\n - operation:\n methods: [\"GET\", \"POST\"]\n ```\n5. Monitor service mesh traffic with Kiali or Grafana\n\n**Benefits:**\n- Encrypted service-to-service communication\n- Identity-based authorization (service accounts)\n- Zero trust between microservices\n- Visibility into east-west traffic\n\n---\n\n### Pattern 3: Adaptive Authentication Based on Risk\n\n**Problem:** Static MFA requirements frustrate users in low-risk scenarios, but weak authentication enables breaches.\n\n**Solution:** Adaptive authentication with risk-based MFA requirements.\n\n**Implementation (Azure AD Conditional Access):**\n1. Define risk signals:\n - High risk: New device, unusual location, known malicious IP\n - Medium risk: After-hours access, risky sign-in\n - Low risk: Known device, typical location, business hours\n\n2. Configure Conditional Access policies:\n - **High risk:** Require MFA + compliant device + block if very high risk\n - **Medium risk:** Require MFA\n - **Low risk:** Allow access (SSO only)\n\n3. Integrate UEBA for behavioral risk scoring\n\n4. Continuously adjust risk scores based on session behavior\n\n**Benefits:**\n- Strong authentication when needed\n- Minimal friction for low-risk access\n- Dynamic security posture\n- Reduced successful attacks\n\n---\n\n### Pattern 4: Just-in-Time (JIT) Privileged Access\n\n**Problem:** Standing admin credentials are high-value targets and increase breach risk.\n\n**Solution:** JIT access with time-bound privilege elevation.\n\n**Implementation (Azure AD Privileged Identity Management):**\n1. Remove all standing admin role assignments\n2. Configure eligible roles (users can activate when needed)\n3. Define activation requirements:\n - MFA required\n - Justification required (ticket number)\n - Approval required for critical roles\n - Time-bound (e.g., 4 hours)\n\n4. Enable session recording for all privileged sessions\n\n5. Alert on all privilege activations\n\n6. Review and audit activation logs regularly\n\n**Benefits:**\n- Reduced attack surface (no standing admin creds)\n- Audit trail of all privileged access\n- Time-limited exposure\n- Justification for compliance\n\n---\n\n## Benefits of Zero Trust Architecture\n\n**Security Benefits:**\n- **Reduced Attack Surface:** No broad network access, application-specific only\n- **Limited Lateral Movement:** Micro-segmentation prevents attackers from spreading\n- **Breach Detection:** Continuous monitoring detects anomalies quickly\n- **Compliance:** Strong access controls and audit trails for regulatory requirements\n\n**Cost Benefits (IBM 2024 Cost of Data Breach Report):**\n- Average savings: $1.76M per breach for organizations with mature Zero Trust\n- Reduced breach detection time (27% faster detection)\n- Reduced breach containment time (33% faster containment)\n\n**Operational Benefits:**\n- **Improved User Experience:** ZTNA eliminates VPN latency and client issues\n- **Cloud-Native:** Aligns with cloud and container architectures\n- **Automation:** Policy-based access reduces manual administration\n- **Visibility:** Comprehensive logging and monitoring across all access\n\n---\n\n## Challenges and Mitigations\n\n### Challenge 1: Complexity of Implementation\n\n**Issue:** Zero Trust requires integrating multiple technologies (IdP, ZTNA, UEBA, SIEM, PAM).\n\n**Mitigation:**\n- Phased approach (12-month roadmap, not \"big bang\")\n- Start with identity foundation (Phase 1)\n- Use cloud-native solutions where possible (reduce on-premises complexity)\n- Consider SASE platforms for converged security (Zscaler, Palo Alto Prisma)\n\n---\n\n### Challenge 2: Legacy System Integration\n\n**Issue:** Legacy applications may not support modern authentication (SAML, OAuth).\n\n**Mitigation:**\n- Use reverse proxies with authentication injection (NGINX, Envoy)\n- Deploy privileged access gateways for legacy protocols (RDP, SSH)\n- Plan modernization or replacement of unsupportable legacy systems\n- Segment legacy systems with strict network policies\n\n---\n\n### Challenge 3: User Experience Impact\n\n**Issue:** Frequent authentication and access checks can frustrate users.\n\n**Mitigation:**\n- Implement adaptive authentication (MFA only when risk warrants)\n- Use SSO to minimize authentication prompts\n- Deploy passwordless authentication (FIDO2, biometrics)\n- Transparent ZTNA (no VPN client, seamless access)\n\n---\n\n### Challenge 4: Cultural Resistance\n\n**Issue:** Users and IT staff may resist change from traditional VPN/perimeter model.\n\n**Mitigation:**\n- Executive sponsorship and communication of security benefits\n- Pilot programs with early adopters\n- Training and documentation for IT staff and users\n- Demonstrate improved user experience (faster access, no VPN)\n\n---\n\n## Summary\n\nZero Trust Architecture shifts from perimeter-based security to identity-based continuous verification. Implement in phases over 12 months: Foundation (identity, visibility) → Access Controls (least privilege, PAM) → Micro-Segmentation (ZTNA, service mesh) → Monitoring & Automation (UEBA, SOAR).\n\nKey technologies: IdP (Azure AD, Okta), ZTNA (Zscaler, Palo Alto, Cloudflare), Service Mesh (Istio, Linkerd), UEBA (Microsoft Sentinel, Splunk), PAM (CyberArk, HashiCorp Vault).\n\nPrimary benefit: Reduced breach impact through limited lateral movement, continuous verification, and rapid detection.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":23355,"content_sha256":"be77060fddd60a595e358c8da45ecc5c50b5b15a499cdf99a7e9dfac8365b8fd"},{"filename":"scripts/security-checklist.sh","content":"#!/bin/bash\n\n# Security Architecture Checklist\n# Automated checklist for security architecture review\n\nset -euo pipefail\n\nRED='\\033[0;31m'\nGREEN='\\033[0;32m'\nYELLOW='\\033[1;33m'\nNC='\\033[0m' # No Color\n\necho \"=========================================\"\necho \"Security Architecture Checklist\"\necho \"=========================================\"\necho \"\"\n\n# Function to check with user\ncheck_item() {\n local category=\"$1\"\n local item=\"$2\"\n echo -e \"${YELLOW}[$category]${NC} $item\"\n read -p \" Implemented? (y/n): \" response\n if [[ \"$response\" =~ ^[Yy]$ ]]; then\n echo -e \" ${GREEN}✓ Complete${NC}\"\n return 0\n else\n echo -e \" ${RED}✗ Not Implemented${NC}\"\n return 1\n fi\n}\n\ntotal=0\ncomplete=0\n\necho \"=== DEFENSE IN DEPTH LAYERS ===\"\necho \"\"\n\n# Layer 2: Network Perimeter\n((total++))\nif check_item \"Layer 2\" \"Next-gen firewall (NGFW) deployed?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 2\" \"Web Application Firewall (WAF) configured?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 2\" \"DDoS protection enabled?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 3: Network Segmentation\n((total++))\nif check_item \"Layer 3\" \"Network segmented into zones (DMZ, Web, App, Data)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 3\" \"Security groups/NACLs configured with least privilege?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 4: Endpoint Protection\n((total++))\nif check_item \"Layer 4\" \"Endpoint Detection & Response (EDR) deployed?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 4\" \"Patch management automated?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 4\" \"Full-disk encryption enabled on endpoints?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 5: Application Security\n((total++))\nif check_item \"Layer 5\" \"SAST/DAST integrated in CI/CD?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 5\" \"Input validation on all user inputs?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 5\" \"Parameterized queries used (no raw SQL)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 5\" \"Dependency scanning enabled (SCA)?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 6: Data Security\n((total++))\nif check_item \"Layer 6\" \"Data encrypted at rest (AES-256)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 6\" \"Data encrypted in transit (TLS 1.3)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 6\" \"Key management system deployed (KMS/HSM)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 6\" \"Backup and recovery tested (3-2-1 rule)?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 7: Identity & Access Management\n((total++))\nif check_item \"Layer 7\" \"Multi-factor authentication (MFA) enforced for all users?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 7\" \"Single Sign-On (SSO) deployed?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 7\" \"Role-based access control (RBAC) implemented?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 7\" \"Privileged access management (PAM) with JIT access?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 7\" \"Standing admin credentials removed?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 8: Behavioral Analytics\n((total++))\nif check_item \"Layer 8\" \"User & Entity Behavior Analytics (UEBA) deployed?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 8\" \"Anomaly detection configured?\"; then ((complete++)); fi\n\necho \"\"\n\n# Layer 9: Security Operations\n((total++))\nif check_item \"Layer 9\" \"SIEM deployed and collecting logs?