Security Engineering (The Stack)

Moving from "Gatekeeper" to "Guardrails". The full technical stack: Infrastructure, Application, and Data.

1. Infrastructure: Cloud, Network, IaC (Terraform)

2. Application: SDLC, DevSecOps, Bot Defense

3. Data & Privacy: Cryptography, Privacy Computing

The Security Engineering Pipeline

A view of the "Shift Left" philosophy. Each stage contrasts textbook theory ("Focus") with operational reality ("Insights").

The Science (Focus)

  • Methodology: Use STRIDE for threat modeling and DREAD for risk ranking.
  • Architecture Review: Analyze data flow, dependencies, and network boundaries.
  • Output: Security requirements and 'Abuse Case Analysis'.

The Art (Insights)

  • The Reality Gap: Diagrams often miss hidden dependencies (e.g., untagged data stores).
  • Platform Capability: Don't use forms with 20+ checkboxes; visualize data flows automatically.
  • War Story: If architecture review is just a formality, it becomes 'Paper Compliance', not risk reduction.

Infrastructure as Code (IaC)

Module: Terraform Security

Don't configure clouds via the Console. Use Terraform to enforce policies (Encryption, Logging) as code.

Terraform: S3 Bucket
resource "aws_s3_bucket" "example" {
  bucket = "my-insecure-bucket"
  acl    = "public-read" # ❌ Public Access

  # ❌ No Encryption
  # ❌ No Versioning
  # ❌ No Logging
}

Security Analysis

  • Data Leak Risk: `public-read` ACL makes all data visible to the world.
  • Compliance Fail: Missing encryption violates GDPR/PCI-DSS.
  • Fragile: No versioning means 'rm' is forever.

Recommended Directory Structure

/terraform
├── /global       # IAM, Route53 (Shared Resources)
├── /modules      # Reusable Modules (S3, VPC, EKS)
└── /live         # Environments
    ├── /prod
    └── /stage

Zero Trust & Network Segmentation

Old World: Perimeter Security

Firewall (Hard Shell)
Everything inside is trusted (Soft Center)

New World: Zero Trust

User -- mTLS --> App
Identity is the new Perimeter

Anti-Spider & Bot Defense

The Bot Kill Chain

  1. Collection: JS SDK collects Canvas fingerprint, Battery API, and mouse movements.
  2. Analysis (Stream): Flink job calculates velocity (e.g., "5 logins in 1s").
  3. Decision: Rule Engine outputs Allow, Block, or Captcha.
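
Steps 2 and 3 above, as an added example (not code from this page or from any Flink job it describes): an in-memory sliding-window counter stands in for the stream job and feeds a three-way decision. The 5-per-second block threshold comes from the page's example; the Captcha tier at 3, the fingerprint keys, and the names `VelocityRule` and `run` are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0    # from the page's example: "5 logins in 1s"
BLOCK_THRESHOLD = 5     # from the page's example
CAPTCHA_THRESHOLD = 3   # assumption: a softer challenge tier before blocking


class VelocityRule:
    """Counts login events per key (e.g. device fingerprint) in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS,
                 captcha_at=CAPTCHA_THRESHOLD, block_at=BLOCK_THRESHOLD):
        self.window = window
        self.captcha_at = captcha_at
        self.block_at = block_at
        self._events = defaultdict(deque)  # key -> timestamps, oldest first

    def decide(self, key, ts):
        """Record one login at event time `ts` (seconds) and return the decision."""
        q = self._events[key]
        q.append(ts)
        # Keep only events inside the half-open window (ts - window, ts].
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.block_at:
            return "Block"
        if len(q) >= self.captcha_at:
            return "Captcha"
        return "Allow"


# Constructed sample events: (fingerprint, event time in seconds).
SAMPLE_EVENTS = [
    ("fp-aaa", 0.00), ("fp-aaa", 0.10), ("fp-aaa", 0.20),
    ("fp-aaa", 0.30), ("fp-aaa", 0.40),   # burst: 5 logins in 0.4 s
    ("fp-bbb", 0.05), ("fp-bbb", 2.50),   # slow, human-like pacing
    ("fp-aaa", 5.00),                     # same key after the burst has aged out
]


def run(events):
    """Replay events in event-time order, as a stream job would see them."""
    rule = VelocityRule()
    ordered = sorted(events, key=lambda e: e[1])
    return [(key, ts, rule.decide(key, ts)) for key, ts in ordered]


if __name__ == "__main__":
    for key, ts, decision in run(SAMPLE_EVENTS):
        print(f"{ts:5.2f}s  {key}  {decision}")
```

Because counts are kept per key, the burst on one fingerprint does not affect the other, and the decision returns to Allow once the burst leaves the window.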

Browser Fingerprinting

Did you know? Bots often use headless browsers that render fonts and 3D graphics differently than real users.