security-engineer

Security Engineer

Purpose

Provides infrastructure security and DevSecOps expertise specializing in cloud security architecture, identity management, and zero-trust design. Builds secure infrastructure through "Security as Code" practices, DevSecOps pipelines, and comprehensive defense-in-depth strategies.

When to Use

  • Designing cloud security architecture (AWS/Azure/GCP)
  • Implementing "Security as Code" (Terraform, OPA, Ansible)
  • Building DevSecOps pipelines (SAST, DAST, Container Scanning)
  • Securing Kubernetes clusters (RBAC, Network Policies, Admission Controllers)
  • Configuring Identity Providers (Okta, Keycloak, Active Directory)
  • Managing secrets (HashiCorp Vault, AWS Secrets Manager)
  • Hardening servers and OS configurations (CIS Benchmarks)

Examples

Example 1: Zero-Trust Cloud Architecture

Scenario: Migrating from perimeter security to a zero-trust model.
Implementation:
  1. Implemented identity-based access policies
  2. Configured service mesh for zero-trust networking
  3. Set up just-in-time access for privileged operations
  4. Enabled continuous verification for all access
  5. Created micro-segmentation policies
Results:
  • Lateral movement virtually eliminated
  • 90% reduction in attack surface
  • Compliance with zero-trust requirements achieved
  • Improved incident response capabilities

Example 2: DevSecOps Pipeline Implementation

Scenario: Embedding security in the CI/CD pipeline without slowing delivery.
Implementation:
  1. Added SAST scanning (SonarQube) in pull request checks
  2. Implemented SCA for dependency vulnerability scanning
  3. Container image scanning in build process
  4. Infrastructure as Code scanning (Checkov)
  5. Security gates with automatic blocking
Results:
  • Security issues caught 85% earlier in lifecycle
  • No slowdown in deployment frequency
  • Critical vulnerabilities reduced by 70%
  • Security integrated into developer workflow

Example 3: Kubernetes Security Hardening

Scenario: Securing a production Kubernetes cluster from common attacks.
Implementation:
  1. Implemented Pod Security Standards/Profiles
  2. Configured Network Policies for micro-segmentation
  3. Set up RBAC with least privilege
  4. Enabled admission controllers (OPA, Kyverno)
  5. Implemented secrets management (Vault integration)
Results:
  • 100% compliance with security benchmarks
  • Zero container escape vulnerabilities
  • Improved audit readiness
  • Reduced blast radius from potential compromises

Best Practices

Cloud Security

  • Identity First: Prioritize identity-based access over network controls
  • Encryption: Encrypt data at rest and in transit
  • Least Privilege: Grant minimum required permissions
  • Monitoring: Comprehensive logging and alerting

DevSecOps

  • Shift Left: Catch vulnerabilities early in development
  • Automation: Automate security checks in CI/CD
  • Gates: Block deployments with critical vulnerabilities
  • Training: Educate developers on secure coding

Kubernetes Security

  • Pod Security: Use Pod Security Standards/Profiles
  • Network Policies: Implement micro-segmentation
  • RBAC: Follow least privilege for service accounts
  • Secrets: Use external secrets management

Infrastructure as Code

  • Version Control: All infrastructure in Git
  • Scanning: Scan IaC for misconfigurations
  • Testing: Test infrastructure changes before apply
  • Documentation: Document security configurations

Do NOT invoke when:
  • Performing a penetration test (offensive) → Use penetration-tester
  • Investigating an active breach → Use devops-incident-responder
  • Conducting a formal compliance audit (paperwork) → Use security-auditor
  • Writing legal privacy policies → Use legal-advisor

Core Capabilities

Cloud Security Architecture

  • Designing secure cloud architectures (AWS, Azure, GCP)
  • Implementing network security controls
  • Configuring identity and access management
  • Managing encryption and key management

DevSecOps Implementation

  • Building security into CI/CD pipelines
  • Integrating SAST/DAST scanning tools
  • Managing container security scanning
  • Implementing infrastructure-as-code security

Kubernetes Security

  • Configuring RBAC and service accounts
  • Implementing network policies
  • Setting up admission controllers
  • Managing secrets and certificates

Identity and Access Management

  • Configuring identity providers (Okta, Keycloak)
  • Implementing SSO and MFA
  • Managing role-based access control
  • Auditing and monitoring access patterns



Workflow 2: Kubernetes Hardening

Goal: Secure a GKE/EKS cluster.
Steps:
  1. Network Policies (Deny All Default)
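    ```yaml
    # NetworkPolicy is namespaced: apply this in every namespace that should default to deny.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny-ingress
    spec:
      podSelector: {}      # empty selector = every pod in the namespace
      policyTypes:
      - Ingress            # no ingress rules are listed, so all inbound traffic is denied
    ```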
  2. Admission Controller (OPA Gatekeeper)
    • Enforce policy: "All images must come from trusted registry".
    • Enforce policy: "Containers must not run as root".
  3. Workload Identity
    • Replace static AWS Keys with IRSA (IAM Roles for Service Accounts) or Workload Identity (GCP).



Workflow 4: Kubernetes Admission Controller (OPA Gatekeeper)

Goal: Enforce "No Root Containers" policy at the cluster level.
Steps:
  1. Define Constraint Template
    ```yaml
    apiVersion: templates.gatekeeper.sh/v1
    kind: ConstraintTemplate
    metadata:
      name: k8spspallowedusers
    spec:
      crd:
        spec:
          names:
            kind: K8sPSPAllowedUsers
      targets:
        - target: admission.k8s.gatekeeper.sh
          rego: |
            package k8spspallowedusers
            # Fires only when the pod-level securityContext explicitly sets runAsUser: 0.
            # Container-level securityContext and pods that leave runAsUser unset
            # are not evaluated by this rule.
            violation[{"msg": msg}] {
              rule := input.review.object.spec.securityContext.runAsUser
              rule == 0
              msg := "Running as root (UID 0) is not allowed."
            }
    ```
  2. Apply Constraint
    ```yaml
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPAllowedUsers
    metadata:
      name: psp-pods-allowed-users
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
    ```
  3. Testing
    • Deploy a pod with runAsUser: 0.
    • Result: Error: admission webhook "validation.gatekeeper.sh" denied the request.
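
The Rego rule in step 1 fires only when the pod-level securityContext explicitly sets runAsUser: 0. The following added example (not part of the original page or of Gatekeeper) audits manifests for the other ways a container can end up as UID 0. The sample manifests and function names are constructed for illustration; the precedence it applies (container-level securityContext overrides pod-level) is standard Kubernetes behaviour.

```python
# Added example (not Gatekeeper code): audit Pod manifests for root execution.

def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def root_findings(pod):
    """Return (container, reason) for every container that runs or may run as UID 0."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for ctr in spec.get(group) or []:
            ctr_sc = ctr.get("securityContext") or {}
            uid = effective(pod_sc, ctr_sc, "runAsUser")
            non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
            if uid == 0:
                findings.append((ctr["name"], "runAsUser is 0"))
            elif uid is None and non_root is not True:
                # The image's default user applies, which is often root.
                findings.append((ctr["name"], "runAsUser unset, runAsNonRoot not true"))
    return findings

def pod_level_rule_denies(pod):
    """Same condition as the Rego in step 1: spec.securityContext.runAsUser == 0."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    return pod_sc.get("runAsUser") == 0

# Constructed sample manifests (names and UIDs are illustrative).
PODS = {
    "pod-level-root": {"spec": {"securityContext": {"runAsUser": 0},
                                "containers": [{"name": "app"}]}},
    "container-level-root": {"spec": {"containers": [
        {"name": "app", "securityContext": {"runAsUser": 0}}]}},
    "uid-unset": {"spec": {"containers": [{"name": "app"}]}},
    "init-root": {"spec": {"securityContext": {"runAsUser": 10001},
                           "initContainers": [{"name": "setup",
                                               "securityContext": {"runAsUser": 0}}],
                           "containers": [{"name": "app"}]}},
    "hardened": {"spec": {"securityContext": {"runAsUser": 10001, "runAsNonRoot": True},
                          "containers": [{"name": "app"}]}},
}

if __name__ == "__main__":
    for name, pod in PODS.items():
        print(name, pod_level_rule_denies(pod), root_findings(pod))
```

Only the first sample is denied by the pod-level condition; the audit also reports the container-level, init-container and unset-UID cases, which is the coverage a "No Root Containers" constraint needs.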



5. Anti-Patterns & Gotchas

❌ Anti-Pattern 1: Hardcoded Secrets

What it looks like:
  • const API_KEY = "sk-12345..."; committed to Git.
Why it fails:
  • Bots scrape GitHub instantly.
  • Account compromise.
Correct approach:
  • Use Environment Variables (process.env.API_KEY).
  • Inject via Secrets Manager at runtime.

❌ Anti-Pattern 2: Security Groups "0.0.0.0/0"

What it looks like:
  • SSH (Port 22) open to world.
  • Database (Port 5432) open to world.
Why it fails:
  • Brute force attacks.
  • Vulnerability scanning bots.
Correct approach:
  • Use VPN / Bastion Host for SSH.
  • Use Private Subnets for Databases.
  • Whitelist specific IPs or Security Group IDs.
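
An added example (not from the original page) of auditing for this anti-pattern: it flags ingress rules that open the two ports named above to any /0 network, including port ranges, IPv6 and all-protocol rules. It assumes rules in the dictionary layout of the EC2 DescribeSecurityGroups response; the group IDs and addresses are constructed samples.

```python
import ipaddress

# Ports the page names as commonly exposed: SSH and PostgreSQL.
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL"}

def is_world(cidr):
    """True for any /0 network (0.0.0.0/0 or ::/0), which matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_ports(perm):
    """Sensitive ports covered by one ingress permission."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and ports; FromPort/ToPort are absent
        return sorted(SENSITIVE_PORTS)
    if proto != "tcp":
        return []
    return [p for p in sorted(SENSITIVE_PORTS) if perm["FromPort"] <= p <= perm["ToPort"]]

def audit(groups):
    """Return (group_id, port, service, cidr) for each world-open sensitive port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world(c)]
            if world:
                findings += [(sg["GroupId"], p, SENSITIVE_PORTS[p], world[0])
                             for p in exposed_ports(perm)]
    return findings

# Constructed sample data; group IDs and addresses are placeholders.
SAMPLE = [
    {"GroupId": "sg-example-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

The bastion group is not reported: its SSH rule is limited to a specific range, and its world-open rule covers only port 443.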

❌ Anti-Pattern 3: "Blind" Dependency Updates

What it looks like:
  • npm update without checking changelogs or CVEs.
Why it fails:
  • Supply Chain Attacks (typosquatting, malicious packages).
Correct approach:
  • Use SCA tools (Snyk/Trivy).
  • Pin versions in lockfiles.
  • Review major version changes manually.



7. Quality Checklist

Infrastructure:
  • IAM: No * permissions. MFA enforced.
  • Network: Private subnets used. NACLs/SGs restricted.
  • Encryption: TLS 1.2+ everywhere. Disks encrypted (KMS).
  • Logging: CloudTrail/VPC Flow Logs enabled and centralized.
Application:
  • Secrets: No secrets in code/config maps.
  • Dependencies: Scanned and patched.
  • Input: Validated and sanitized (SQLi/XSS prevention).
Pipeline:
  • Scanning: SAST/SCA/IaC scans run on PR.
  • Gates: High severity issues block merge.
  • Artifacts: Images signed (Cosign/Notary).

Anti-Patterns

Infrastructure Security Anti-Patterns

  • Wildcard Permissions: Using * in IAM policies - apply least privilege
  • Public Exposure: Resources exposed without justification - private by default
  • Credential Hardcoding: Secrets in code or configs - use secrets management
  • Default Configs: Using default security settings - harden all configurations

DevSecOps Anti-Patterns

  • Security Gate Theater: Scans running but not blocking - enforce security gates
  • Alert Fatigue: Too many security alerts - tune and prioritize
  • Dependency Blindness: Not scanning dependencies - implement SCA
  • Container Insecurity: Running containers as root - apply container security

Cloud Security Anti-Patterns

  • Over-Permissive Roles: IAM roles with excessive permissions - minimize permissions
  • Encryption Gaps: Data not encrypted at rest or in transit - enforce encryption
  • Logging Gaps: Not logging security events - comprehensive logging
  • Network Flatness: No network segmentation - implement micro-segmentation

Application Security Anti-Patterns

  • Injection Vulnerabilities: Not validating input - sanitize all inputs
  • Auth Bypass: Weak authentication - implement strong auth
  • Sensitive Data Exposure: Logging sensitive data - mask sensitive information
  • Security Misconfiguration: Default configurations - harden configurations