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 9\" \"Incident response plan documented and tested?\"; then ((complete++)); fi\n((total++))\nif check_item \"Layer 9\" \"Security monitoring 24/7 or managed SOC?\"; then ((complete++)); fi\n\necho \"\"\necho \"=== ZERO TRUST ARCHITECTURE ===\"\necho \"\"\n\n((total++))\nif check_item \"ZTA\" \"Identity provider (IdP) with SSO deployed?\"; then ((complete++)); fi\n((total++))\nif check_item \"ZTA\" \"Device posture checks before access?\"; then ((complete++)); fi\n((total++))\nif check_item \"ZTA\" \"Micro-segmentation implemented for critical assets?\"; then ((complete++)); fi\n((total++))\nif check_item \"ZTA\" \"ZTNA deployed (replacing VPN)?\"; then ((complete++)); fi\n((total++))\nif check_item \"ZTA\" \"Continuous verification and monitoring?\"; then ((complete++)); fi\n\necho \"\"\necho \"=== THREAT MODELING ===\"\necho \"\"\n\n((total++))\nif check_item \"Threat Model\" \"Threat model created for critical applications?\"; then ((complete++)); fi\n((total++))\nif check_item \"Threat Model\" \"STRIDE or PASTA methodology used?\"; then ((complete++)); fi\n((total++))\nif check_item \"Threat Model\" \"Threats prioritized by risk (DREAD scoring)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Threat Model\" \"Mitigations designed and implemented?\"; then ((complete++)); fi\n\necho \"\"\necho \"=== SUPPLY CHAIN SECURITY ===\"\necho \"\"\n\n((total++))\nif check_item \"Supply Chain\" \"SBOM generated for all applications?\"; then ((complete++)); fi\n((total++))\nif check_item \"Supply Chain\" \"Dependency scanning in CI/CD?\"; then ((complete++)); fi\n((total++))\nif check_item \"Supply Chain\" \"SLSA Level 2+ achieved (hosted build platform)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Supply Chain\" \"Automated dependency updates (security patches)?\"; then ((complete++)); fi\n\necho \"\"\necho \"=== COMPLIANCE FRAMEWORKS ===\"\necho \"\"\n\n((total++))\nif check_item \"Compliance\" \"Controls mapped to framework (NIST CSF, CIS Controls, ISO 27001)?\"; then ((complete++)); fi\n((total++))\nif check_item \"Compliance\" \"Security policies documented and approved?\"; then ((complete++)); fi\n((total++))\nif check_item \"Compliance\" \"Regular security audits conducted?\"; then ((complete++)); fi\n\necho \"\"\necho \"=========================================\"\necho \"RESULTS\"\necho \"=========================================\"\n\npercentage=$((complete * 100 / total))\n\necho \"\"\necho \"Total Items: $total\"\necho \"Completed: $complete\"\necho \"Percentage: ${percentage}%\"\necho \"\"\n\nif [ $percentage -ge 90 ]; then\n echo -e \"${GREEN}✓ Excellent security posture!${NC}\"\nelif [ $percentage -ge 70 ]; then\n echo -e \"${YELLOW}⚠ Good security posture, some improvements needed.${NC}\"\nelif [ $percentage -ge 50 ]; then\n echo -e \"${YELLOW}⚠ Moderate security posture, significant gaps exist.${NC}\"\nelse\n echo -e \"${RED}✗ Poor security posture, immediate action required!${NC}\"\nfi\n\necho \"\"\necho \"=========================================\"\n","content_type":"application/x-sh; charset=utf-8","language":"bash","size":6465,"content_sha256":"e8a086fc7a4d5c398e83062db095de4e2a2e2836eadeaef0bb10ecdf61a2991a"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Security Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Design and implement comprehensive security architectures that protect systems, data, and users through layered defense strategies, zero trust principles, and risk-based security controls.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Purpose","type":"text"}]},{"type":"paragraph","content":[{"text":"Security architecture provides the strategic foundation for building resilient, compliant, and trustworthy systems. This skill guides the design of defense-in-depth layers, zero trust implementations, threat modeling methodologies, and mapping to control frameworks (NIST CSF, CIS Controls, ISO 27001).","type":"text"}]},{"type":"paragraph","content":[{"text":"Unlike tactical security skills (configuring firewalls, implementing authentication, scanning vulnerabilities), security architecture focuses on strategic planning, comprehensive defense strategies, and governance frameworks.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use This Skill","type":"text"}]},{"type":"paragraph","content":[{"text":"Use security architecture when:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Designing security for greenfield systems (new applications, cloud migrations)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Conducting security audits or risk assessments of existing systems","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implementing zero trust architecture across enterprise environments","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Establishing security governance programs and compliance frameworks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Threat modeling applications, APIs, or microservices architectures","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Selecting and mapping security controls to regulatory requirements (SOC 2, HIPAA, PCI DSS)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Designing cloud security architectures (AWS, GCP, Azure multi-account strategies)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Addressing supply chain security (SLSA framework, SBOM implementation)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Security Architecture Principles","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"1. Defense in Depth","type":"text"}]},{"type":"paragraph","content":[{"text":"Implement multiple independent layers of security controls so that if one layer fails, others continue to protect critical assets.","type":"text"}]},{"type":"paragraph","content":[{"text":"9 Defense Layers (2025 Model):","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Physical Security:","type":"text","marks":[{"type":"strong"}]},{"text":" Data center access, environmental controls, hardware security modules (HSMs)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network Perimeter:","type":"text","marks":[{"type":"strong"}]},{"text":" Next-gen firewalls (NGFW), DDoS protection, web application firewalls (WAF)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network Segmentation:","type":"text","marks":[{"type":"strong"}]},{"text":" VLANs, VPCs, security groups, micro-segmentation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Endpoint Protection:","type":"text","marks":[{"type":"strong"}]},{"text":" EDR, antivirus, device encryption, patch management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Application Layer:","type":"text","marks":[{"type":"strong"}]},{"text":" Secure coding, WAF, API security, SAST/DAST scanning","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data Layer:","type":"text","marks":[{"type":"strong"}]},{"text":" Encryption (at-rest, in-transit, in-use), DLP, backup/recovery","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identity & Access Management:","type":"text","marks":[{"type":"strong"}]},{"text":" MFA, SSO, RBAC/ABAC, privileged access management (PAM)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Behavioral Analytics:","type":"text","marks":[{"type":"strong"}]},{"text":" UEBA, ML-based anomaly detection, threat intelligence","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security Operations:","type":"text","marks":[{"type":"strong"}]},{"text":" SIEM, SOAR, incident response, continuous monitoring","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Key Principle:","type":"text","marks":[{"type":"strong"}]},{"text":" Each layer provides independent protection. Failure of one layer does not compromise the entire system.","type":"text"}]},{"type":"paragraph","content":[{"text":"For detailed layer-by-layer implementation patterns, see ","type":"text"},{"text":"references/defense-in-depth.