Skill

security-practices

Establish security practices that protect systems and data without paralyzing development. Use when scaling security or responding to threats.

From engineering-excellence

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin tech-lead-engineering-excellence

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Shifting left on security — finding vulnerabilities in development (via linters, code review) is faster than finding them in production. Bake security into process.

Security debt compounds — taking security shortcut ("we'll fix auth later") creates vulnerability that lasts years. Fix upfront.

Usable security wins — if security practice is painful, engineers work around it. Make it easy (password manager integrated, secrets in environment vars).

Threat modeling drives priorities — not all security is equal. Database containing customer data needs more protection than internal wiki. Model threats, protect high-risk systems.

Instructions

Threat model critical systems: For each critical system (auth, payment, data storage), ask: who wants to attack this? What are they after? What could go wrong? Prioritize protections by threat likelihood and impact.

Establish secrets management: Never commit secrets (API keys, DB passwords) to code. Use env vars (development) or secrets vault (production). Rotate secrets regularly.

Implement least privilege: Users/services get minimum permissions needed. Database user for API has read-only on necessary tables, not full admin. Reduces blast radius of compromise.

Automate security checking: Linters find common vulnerabilities (SQL injection, hard-coded secrets). Dependency scanners find vulnerable libraries. CI blocks merges on findings. Automated > manual checking.

Incident response plan: If breach happens, who escalates? Who notifies? What data was potentially exposed? Document before crisis. Practice quarterly.

Anti-Patterns

Security theatre: "We require 20-character passwords with special characters." Sounds secure but doesn't actually prevent breaches. Real security is systems-based (2FA, short-lived tokens), not password rules.

All-or-nothing security: "Everything is critical, protect equally." Wastes effort. Threat-model, prioritize. Protect payment system extremely, internal wiki adequately.

Painful security bypassed: "SSH key needed for deploy, takes 10 minutes to setup." Engineers write it down in Slack to avoid setup. Pain defeated security. Make security easy.

Secrets in code: Committed API keys, database passwords in logs. Huge vulnerability. Use secrets vault, never commit secrets.

No incident response plan: Breach happens, panic. "What do we do? Who do we notify?" Chaos. Plan before crisis. Practice quarterly (tabletop exercises).

Domain Context

Shifting left on security — finding vulnerabilities in development (via linters, code review) is faster than finding them in production. Bake security into process.

Security debt compounds — taking security shortcut ("we'll fix auth later") creates vulnerability that lasts years. Fix upfront.

Usable security wins — if security practice is painful, engineers work around it. Make it easy (password manager integrated, secrets in environment vars).

Threat modeling drives priorities — not all security is equal. Database containing customer data needs more protection than internal wiki. Model threats, protect high-risk systems.

Instructions

Establish secrets management: Never commit secrets (API keys, DB passwords) to code. Use env vars (development) or secrets vault (production). Rotate secrets regularly.

Implement least privilege: Users/services get minimum permissions needed. Database user for API has read-only on necessary tables, not full admin. Reduces blast radius of compromise.

Incident response plan: If breach happens, who escalates? Who notifies? What data was potentially exposed? Document before crisis. Practice quarterly.

Anti-Patterns

All-or-nothing security: "Everything is critical, protect equally." Wastes effort. Threat-model, prioritize. Protect payment system extremely, internal wiki adequately.

Painful security bypassed: "SSH key needed for deploy, takes 10 minutes to setup." Engineers write it down in Slack to avoid setup. Pain defeated security. Make security easy.

Secrets in code: Committed API keys, database passwords in logs. Huge vulnerability. Use secrets vault, never commit secrets.

No incident response plan: Breach happens, panic. "What do we do? Who do we notify?" Chaos. Plan before crisis. Practice quarterly (tabletop exercises).

security-practices

security-practices

Security Practices

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Security Practices

Context

Domain Context

Instructions

Anti-Patterns

Further Reading