security-auth

Security & Authentication Specialist - Complete Security Engineering Workflow

Overview

This skill provides end-to-end security and authentication services by orchestrating security architects, identity specialists, and compliance experts. It transforms security requirements into production-ready authentication and authorization systems with comprehensive threat protection, compliance adherence, and security monitoring.
Key Capabilities:
  • 🔐 Multi-Layer Security Architecture - Authentication, authorization, and threat protection systems
  • 🛡️ Identity & Access Management - User authentication, role-based access, and privilege management
  • 📊 Compliance & Auditing - Regulatory compliance, security auditing, and reporting
  • 🔧 Security Integration - Seamless integration with existing systems and third-party security services
  • 📋 Threat Protection - Proactive threat detection, prevention, and incident response

When to Use This Skill

Perfect for:
  • Authentication system design and implementation
  • Authorization framework development and RBAC implementation
  • Security compliance and auditing requirements
  • Threat protection and security monitoring setup
  • Identity management system integration
  • Security assessment and vulnerability management
Triggers:
  • "Implement authentication and authorization for [application]"
  • "Design security architecture for [system]"
  • "Set up identity and access management"
  • "Implement compliance and security auditing"
  • "Create threat protection and monitoring system"

Security Expert Panel

Security Architect (System Security Design)

  • Focus: Security architecture, threat modeling, security patterns
  • Techniques: Zero-trust architecture, defense-in-depth, security frameworks
  • Considerations: Security by design, attack surface reduction, security controls

Identity Specialist (Authentication & Authorization)

  • Focus: Authentication systems, identity management, access control
  • Techniques: OAuth 2.0, OpenID Connect, JWT, SAML, RBAC/ABAC
  • Considerations: User experience, security requirements, scalability

Compliance Expert (Regulatory & Auditing)

  • Focus: Regulatory compliance, security auditing, risk assessment
  • Techniques: SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS compliance
  • Considerations: Legal requirements, audit trails, documentation

Threat Analyst (Security Monitoring & Response)

  • Focus: Threat detection, incident response, security monitoring
  • Techniques: SIEM systems, threat intelligence, security analytics
  • Considerations: Real-time detection, response procedures, forensic analysis

Cryptographic Specialist (Encryption & Data Protection)

  • Focus: Encryption implementation, key management, data protection
  • Techniques: AES, RSA, TLS/SSL, hash functions, digital signatures
  • Considerations: Key lifecycle management, performance impact, compliance

Security Implementation Workflow

Phase 1: Security Requirements Analysis & Threat Modeling

Use when: Starting security implementation or security assessment
Tools Used:
/sc:analyze security-requirements
Security Architect: threat modeling and risk assessment
Compliance Expert: regulatory requirement analysis
Threat Analyst: attack surface analysis
Activities:
  • Analyze security requirements and threat landscape
  • Identify compliance requirements and regulatory constraints
  • Perform threat modeling and attack surface analysis
  • Define security policies and procedures
  • Plan security architecture and control implementation

Phase 2: Authentication System Design & Implementation

Use when: Designing and implementing authentication systems
Tools Used:
/sc:design --type authentication auth-system
Identity Specialist: authentication framework design
Cryptographic Specialist: secure credential management
Security Architect: authentication security controls
Activities:
  • Design authentication architecture and user identity flows
  • Implement secure credential storage and management
  • Create multi-factor authentication (MFA) systems
  • Design session management and token-based authentication
  • Implement password policies and secure recovery mechanisms

Phase 3: Authorization Framework & Access Control

Use when: Implementing authorization and access control systems
Tools Used:
/sc:design --type authorization rbac-system
Identity Specialist: role-based access control implementation
Security Architect: privilege management design
Compliance Expert: access control auditing
Activities:
  • Design role-based access control (RBAC) or attribute-based access control (ABAC)
  • Implement fine-grained permissions and privilege management
  • Create access control policies and enforcement mechanisms
  • Design admin interfaces for user and permission management
  • Implement access request and approval workflows

Phase 4: Security Integration & API Protection

Use when: Integrating security controls and protecting APIs
Tools Used:
/sc:implement security-integration
Security Architect: API security and integration
Cryptographic Specialist: encryption and data protection
Threat Analyst: input validation and sanitization
Activities:
  • Implement API authentication and authorization middleware
  • Create input validation and output encoding mechanisms
  • Implement rate limiting and DDoS protection
  • Set up CORS policies and secure headers
  • Integrate with third-party security services and tools

Phase 5: Compliance & Auditing Implementation

Use when: Ensuring regulatory compliance and security auditing
Tools Used:
/sc:implement compliance-auditing
Compliance Expert: compliance framework implementation
Security Architect: security monitoring and logging
Threat Analyst: audit trail and forensics
Activities:
  • Implement comprehensive audit logging and monitoring
  • Create compliance reporting and documentation
  • Set up security incident tracking and reporting
  • Implement data retention and deletion policies
  • Create security dashboards and compliance metrics

Phase 6: Threat Protection & Security Monitoring

Use when: Setting up proactive threat detection and response
Tools Used:
/sc:implement threat-protection
Threat Analyst: security monitoring and detection
Security Architect: incident response procedures
Compliance Expert: security metrics and reporting
Activities:
  • Implement security information and event management (SIEM)
  • Set up real-time threat detection and alerting
  • Create incident response procedures and playbooks
  • Implement security analytics and anomaly detection
  • Design security metrics and KPI tracking

Integration Patterns

SuperClaude Command Integration

| Command | Use Case | Output |
| --- | --- | --- |
| /sc:design --type authentication | Authentication system | Complete auth architecture |
| /sc:design --type authorization | Authorization framework | RBAC/ABAC implementation |
| /sc:implement security | Security controls | Production-ready security |
| /sc:analyze threats | Threat analysis | Threat model and mitigation |
| /sc:implement compliance | Compliance | Regulatory compliance system |

Security Framework Integration

| Framework | Role | Capabilities |
| --- | --- | --- |
| OWASP Top 10 | Security standards | Comprehensive vulnerability protection |
| NIST Cybersecurity | Security framework | Complete security program implementation |
| ISO 27001 | Compliance management | Information security management system |
| Zero Trust | Security model | Zero-trust architecture implementation |

MCP Server Integration

| Server | Expertise | Use Case |
| --- | --- | --- |
| Sequential | Security reasoning | Complex security analysis and design |
| Better Auth | Authentication | Modern authentication implementation |
| Web Search | Threat intelligence | Latest security threats and vulnerabilities |

Usage Examples

Example 1: Complete Authentication System

User: "Implement a secure authentication system for our SaaS application with MFA and SSO support"

Workflow:
1. Phase 1: Analyze security requirements and compliance needs
2. Phase 2: Design OAuth 2.0/OpenID Connect authentication system
3. Phase 3: Implement RBAC with fine-grained permissions
4. Phase 4: Integrate with SSO providers and MFA services
5. Phase 5: Set up audit logging and compliance reporting
6. Phase 6: Implement threat detection and security monitoring

Output: Production-ready authentication system with enterprise-grade security

Example 2: Security Compliance Implementation

User: "Implement SOC 2 compliance for our financial services platform"

Workflow:
1. Phase 1: Analyze SOC 2 requirements and current security posture
2. Phase 2: Design security controls to meet SOC 2 criteria
3. Phase 3: Implement access controls and audit trails
4. Phase 4: Set up security monitoring and incident response
5. Phase 5: Create compliance documentation and reporting
6. Phase 6: Implement continuous compliance monitoring

Output: SOC 2 compliant security framework with comprehensive audit capabilities

Example 3: API Security Implementation

User: "Secure our REST API with proper authentication, authorization, and threat protection"

Workflow:
1. Phase 1: Analyze API security requirements and threat model
2. Phase 2: Design JWT-based authentication and authorization
3. Phase 3: Implement API gateway with security controls
4. Phase 4: Add rate limiting, input validation, and encryption
5. Phase 5: Set up API security monitoring and logging
6. Phase 6: Implement API security testing and validation

Output: Secure API with comprehensive protection against common attacks

Quality Assurance Mechanisms

Multi-Layer Security Validation

  • Security Architecture Review: Comprehensive security design validation
  • Penetration Testing: Automated and manual security testing
  • Compliance Validation: Regulatory compliance verification
  • Threat Assessment: Ongoing threat analysis and mitigation

Automated Security Checks

  • Vulnerability Scanning: Automated security vulnerability detection
  • Compliance Monitoring: Continuous compliance checking and reporting
  • Security Testing: Automated security test execution and validation
  • Access Control Validation: Permission and access right verification

Continuous Security Improvement

  • Security Metrics: Ongoing security performance tracking
  • Threat Intelligence: Continuous threat monitoring and adaptation
  • Security Training: Security awareness and best practices
  • Incident Learning: Post-incident analysis and improvement

Output Deliverables

Primary Deliverable: Complete Security System

security-system/
├── authentication/
│   ├── providers/               # Authentication provider implementations
│   ├── middleware/              # Auth middleware and guards
│   ├── tokens/                  # Token generation and validation
│   └── sessions/                # Session management
├── authorization/
│   ├── rbac/                    # Role-based access control
│   ├── permissions/             # Permission definitions
│   ├── policies/                # Access control policies
│   └── admin/                   # Admin interfaces
├── security/
│   ├── encryption/              # Encryption utilities
│   ├── validation/              # Input validation and sanitization
│   ├── headers/                 # Security headers and CORS
│   └── rate-limiting/           # Rate limiting and DDoS protection
├── compliance/
│   ├── audit-logs/              # Audit logging and tracking
│   ├── reports/                 # Compliance reports
│   ├── policies/                # Security policies and procedures
│   └── documentation/           # Compliance documentation
├── monitoring/
│   ├── siem/                    # Security information and event management
│   ├── alerts/                  # Security alerts and notifications
│   ├── dashboards/              # Security monitoring dashboards
│   └── incident-response/       # Incident response procedures
└── config/
    ├── development/             # Development security config
    ├── staging/                 # Staging security config
    └── production/              # Production security config

Supporting Artifacts

  • Security Architecture Documentation: Detailed security design and implementation
  • Compliance Reports: Regulatory compliance status and documentation
  • Security Policies: Comprehensive security policies and procedures
  • Threat Models: Detailed threat analysis and mitigation strategies
  • Incident Response Plans: Security incident handling procedures

Advanced Features

Intelligent Threat Detection

  • AI-powered threat detection and analysis
  • Behavioral anomaly detection and user behavior analytics
  • Real-time threat intelligence integration
  • Automated incident response and containment

Zero Trust Implementation

  • Comprehensive zero-trust security architecture
  • Continuous authentication and authorization
  • Micro-segmentation and least privilege access
  • Device and location-based access controls

Compliance Automation

  • Automated compliance checking and reporting
  • Continuous compliance monitoring and alerts
  • Automated evidence collection for audits
  • Regulatory requirement tracking and management

Security Analytics

  • Advanced security analytics and reporting
  • Security metrics and KPI tracking
  • Risk assessment and scoring
  • Security posture analysis and improvement

Troubleshooting

Common Security Implementation Challenges

  • Authentication Issues: Use proper token validation and secure session management
  • Authorization Problems: Implement clear permission models and regular access reviews
  • Compliance Gaps: Conduct regular compliance assessments and documentation updates
  • Security Vulnerabilities: Implement continuous security testing and vulnerability management
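
What "proper token validation" involves for the JWT-based authentication this workflow mentions, as an added example (not code from this skill or from any project it names): an HS256 verifier built on the Python standard library only. The function names, the issuer and audience parameters and the error strings are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, time


class TokenError(Exception):
    """Any reason a token must be rejected."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token; used here only to build constructed sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs256(token, key, *, issuer, audience, now=None, leeway=30):
    """Return the claims only if every check passes, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token") from None
    # Pin the algorithm on the server; the token must not choose it ("none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise TokenError("bad signature")
    # Claims are parsed and trusted only after the signature has verified.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token") from None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("expired or missing exp")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims


def rejection_reason(token, key, **expect):
    """Return why a token is refused, or None if it is accepted."""
    try:
        verify_hs256(token, key, **expect)
        return None
    except TokenError as err:
        return str(err)
```

The verifier treats a missing `exp` as a rejection rather than as "never expires", so a token without an expiry cannot become a permanent credential.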

Integration and Operational Issues

  • Third-party Integration: Use standard protocols and proper error handling
  • Performance Impact: Optimize security controls and implement caching where appropriate
  • User Experience: Balance security requirements with user-friendly interfaces
  • Security Monitoring: Implement comprehensive logging and alerting systems

Best Practices

For Authentication Design

  • Use industry-standard protocols (OAuth 2.0, OpenID Connect, SAML)
  • Implement multi-factor authentication for sensitive operations
  • Use secure token storage and proper session management
  • Implement proper password policies and secure recovery mechanisms

For Authorization Implementation

  • Follow principle of least privilege
  • Implement role-based or attribute-based access control
  • Regularly review and update access permissions
  • Implement proper audit trails for access control changes

For Security Compliance

  • Stay updated with regulatory requirements and industry standards
  • Implement comprehensive audit logging and documentation
  • Conduct regular security assessments and penetration testing
  • Maintain up-to-date security policies and procedures

For Threat Protection

  • Implement defense-in-depth security architecture
  • Use automated security monitoring and threat detection
  • Maintain incident response procedures and conduct regular drills
  • Stay informed about latest security threats and vulnerabilities

This security and authentication skill transforms the complex process of security system implementation into a guided, expert-supported workflow that ensures comprehensive protection, regulatory compliance, and operational excellence.