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"2. Zero Trust Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Implement \"never trust, always verify\" principles where every access request is authenticated, authorized, and continuously validated.","type":"text"}]},{"type":"paragraph","content":[{"text":"Core Zero Trust Principles:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Continuous Verification:","type":"text","marks":[{"type":"strong"}]},{"text":" Authenticate and authorize every access request (no implicit trust)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Least Privilege Access:","type":"text","marks":[{"type":"strong"}]},{"text":" Grant minimal permissions required, use just-in-time (JIT) access","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Assume Breach:","type":"text","marks":[{"type":"strong"}]},{"text":" Design systems expecting compromise, limit blast radius","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Explicit Verification:","type":"text","marks":[{"type":"strong"}]},{"text":" Verify user identity (MFA), device health, application integrity, context (location, time, behavior)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Micro-Segmentation:","type":"text","marks":[{"type":"strong"}]},{"text":" Divide networks into small isolated zones, control east-west traffic","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Zero Trust Architecture Components:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Policy Engine:","type":"text","marks":[{"type":"strong"}]},{"text":" Centralized authorization decision point (allow/deny)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identity Provider (IdP):","type":"text","marks":[{"type":"strong"}]},{"text":" User/machine identity verification (Azure AD, Okta)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Device Posture Service:","type":"text","marks":[{"type":"strong"}]},{"text":" Device health checks (MDM, EDR integration)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Context/Risk Engine:","type":"text","marks":[{"type":"strong"}]},{"text":" Behavioral analytics, location, time, threat intelligence","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Policy Enforcement Points:","type":"text","marks":[{"type":"strong"}]},{"text":" Gateways enforcing decisions (ZTNA, API gateways)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For zero trust implementation roadmap and reference architecture, see ","type":"text"},{"text":"references/zero-trust-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"3. Threat Modeling","type":"text"}]},{"type":"paragraph","content":[{"text":"Systematically identify, prioritize, and mitigate security threats through structured methodologies.","type":"text"}]},{"type":"paragraph","content":[{"text":"Primary Methodologies:","type":"text","marks":[{"type":"strong"}]}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Methodology","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Purpose","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Complexity","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Best For","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"STRIDE","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Threat identification","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Low","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Development teams, quick threat analysis","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PASTA","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk-centric analysis","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"High","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Enterprise risk management","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DREAD","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk scoring","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Low","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Prioritizing existing threats","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Attack Trees","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Visual threat analysis","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Medium","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security architecture reviews","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"STRIDE Threat Categories:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"S","type":"text","marks":[{"type":"strong"}]},{"text":"poofing: Attacker impersonates another user/system (Mitigation: MFA, certificate validation)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"T","type":"text","marks":[{"type":"strong"}]},{"text":"ampering: Unauthorized data modification (Mitigation: Encryption, digital signatures)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"R","type":"text","marks":[{"type":"strong"}]},{"text":"epudiation: User denies action without proof (Mitigation: Audit logs, non-repudiation)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"I","type":"text","marks":[{"type":"strong"}]},{"text":"nformation Disclosure: Confidential data exposure (Mitigation: Encryption, access controls, DLP)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"D","type":"text","marks":[{"type":"strong"}]},{"text":"enial of Service: System unavailability (Mitigation: Rate limiting, DDoS protection, redundancy)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"E","type":"text","marks":[{"type":"strong"}]},{"text":"levation of Privilege: Gaining higher privileges (Mitigation: Least privilege, input validation, patching)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"STRIDE Application Process:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Model the system using data flow diagrams (DFDs)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify threats by applying STRIDE to each component/data flow","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document threats with STRIDE categories","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Prioritize threats using DREAD scoring or business impact","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Design mitigation controls","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For detailed threat modeling methodologies, PASTA process, DREAD scoring, and attack trees, see ","type":"text"},{"text":"references/threat-modeling.md","type":"text","marks":[{"type":"code_inline"}]},{"text":". For threat modeling examples, see ","type":"text"},{"text":"examples/threat-models/","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Control Frameworks","type":"text"}]},{"type":"paragraph","content":[{"text":"Map security controls to industry frameworks to ensure comprehensive coverage and compliance.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"NIST Cybersecurity Framework (CSF) 2.0","type":"text"}]},{"type":"paragraph","content":[{"text":"6 Core Functions:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GOVERN (GV):","type":"text","marks":[{"type":"strong"}]},{"text":" Risk management strategy, policies, supply chain risk management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IDENTIFY (ID):","type":"text","marks":[{"type":"strong"}]},{"text":" Asset inventory, risk assessment, continuous improvement","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PROTECT (PR):","type":"text","marks":[{"type":"strong"}]},{"text":" Access control, data security, platform security, infrastructure resilience","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"DETECT (DE):","type":"text","marks":[{"type":"strong"}]},{"text":" Continuous monitoring, anomaly detection, security event analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"RESPOND (RS):","type":"text","marks":[{"type":"strong"}]},{"text":" Incident management, analysis, communication, mitigation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"RECOVER (RC):","type":"text","marks":[{"type":"strong"}]},{"text":" Recovery planning, execution, post-incident improvement","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Usage:","type":"text","marks":[{"type":"strong"}]},{"text":" Map security controls to NIST CSF categories to ensure coverage of all security functions. Provides risk-based, flexible framework for security programs.","type":"text"}]},{"type":"paragraph","content":[{"text":"For detailed NIST CSF category mapping and subcategories, see ","type":"text"},{"text":"references/nist-csf-mapping.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"CIS Critical Security Controls v8","type":"text"}]},{"type":"paragraph","content":[{"text":"18 Controls organized in 3 Implementation Groups:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IG1 (Basic):","type":"text","marks":[{"type":"strong"}]},{"text":" 56 safeguards for small organizations (asset inventory, access control, logging, backups)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IG2 (Intermediate):","type":"text","marks":[{"type":"strong"}]},{"text":" +74 safeguards for mid-sized organizations with IT security staff","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IG3 (Advanced):","type":"text","marks":[{"type":"strong"}]},{"text":" +23 safeguards for large enterprises with dedicated security teams","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Top Priority Controls (IG1):","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Inventory and Control of Enterprise Assets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Inventory and Control of Software Assets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data Protection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Secure Configuration of Enterprise Assets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Account Management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access Control Management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Continuous Vulnerability Management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit Log Management","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Usage:","type":"text","marks":[{"type":"strong"}]},{"text":" CIS Controls provide prescriptive, measurable security baseline. Start with IG1, progress to IG2/IG3 as security maturity increases.","type":"text"}]},{"type":"paragraph","content":[{"text":"For detailed CIS Controls implementation guidance, see ","type":"text"},{"text":"references/cis-controls.