Senior SecOps Engineer
Complete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.
Table of Contents
Core Capabilities
1. Security Scanner
Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.
# Scan project for security issues
python scripts/security_scanner.py /path/to/project
# Filter by severity
python scripts/security_scanner.py /path/to/project --severity high
# JSON output for CI/CD
python scripts/security_scanner.py /path/to/project --json --output report.json
Detects:
- Hardcoded secrets (API keys, passwords, AWS credentials, GitHub tokens, private keys)
- SQL injection patterns (string concatenation, f-strings, template literals)
- XSS vulnerabilities (innerHTML assignment, unsafe DOM manipulation, React unsafe patterns)
- Command injection (shell=True, exec, eval with user input)
- Path traversal (file operations with user input)
2. Vulnerability Assessor
Scan dependencies for known CVEs across npm, Python, and Go ecosystems.
# Assess project dependencies
python scripts/vulnerability_assessor.py /path/to/project
# Critical/high only
python scripts/vulnerability_assessor.py /path/to/project --severity high
# Export vulnerability report
python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.json
Scans:
package.jsonandpackage-lock.json(npm)requirements.txtandpyproject.toml(Python)go.mod(Go)
Output:
- CVE IDs with CVSS scores
- Affected package versions
- Fixed versions for remediation
- Overall risk score (0-100)
3. Compliance Checker
Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.
# Check all frameworks
python scripts/compliance_checker.py /path/to/project
# Specific framework
python scripts/compliance_checker.py /path/to/project --framework soc2
python scripts/compliance_checker.py /path/to/project --framework pci-dss
python scripts/compliance_checker.py /path/to/project --framework hipaa
python scripts/compliance_checker.py /path/to/project --framework gdpr
# Export compliance report
python scripts/compliance_checker.py /path/to/project --json --output compliance.json
Verifies:
- Access control implementation
- Encryption at rest and in transit
- Audit logging
- Authentication strength (MFA, password hashing)
- Security documentation
- CI/CD security controls
Workflows
Workflow 1: Security Audit
Complete security assessment of a codebase.
# Step 1: Scan for code vulnerabilities
python scripts/security_scanner.py . --severity medium
# STOP if exit code 2 — resolve critical findings before continuing
# Step 2: Check dependency vulnerabilities
python scripts/vulnerability_assessor.py . --severity high
# STOP if exit code 2 — patch critical CVEs before continuing
# Step 3: Verify compliance controls
python scripts/compliance_checker.py . --framework all
# STOP if exit code 2 — address critical gaps before proceeding
# Step 4: Generate combined reports
python scripts/security_scanner.py . --json --output security.json
python scripts/vulnerability_assessor.py . --json --output vulns.json
python scripts/compliance_checker.py . --json --output compliance.json
Workflow 2: CI/CD Security Gate
Integrate security checks into deployment pipeline.
# .github/workflows/security.yml
name: "security-scan"
on:
pull_request:
branches: [main, develop]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: "set-up-python"
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: "security-scanner"
run: python scripts/security_scanner.py . --severity high
- name: "vulnerability-assessment"
run: python scripts/vulnerability_assessor.py . --severity critical
- name: "compliance-check"
run: python scripts/compliance_checker.py . --framework soc2
Each step fails the pipeline on its respective exit code — no deployment proceeds past a critical finding.
Workflow 3: CVE Triage
Respond to a new CVE affecting your application.
1. ASSESS (0-2 hours)
- Identify affected systems using vulnerability_assessor.py
- Check if CVE is being actively exploited
- Determine CVSS environmental score for your context
- STOP if CVSS 9.0+ on internet-facing system — escalate immediately
2. PRIORITIZE
- Critical (CVSS 9.0+, internet-facing): 24 hours
- High (CVSS 7.0-8.9): 7 days
- Medium (CVSS 4.0-6.9): 30 days
- Low (CVSS < 4.0): 90 days
3. REMEDIATE
- Update affected dependency to fixed version
- Run security_scanner.py to verify fix (must return exit code 0)
- STOP if scanner still flags the CVE — do not deploy
- Test for regressions
- Deploy with enhanced monitoring
4. VERIFY
- Re-run vulnerability_assessor.py
- Confirm CVE no longer reported
- Document remediation actions
Workflow 4: Incident Response
Security incident handling procedure.
PHASE 1: DETECT & IDENTIFY (0-15 min)
- Alert received and acknowledged
- Initial severity assessment (SEV-1 to SEV-4)
- Incident commander assigned
- Communication channel established
PHASE 2: CONTAIN (15-60 min)
- Affected systems identified
- Network isolation if needed
- Credentials rotated if compromised
- Preserve evidence (logs, memory dumps)
PHASE 3: ERADICATE (1-4 hours)
- Root cause identified
- Malware/backdoors removed
- Vulnerabilities patched (run security_scanner.py; must return exit code 0)
- Systems hardened
PHASE 4: RECOVER (4-24 hours)
- Systems restored from clean backup
- Services brought back online
- Enhanced monitoring enabled
- User access restored
PHASE 5: POST-INCIDENT (24-72 hours)
- Incident timeline documented
- Root cause analysis complete
- Lessons learned documented
- Preventive measures implemented
- Stakeholder report delivered
Tool Reference
security_scanner.py
| Option | Description |
|---|---|
target | Directory or file to scan |
--severity, -s | Minimum severity: critical, high, medium, low |
--verbose, -v | Show files as they're scanned |
--json | Output results as JSON |
--output, -o | Write results to file |
Exit Codes: 0 = no critical/high findings · 1 = high severity findings · 2 = critical severity findings
vulnerability_assessor.py
| Option | Description |
|---|---|
target | Directory containing dependency files |
--severity, -s | Minimum severity: critical, high, medium, low |
--verbose, -v | Show files as they're scanned |
--json | Output results as JSON |
--output, -o | Write results to file |
Exit Codes: 0 = no critical/high vulnerabilities · 1 = high severity vulnerabilities · 2 = critical severity vulnerabilities
compliance_checker.py
| Option | Description |
|---|---|
target | Directory to check |
--framework, -f | Framework: soc2, pci-dss, hipaa, gdpr, all |
--verbose, -v | Show checks as they run |
--json | Output results as JSON |
--output, -o | Write results to file |
Exit Codes: 0 = compliant (90%+ score) · 1 = non-compliant (50-69% score) · 2 = critical gaps (<50% score)
Security Standards
See references/security_standards.md for OWASP Top 10 full guidance, secure coding standards, authentication requirements, and API security controls.
Secure Coding Checklist
## Input Validation
- [ ] Validate all input on