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"OWASP Top 10 Risk Mitigation","type":"text"}]},{"type":"paragraph","content":[{"text":"Map OWASP Top 10 application security risks to architectural controls:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"OWASP Risk","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Primary Control","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Framework Mapping","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Injection","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Parameterized queries, input validation","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.DS, CIS 16","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Broken Authentication","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MFA, secure session management","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.AC, CIS 5, 6","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Sensitive Data Exposure","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Encryption, key management","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.DS, CIS 3","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"XXE","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Disable external entities, use JSON","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.DS, CIS 16","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Broken Access Control","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Authorization checks, RBAC","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.AC, CIS 6","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security Misconfiguration","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Hardening, minimal configs","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.IP, CIS 4","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"XSS","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Output encoding, CSP","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.DS, CIS 16","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Insecure Deserialization","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Validate objects, safe formats","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST PR.DS, CIS 16","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Known Vulnerabilities","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Patch management, SBOM","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST ID.RA, CIS 7","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Logging & Monitoring","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SIEM, centralized logging","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST DE.CM, CIS 8","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"For detailed OWASP Top 10 mitigation strategies and code examples, see ","type":"text"},{"text":"references/owasp-top10-mitigation.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Architecture Selection Decision Framework","type":"text"}]},{"type":"paragraph","content":[{"text":"Select appropriate security architecture approach based on system characteristics:","type":"text"}]},{"type":"paragraph","content":[{"text":"Greenfield (New System):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implement Zero Trust from Day 1","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identity-first architecture (MFA, SSO, RBAC/ABAC)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Micro-segmentation by default","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Assume breach mentality (limit blast radius)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Continuous verification and monitoring","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Brownfield (Existing System):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Hybrid: Maintain Defense in Depth + Zero Trust overlay","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Keep existing perimeter controls (firewalls, VPN)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Layer Zero Trust controls progressively","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Segment critical assets first (data, admin access)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Modernize identity and access management","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Compliance-Driven:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Map to control frameworks based on requirements:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"General Security:","type":"text","marks":[{"type":"strong"}]},{"text":" NIST CSF for risk-based approach","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Baseline Hardening:","type":"text","marks":[{"type":"strong"}]},{"text":" CIS Controls for prescriptive guidance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Comprehensive ISMS:","type":"text","marks":[{"type":"strong"}]},{"text":" ISO 27001 for certification","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Industry-Specific:","type":"text","marks":[{"type":"strong"}]},{"text":" PCI DSS (payments), HIPAA Security Rule (healthcare), FedRAMP (government)","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Cloud-Native:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use cloud provider reference architectures:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AWS:","type":"text","marks":[{"type":"strong"}]},{"text":" Well-Architected Framework (Security Pillar)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GCP:","type":"text","marks":[{"type":"strong"}]},{"text":" Security Best Practices, Security Command Center","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Azure:","type":"text","marks":[{"type":"strong"}]},{"text":" Security Benchmark, Defender for Cloud","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implement cloud-native security services (CSPM, CWPP)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Hybrid/Multi-Cloud:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cloud Security Posture Management (CSPM) for unified policy enforcement","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cross-cloud visibility and monitoring","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cloud-agnostic IAM (Okta, Azure AD)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For detailed architecture selection decision trees, see ","type":"text"},{"text":"references/defense-in-depth.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"references/zero-trust-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Supply Chain Security","type":"text"}]},{"type":"paragraph","content":[{"text":"Protect software supply chain from tampering, backdoors, and compromised dependencies.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SLSA Framework","type":"text"}]},{"type":"paragraph","content":[{"text":"Supply-chain Levels for Software Artifacts (4 levels):","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SLSA Level 1 - Provenance:","type":"text","marks":[{"type":"strong"}]},{"text":" Build process generates provenance metadata (not tamper-proof)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SLSA Level 2 - Hosted Build:","type":"text","marks":[{"type":"strong"}]},{"text":" Build on trusted platform (GitHub Actions, Cloud Build)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SLSA Level 3 - Hardened Build:","type":"text","marks":[{"type":"strong"}]},{"text":" Build platform prevents tampering, audit logs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SLSA Level 4 - Hermetic, Reproducible:","type":"text","marks":[{"type":"strong"}]},{"text":" Fully hermetic builds, reproducible, two-party review","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Implementation:","type":"text","marks":[{"type":"strong"}]},{"text":" Start with Level 1 provenance generation, progress to Level 2 (GitHub Actions), then Level 3 (hardened CI/CD with audit logs).","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SBOM (Software Bill of Materials)","type":"text"}]},{"type":"paragraph","content":[{"text":"Generate and maintain inventory of software components and dependencies.","type":"text"}]},{"type":"paragraph","content":[{"text":"SBOM Standards:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CycloneDX:","type":"text","marks":[{"type":"strong"}]},{"text":" OWASP standard (JSON/XML format)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SPDX:","type":"text","marks":[{"type":"strong"}]},{"text":" Linux Foundation standard","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SWID:","type":"text","marks":[{"type":"strong"}]},{"text":" ISO/IEC 19770-2 standard","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"SBOM Use Cases:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Vulnerability Management: Quickly identify affected components during CVE disclosures","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"License Compliance: Track open-source licenses for legal compliance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Supply Chain Risk: Visibility into third-party code and dependencies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Incident Response: Rapid assessment of Log4Shell-type incidents","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Dependency Management Best Practices:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Generate SBOM automatically in CI/CD pipeline","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Continuous scanning with tools (Dependabot, Snyk, Trivy, Grype)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Automated security patch updates","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"License compliance tracking and approval workflows","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pin dependency versions using lock files","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Minimize dependencies to reduce attack surface","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For SLSA implementation guide, SBOM generation examples, and dependency scanning automation, see ","type":"text"},{"text":"references/supply-chain-security.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Cloud Security Architecture Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"AWS Security Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Well-Architected Framework - Security Pillar Principles:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Strong identity foundation:","type":"text","marks":[{"type":"strong"}]},{"text":" Centralize IAM, least privilege, IAM Identity Center (SSO)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable traceability:","type":"text","marks":[{"type":"strong"}]},{"text":" CloudTrail, GuardDuty, Security Hub for comprehensive logging","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Apply security at all layers:","type":"text","marks":[{"type":"strong"}]},{"text":" Defense in depth across VPC, instances, applications, data","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Automate security best practices:","type":"text","marks":[{"type":"strong"}]},{"text":" Infrastructure as Code (Terraform, CloudFormation)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Protect data in transit and at rest:","type":"text","marks":[{"type":"strong"}]},{"text":" TLS 1.3, AWS KMS, encryption everywhere","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Key AWS Security Services:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IAM:","type":"text","marks":[{"type":"strong"}]},{"text":" AWS IAM, IAM Identity Center (SSO), Cognito (customer identity)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detection:","type":"text","marks":[{"type":"strong"}]},{"text":" GuardDuty (threat detection), Security Hub (centralized findings), Detective (investigation)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network:","type":"text","marks":[{"type":"strong"}]},{"text":" AWS WAF, Shield (DDoS), Network Firewall","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data:","type":"text","marks":[{"type":"strong"}]},{"text":" KMS (key management), Secrets Manager, Macie (data classification)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compute:","type":"text","marks":[{"type":"strong"}]},{"text":" Systems Manager (patch management), Inspector (vulnerability scanning)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Multi-Account Strategy:","type":"text","marks":[{"type":"strong"}]},{"text":" Use AWS Organizations with Security OU (Security Account, Logging Account, Audit Account) and Workload OUs (Production, Non-Production). Apply Service Control Policies (SCPs) for guardrails.","type":"text"}]},{"type":"paragraph","content":[{"text":"For AWS reference architectures and multi-account security setup, see ","type":"text"},{"text":"references/aws-security-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"examples/architectures/aws-multi-account-security.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"GCP Security Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Key GCP Security Services:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IAM:","type":"text","marks":[{"type":"strong"}]},{"text":" Cloud IAM, Identity Platform (customer identity), Cloud Identity (workforce)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detection:","type":"text","marks":[{"type":"strong"}]},{"text":" Security Command Center (unified dashboard), Chronicle (SIEM), Event Threat Detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network:","type":"text","marks":[{"type":"strong"}]},{"text":" Cloud Armor (DDoS/WAF), VPC Service Controls (data exfiltration prevention), Cloud Firewall","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data:","type":"text","marks":[{"type":"strong"}]},{"text":" Cloud KMS, Secret Manager, Cloud DLP (data loss prevention)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compute:","type":"text","marks":[{"type":"strong"}]},{"text":" Binary Authorization (image signing), Confidential Computing (encryption in use)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Organization Hierarchy:","type":"text","marks":[{"type":"strong"}]},{"text":" Structure with Organization → Folders (Production, Non-Production, Security) → Projects. Apply IAM policies at folder level for inheritance.","type":"text"}]},{"type":"paragraph","content":[{"text":"For GCP security architecture patterns and organization setup, see ","type":"text"},{"text":"references/gcp-security-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"examples/architectures/gcp-security-hierarchy.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Azure Security Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Key Azure Security Services:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"IAM:","type":"text","marks":[{"type":"strong"}]},{"text":" Azure AD (Entra ID), Privileged Identity Management (JIT access), Conditional Access","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detection:","type":"text","marks":[{"type":"strong"}]},{"text":" Microsoft Defender for Cloud (CSPM/CWPP), Sentinel (SIEM/SOAR), Azure Monitor","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network:","type":"text","marks":[{"type":"strong"}]},{"text":" Azure Firewall, Front Door + WAF, DDoS Protection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Data:","type":"text","marks":[{"type":"strong"}]},{"text":" Key Vault (secrets, keys, certificates), Information Protection (DLP), Storage encryption","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compute:","type":"text","marks":[{"type":"strong"}]},{"text":" Just-in-Time VM Access, Azure Policy (compliance enforcement)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Hub-Spoke Landing Zone:","type":"text","marks":[{"type":"strong"}]},{"text":" Implement hub VNet (shared services: firewall, VPN, Azure Bastion) with spoke VNets (workloads). Use Management Groups for policy hierarchy.","type":"text"}]},{"type":"paragraph","content":[{"text":"For Azure security architecture and hub-spoke design, see ","type":"text"},{"text":"references/azure-security-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"examples/architectures/azure-landing-zone.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Identity & Access Management Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Authentication Controls","type":"text"}]},{"type":"paragraph","content":[{"text":"Multi-Factor Authentication (MFA):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Types:","type":"text","marks":[{"type":"strong"}]},{"text":" TOTP (time-based one-time passwords), push notifications, biometrics, hardware tokens (YubiKey, FIDO2)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enforcement:","type":"text","marks":[{"type":"strong"}]},{"text":" Require MFA for all users (workforce and customers), especially privileged accounts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Passwordless:","type":"text","marks":[{"type":"strong"}]},{"text":" Transition to WebAuthn, FIDO2, passkeys to eliminate password-based attacks","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Single Sign-On (SSO):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Protocols:","type":"text","marks":[{"type":"strong"}]},{"text":" SAML 2.0, OAuth 2.0, OpenID Connect (OIDC)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Benefits:","type":"text","marks":[{"type":"strong"}]},{"text":" Centralized authentication, reduced password fatigue, improved security posture","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implementation:","type":"text","marks":[{"type":"strong"}]},{"text":" Azure AD, Okta, Auth0, Ping Identity","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Authorization Controls","type":"text"}]},{"type":"paragraph","content":[{"text":"Role-Based Access Control (RBAC):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Users assigned to roles, roles have permissions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Coarse-grained, simple to implement","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Best for: Organizations with stable role structures","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Attribute-Based Access Control (ABAC):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Fine-grained access based on attributes (user department, resource classification, time, location)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"More flexible than RBAC","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Best for: Complex, dynamic access requirements","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Policy-Based Access Control (PBAC):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Centralized policy engines (Open Policy Agent - OPA, AWS Cedar)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Policies defined declaratively and versioned","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Best for: Microservices, API gateways, cloud-native architectures","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Privileged Access Management (PAM)","type":"text"}]},{"type":"paragraph","content":[{"text":"Just-in-Time (JIT) Access:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Temporary elevated privileges for specific tasks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Time-bound access grants (e.g., 4 hours)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Reduces standing privileged access","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Credential Vaulting:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Centralized storage of privileged credentials (CyberArk, HashiCorp Vault, Azure Key Vault)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Automatic password rotation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Session recording and auditing","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For detailed IAM implementation patterns, MFA configuration, and PAM setup, see ","type":"text"},{"text":"references/iam-patterns.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Monitoring & Operations","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SIEM (Security Information & Event Management)","type":"text"}]},{"type":"paragraph","content":[{"text":"Centralize log aggregation, correlation, and alerting for security events.","type":"text"}]},{"type":"paragraph","content":[{"text":"Leading SIEM Platforms:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Splunk, Elastic Security, Microsoft Sentinel, Chronicle","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"SIEM Architecture:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Log Collection:","type":"text","marks":[{"type":"strong"}]},{"text":" Ingest logs from all layers (network, endpoints, applications, cloud)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Normalization:","type":"text","marks":[{"type":"strong"}]},{"text":" Standardize log formats for correlation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Correlation:","type":"text","marks":[{"type":"strong"}]},{"text":" Apply rules to detect patterns (failed logins → brute force attack)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Alerting:","type":"text","marks":[{"type":"strong"}]},{"text":" Notify SOC team of high-priority events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Investigation:","type":"text","marks":[{"type":"strong"}]},{"text":" Provide search and visualization for incident analysis","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SOAR (Security Orchestration, Automation & Response)","type":"text"}]},{"type":"paragraph","content":[{"text":"Automate incident response workflows to reduce mean time to respond (MTTR).","type":"text"}]},{"type":"paragraph","content":[{"text":"SOAR Capabilities:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Playbooks:","type":"text","marks":[{"type":"strong"}]},{"text":" Automated response workflows (block IP, quarantine endpoint, revoke credentials)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Orchestration:","type":"text","marks":[{"type":"strong"}]},{"text":" Integrate with security tools (SIEM, EDR, firewall, IAM)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Case Management:","type":"text","marks":[{"type":"strong"}]},{"text":" Track incidents, assign to analysts, document resolution","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Leading SOAR Platforms:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Splunk SOAR, Palo Alto Cortex XSOAR, IBM Resilient","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Detection Strategies","type":"text"}]},{"type":"paragraph","content":[{"text":"UEBA (User & Entity Behavior Analytics):","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Machine learning-based anomaly detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detects: Account compromise, insider threats, data exfiltration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Baseline normal behavior, alert on deviations","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Threat Intelligence:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Integrate threat feeds (MISP, ThreatConnect, ISACs)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enrich alerts with threat context (known malicious IPs, IOCs)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proactive threat hunting using TTPs (MITRE ATT&CK framework)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For SIEM architecture, SOAR playbook examples, and detection strategies, see ","type":"text"},{"text":"references/security-operations.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Reference: Control Framework Mapping","type":"text"}]},{"type":"paragraph","content":[{"text":"Use this table to map risks to appropriate control frameworks:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Risk/Requirement","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Framework","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Key Controls","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"General security program","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST CSF 2.0","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"All 6 functions (GV, ID, PR, DE, RS, RC)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Compliance baseline","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CIS Controls v8","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"IG1: Controls 1-18 (56 safeguards)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ISO certification","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ISO 27001/27002","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"114 controls across 14 domains","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Application security","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"OWASP ASVS","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"286 security requirements (3 levels)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cloud security (AWS)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"AWS Well-Architected","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security Pillar: 10 design principles","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cloud security (GCP)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"GCP Security Best Practices","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Security Command Center architecture","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cloud security (Azure)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Azure Security Benchmark","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Defender for Cloud controls","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Supply chain security","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SLSA + SBOM","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Level 2+ SLSA, CycloneDX SBOM","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Zero trust architecture","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST SP 800-207","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ZTA tenets, deployment models","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Privacy/GDPR","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"NIST Privacy Framework","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Privacy engineering objectives","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration with Related Skills","type":"text"}]},{"type":"paragraph","content":[{"text":"Security architecture provides the strategic foundation for tactical security implementations:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"infrastructure-as-code","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Implement security architecture as code (secure defaults, hardening)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"kubernetes-operations","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Apply K8s security architecture (RBAC, Pod Security, Network Policies)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"secret-management","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Architect secrets management (KMS, Vault, rotation strategies)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"building-ci-pipelines","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Secure CI/CD architecture (SAST/DAST integration, artifact signing)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"configuring-firewalls","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Implement network perimeter layer of defense-in-depth","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"vulnerability-management","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Integrate vulnerability scanning into security architecture","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"auth-security","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Implement IAM layer details (MFA, RBAC/ABAC, session management)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"siem-logging","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Implement security monitoring architecture (SIEM, log aggregation)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"compliance-frameworks","type":"text","marks":[{"type":"code_inline"},{"type":"strong"}]},{"text":":","type":"text","marks":[{"type":"strong"}]},{"text":" Map security architecture to compliance requirements","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Security Architecture Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 1: Zero Trust Network Access (ZTNA)","type":"text"}]},{"type":"paragraph","content":[{"text":"Replace VPN with identity-based access to applications.","type":"text"}]},{"type":"paragraph","content":[{"text":"Architecture:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"User authenticates to identity provider (Azure AD, Okta)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Device posture check validates device health","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Policy engine evaluates access request (user, device, context)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access granted through secure connector (no network access)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Benefits:","type":"text","marks":[{"type":"strong"}]},{"text":" Eliminates lateral movement, reduces attack surface, improves user experience","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 2: Defense in Depth for Web Applications","type":"text"}]},{"type":"paragraph","content":[{"text":"Layer multiple security controls for web application protection.","type":"text"}]},{"type":"paragraph","content":[{"text":"Layers:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"DDoS Protection (Cloudflare, AWS Shield)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"WAF (application firewall, OWASP Top 10 rules)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"API Gateway (authentication, rate limiting)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Application Security (SAST/DAST, secure coding)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Database Security (encryption, least privilege)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Logging & Monitoring (SIEM, anomaly detection)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 3: Cloud Security Posture Management (CSPM)","type":"text"}]},{"type":"paragraph","content":[{"text":"Continuously monitor and enforce security configurations across cloud environments.","type":"text"}]},{"type":"paragraph","content":[{"text":"Architecture:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Asset Discovery: Inventory all cloud resources","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configuration Assessment: Compare against security baselines (CIS Benchmarks)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compliance Monitoring: Track regulatory compliance (SOC 2, ISO 27001)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Remediation: Automated fixes or guided workflows","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Drift Detection: Alert on configuration changes","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Leading CSPM Tools:","type":"text","marks":[{"type":"strong"}]},{"text":" Wiz, Orca Security, Prisma Cloud, Microsoft Defender for Cloud","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Resources and References","type":"text"}]},{"type":"paragraph","content":[{"text":"Defense in Depth:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/defense-in-depth.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - 9-layer defense model, implementation patterns, failure impact analysis","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Zero Trust Architecture:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/zero-trust-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - ZTA principles, reference architecture, implementation roadmap","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Threat Modeling:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/threat-modeling.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - STRIDE, PASTA, DREAD, Attack Trees methodologies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/threat-models/web-app-stride.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Web application STRIDE analysis example","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/threat-models/api-threat-model.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - REST API threat model example","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/threat-models/microservices-threat-model.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Microservices threat model example","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Control Frameworks:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/nist-csf-mapping.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - NIST CSF 2.0 functions, categories, subcategories","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/cis-controls.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - CIS Controls v8, implementation groups, safeguards","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/owasp-top10-mitigation.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - OWASP Top 10 risks and mitigation strategies","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Supply Chain Security:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/supply-chain-security.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - SLSA framework, SBOM generation, dependency scanning","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Cloud Security:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/aws-security-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - AWS Well-Architected Security Pillar, services, patterns","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/gcp-security-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - GCP Security Best Practices, services, organization design","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/azure-security-architecture.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Azure Security Benchmark, Defender for Cloud, landing zones","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"IAM & Operations:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/iam-patterns.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Authentication, authorization, MFA, RBAC/ABAC, PAM","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/security-operations.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - SIEM, SOAR, UEBA, threat intelligence, incident response","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Architecture Examples:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/architectures/aws-multi-account-security.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - AWS Organizations security setup","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/architectures/gcp-security-hierarchy.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - GCP folder/project security hierarchy","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/architectures/azure-landing-zone.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Azure hub-spoke landing zone","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"examples/architectures/zero-trust-network.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Zero trust network design","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Scripts:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/threat-model-template.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Generate STRIDE threat model templates","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/control-gap-analysis.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Compare current controls against frameworks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/sbom-generate.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Generate SBOM in CycloneDX format","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/security-checklist.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Automated security architecture checklist","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Summary","type":"text"}]},{"type":"paragraph","content":[{"text":"Security architecture requires strategic planning across multiple layers, from physical security to security operations. Implement defense-in-depth for comprehensive protection, adopt zero trust principles for modern cloud environments, use threat modeling to identify risks proactively, and map controls to frameworks for compliance and completeness.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Start with risk assessment to understand threats, select appropriate architecture approach (zero trust for greenfield, hybrid for brownfield), implement layered controls, and continuously monitor and improve security posture.","type":"text"}]}]},"metadata":{"date":"2026-06-05","name":"architecting-security","author":"@skillopedia","source":{"stars":368,"repo_name":"ai-design-components","origin_url":"https://github.com/ancoleman/ai-design-components/blob/HEAD/skills/architecting-security/SKILL.md","repo_owner":"ancoleman","body_sha256":"e771b2fd4e9aed9b0f3f7df03df78114012526986b71ef62f5a69da8d5e1f268","cluster_key":"fd6d86b21b89aeffe948fdc41f7dfa5752d5e6f4a880bf1a506be3b4e0c7cbd3","clean_bundle":{"format":"clean-skill-bundle-v1","source":"ancoleman/ai-design-components/skills/architecting-security/SKILL.md","attachments":[{"id":"445bf0f4-b3e3-54eb-bef9-9b74291f77f9","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/445bf0f4-b3e3-54eb-bef9-9b74291f77f9/attachment.md","path":"examples/architectures/aws-multi-account-security.md","size":26543,"sha256":"461c723c463428983314fe93841019894aa4ef82af97871c5ba885159f52eda0","contentType":"text/markdown; charset=utf-8"},{"id":"e0bb0be9-b67a-5660-8c37-9c6036964d9a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/e0bb0be9-b67a-5660-8c37-9c6036964d9a/attachment.md","path":"examples/architectures/azure-landing-zone.md","size":34696,"sha256":"20787136b64fafcbf7151677d37489aa9bc3326facca7e26308107107b74dbd5","contentType":"text/markdown; charset=utf-8"},{"id":"8f136e8f-307c-5fe1-af85-654084e2e7fe","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/8f136e8f-307c-5fe1-af85-654084e2e7fe/attachment.md","path":"examples/architectures/gcp-security-hierarchy.md","size":31531,"sha256":"47fbf30e370c780be699ae2408c780bc5da893fb49f27c8647216c6e3b7d5509","contentType":"text/markdown; charset=utf-8"},{"id":"4821a877-ea21-5713-a493-c7d54c0bfac8","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/4821a877-ea21-5713-a493-c7d54c0bfac8/attachment.md","path":"examples/architectures/zero-trust-network.md","size":36906,"sha256":"5f7b74cdd11b153ffaf59a99c44e3202c3c66cbf820f50debb8e8543c02f188c","contentType":"text/markdown; charset=utf-8"},{"id":"f4bb20dc-dce3-5b94-bf54-b35c51bfe9a2","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/f4bb20dc-dce3-5b94-bf54-b35c51bfe9a2/attachment.md","path":"examples/threat-models/api-threat-model.md","size":26561,"sha256":"3f459135c75a7a2055e2d20c33877ec7e1a72745d4c98910a90d1c76d4a26c06","contentType":"text/markdown; charset=utf-8"},{"id":"00797397-d4e7-5464-89b3-2f11cd304c42","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/00797397-d4e7-5464-89b3-2f11cd304c42/attachment.md","path":"examples/threat-models/microservices-threat-model.md","size":43595,"sha256":"03d75920efa06493b18caed3b7630b9354526f4690ce1e575775a64bb70286f6","contentType":"text/markdown; charset=utf-8"},{"id":"60e325d5-85f8-5887-b4af-401524b36bad","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/60e325d5-85f8-5887-b4af-401524b36bad/attachment.md","path":"examples/threat-models/web-app-stride.md","size":15596,"sha256":"5499349f94098e887059569b92bb925f58920afaf00bd58b6a5bffe430062897","contentType":"text/markdown; charset=utf-8"},{"id":"2614593b-6827-54d7-b307-bbc9d54a5b9c","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/2614593b-6827-54d7-b307-bbc9d54a5b9c/attachment.yaml","path":"outputs.yaml","size":11842,"sha256":"4c803141dd9ebd08660a658ee130dd244de5bd3739a042dceac90f18d885ce73","contentType":"application/yaml; charset=utf-8"},{"id":"afcf3b2c-b210-55a0-b353-55c84780996e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/afcf3b2c-b210-55a0-b353-55c84780996e/attachment.md","path":"references/aws-security-architecture.md","size":4089,"sha256":"5dbffc3d163509537bb976a48383ad094d8a47f5966911ef39aaeaef9be18337","contentType":"text/markdown; charset=utf-8"},{"id":"f61f9ddc-9861-5d89-968c-2620da10f62a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/f61f9ddc-9861-5d89-968c-2620da10f62a/attachment.md","path":"references/azure-security-architecture.md","size":2280,"sha256":"291cca4fc5a4133395bdcd325d34a2dbe8b908cdf17e6f52e8301b625765f65a","contentType":"text/markdown; charset=utf-8"},{"id":"e88fa609-72b3-5173-9323-1634c33b7853","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/e88fa609-72b3-5173-9323-1634c33b7853/attachment.md","path":"references/cis-controls.md","size":4756,"sha256":"758b72cbb7614694e43dd0138157dbdac69b5eab798c41558456e3ac7ed75e8a","contentType":"text/markdown; charset=utf-8"},{"id":"25ed5225-72b2-53a3-9931-ac76b70e5cce","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/25ed5225-72b2-53a3-9931-ac76b70e5cce/attachment.md","path":"references/defense-in-depth.md","size":23808,"sha256":"39ad30ff0ca52a25191ea080a9fa4d8aaab91cafcf2ca33438e57f2b5d99a064","contentType":"text/markdown; charset=utf-8"},{"id":"a64b21f1-b290-5f1b-9958-87151db11e78","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/a64b21f1-b290-5f1b-9958-87151db11e78/attachment.md","path":"references/gcp-security-architecture.md","size":1966,"sha256":"9f4defae94841e803ef3a0a4a5509f487fb48d30bcd64b9badd3b098179b8aea","contentType":"text/markdown; charset=utf-8"},{"id":"7f03c14d-d6cd-517f-bc05-40e8a7694a29","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/7f03c14d-d6cd-517f-bc05-40e8a7694a29/attachment.md","path":"references/iam-patterns.md","size":2089,"sha256":"0dcee3e7f4d1fc917ff196185b0fbf8876e0c62c6120c03017f8a04af4e5d395","contentType":"text/markdown; charset=utf-8"},{"id":"02af9a93-6975-557f-94e6-13f0a5b8c6e5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/02af9a93-6975-557f-94e6-13f0a5b8c6e5/attachment.md","path":"references/nist-csf-mapping.md","size":13696,"sha256":"3b2d94cd5dd276601f830918045d63d5018c8d86069910dfae6888a756b5590f","contentType":"text/markdown; charset=utf-8"},{"id":"819ce319-72b7-5422-b28a-0065aaa66b21","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/819ce319-72b7-5422-b28a-0065aaa66b21/attachment.md","path":"references/owasp-top10-mitigation.md","size":6507,"sha256":"9c672620165a6785e909a48b67ab7a1ab7985a6de1a4244c687d9b75ef505e6f","contentType":"text/markdown; charset=utf-8"},{"id":"433c5d18-b140-5f1d-befc-a0ffeb7adbd6","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/433c5d18-b140-5f1d-befc-a0ffeb7adbd6/attachment.md","path":"references/security-operations.md","size":1329,"sha256":"a43413a5530bb86c83792cd4ace2f1b6c918cbbd7afce850ae1da3c718919b01","contentType":"text/markdown; charset=utf-8"},{"id":"3cdc889e-8a38-5337-a39a-c9050fbaa885","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/3cdc889e-8a38-5337-a39a-c9050fbaa885/attachment.md","path":"references/supply-chain-security.md","size":14972,"sha256":"c6d7bbb5a6d1b96f6e21cfea74e9126fe74a643176517d02b59e925fe468607e","contentType":"text/markdown; charset=utf-8"},{"id":"5e7353d7-1e23-5637-a32f-68cabecc5bc6","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/5e7353d7-1e23-5637-a32f-68cabecc5bc6/attachment.md","path":"references/threat-modeling.md","size":21371,"sha256":"ac4512b32b4070e0f7f559952f302f32f4d1171a0508d3dc8ac1825f23dd2c4d","contentType":"text/markdown; charset=utf-8"},{"id":"869abff2-fd63-53d1-b695-1000f9dedae8","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/869abff2-fd63-53d1-b695-1000f9dedae8/attachment.md","path":"references/zero-trust-architecture.md","size":23355,"sha256":"be77060fddd60a595e358c8da45ecc5c50b5b15a499cdf99a7e9dfac8365b8fd","contentType":"text/markdown; charset=utf-8"},{"id":"03634eb8-3f4b-58f7-a172-f46526c14882","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/03634eb8-3f4b-58f7-a172-f46526c14882/attachment.sh","path":"scripts/security-checklist.sh","size":6465,"sha256":"e8a086fc7a4d5c398e83062db095de4e2a2e2836eadeaef0bb10ecdf61a2991a","contentType":"application/x-sh; charset=utf-8"}],"bundle_sha256":"a07d86a4b8117f2ec05e1b2403129ddb0e27d67e6810164cc4de42a999d2cb9c","attachment_count":21,"text_attachments":21,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/architecting-security/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","import_tag":"clean-skills-v1","description":"Design comprehensive security architectures using defense-in-depth, zero trust principles, threat modeling (STRIDE, PASTA), and control frameworks (NIST CSF, CIS Controls, ISO 27001). Use when designing security for new systems, auditing existing architectures, or establishing security governance programs."}},"renderedAt":1782980079696}

Security Architecture Design and implement comprehensive security architectures that protect systems, data, and users through layered defense strategies, zero trust principles, and risk-based security controls. Purpose Security architecture provides the strategic foundation for building resilient, compliant, and trustworthy systems. This skill guides the design of defense-in-depth layers, zero trust implementations, threat modeling methodologies, and mapping to control frameworks (NIST CSF, CIS Controls, ISO 27001). Unlike tactical security skills (configuring firewalls, implementing authenti…