Security Patterns

Essential security patterns for building secure applications with Orchestre. These patterns help you implement defense in depth and follow security best practices.

Security Principles

1. Defense in Depth - Multiple layers of security
2. Least Privilege - Minimal necessary permissions
3. Zero Trust - Verify everything, trust nothing
4. Fail Secure - Secure by default when failures occur
5. Security by Design - Built-in, not bolted-on

---

Authentication Patterns

Pattern: Multi-Factor Authentication (MFA)

Context: Enhancing account security beyond passwords

Implementation:

/execute-task "Implement MFA with:
- TOTP (Time-based One-Time Password)
- Backup codes generation
- Recovery flow
- Remember device option
- Audit logging"

Example:

/execute-task "Add TOTP-based MFA:
1. Generate secret on first setup
2. Provide QR code for authenticator apps
3. Verify TOTP code before enabling
4. Generate 10 backup codes
5. Log all MFA events"

Security Considerations:

• Store secrets encrypted
• Rate limit verification attempts
• Invalidate sessions on MFA changes
• Clear messaging about MFA importance

Pattern: Secure Session Management

Context: Managing user sessions securely

Implementation:

/execute-task "Implement secure session management:
- Cryptographically secure session IDs
- Session rotation on privilege escalation
- Absolute and idle timeouts
- Secure cookie flags
- Session invalidation on logout"

Example:

/execute-task "Create session management with:
- 256-bit random session IDs
- Rotation after login/permission change
- 24h absolute timeout, 30min idle timeout
- httpOnly, secure, sameSite cookie flags
- Redis session store with immediate invalidation"

---

Authorization Patterns

Pattern: Role-Based Access Control (RBAC)

Context: Managing permissions at scale

Implementation:

/execute-task "Implement RBAC system:
- Role hierarchy definition
- Permission assignment
- Dynamic permission checking
- Admin interface
- Audit trail"

Example:

/execute-task "Create RBAC with roles:
- Admin: Full access
- Editor: Create/edit content
- Viewer: Read-only access
With middleware for route protection
and method-level permission checks"

Pattern: Attribute-Based Access Control (ABAC)

Context: Fine-grained, contextual permissions

Implementation:

/execute-task "Implement ABAC with:
- Policy engine
- Attribute definitions
- Context evaluation
- Policy testing tools
- Performance optimization"

Example:

/execute-task "Create ABAC for document access:
Rules like:
- Users can edit their own documents
- Managers can view team documents
- Documents marked 'public' are readable by all
- Time-based access for contractors"

---

Input Security Patterns

Pattern: Input Validation Layer

Context: Preventing injection attacks and data corruption

Implementation:

/execute-task "Create comprehensive input validation:
- Schema-based validation
- Type checking and coercion
- Length and format constraints
- Sanitization rules
- Error messaging"

Example:

/execute-task "Implement input validation for user API:
- Email: RFC 5322 compliant
- Password: Min 12 chars, complexity rules
- Username: Alphanumeric, 3-20 chars
- Bio: Max 500 chars, strip HTML
With clear error messages for each rule"

Pattern: SQL Injection Prevention

Context: Protecting database queries from injection

Implementation:

/execute-task "Implement SQL injection prevention:
- Parameterized queries only
- Stored procedure wrapper
- Query builder validation
- Input sanitization
- Query logging and monitoring"

Best Practices:

// Never do this
const query = `SELECT * FROM users WHERE id = ${userId}`;

// Always use parameterized queries
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

---

Data Security Patterns

Pattern: Encryption at Rest

Context: Protecting stored sensitive data

Implementation:

/execute-task "Implement encryption at rest:
- Field-level encryption for PII
- Transparent database encryption
- Key rotation strategy
- Secure key storage (HSM/KMS)
- Backup encryption"

Example:

/execute-task "Encrypt sensitive user data:
- SSN: AES-256-GCM encryption
- Credit cards: Tokenization
- Passwords: Argon2id hashing
- Medical records: Full record encryption
Using AWS KMS for key management"

Pattern: Secure Data Transmission

Context: Protecting data in transit

Implementation:

/execute-task "Implement secure data transmission:
- TLS 1.3 enforcement
- Certificate pinning for mobile
- Perfect forward secrecy
- HSTS headers
- API encryption layer"

---

API Security Patterns

Pattern: API Rate Limiting

Context: Preventing abuse and ensuring availability

Implementation:

/execute-task "Implement API rate limiting:
- Per-user rate limits
- Per-IP rate limits
- Endpoint-specific limits
- Sliding window algorithm
- Graceful limit communication"

Example:

/execute-task "Create rate limiting with:
- Authenticated: 1000 req/hour
- Anonymous: 100 req/hour
- Auth endpoints: 5 req/minute
- Upload endpoints: 10 req/hour
Using Redis sliding window"

Pattern: API Key Management

Context: Secure API authentication for services

Implementation:

/execute-task "Create API key system:
- Key generation and rotation
- Scope-based permissions
- Usage tracking
- Revocation mechanism
- Key encryption at rest"

---

Security Monitoring Patterns

Pattern: Security Event Logging

Context: Detecting and investigating security incidents

Implementation:

/execute-task "Implement security logging:
- Authentication events
- Authorization failures
- Data access patterns
- System changes
- Anomaly detection"

Example:

/execute-task "Create security event log with:
- Failed login attempts
- Permission escalation
- Sensitive data access
- Configuration changes
- API key usage
Storing in append-only log with alerting"

Pattern: Intrusion Detection

Context: Identifying potential security breaches

Implementation:

/execute-task "Implement intrusion detection:
- Behavior baselines
- Anomaly detection rules
- Real-time alerting
- Automated responses
- Forensic data collection"

---

Secure Development Patterns

Pattern: Security Testing Pipeline

Context: Automated security validation

Implementation:

/execute-task "Create security testing pipeline:
- Static code analysis (SAST)
- Dependency vulnerability scanning
- Dynamic testing (DAST)
- Security unit tests
- Penetration test hooks"

Example:

/execute-task "Set up security pipeline with:
- SonarQube for code analysis
- OWASP dependency check
- ZAP for dynamic testing
- Security test suite
- Weekly penetration test runs"

Pattern: Secure Configuration Management

Context: Managing secrets and configuration securely

Implementation:

/execute-task "Implement secure configuration:
- Environment-based configs
- Encrypted secrets storage
- Runtime secret injection
- Configuration validation
- Audit trail"

---

Common Vulnerability Patterns

Pattern: XSS Prevention

Context: Preventing cross-site scripting attacks

Implementation:

/execute-task "Implement XSS prevention:
- Content Security Policy headers
- Input sanitization
- Output encoding
- Template auto-escaping
- DOM purification"

Pattern: CSRF Protection

Context: Preventing cross-site request forgery

Implementation:

/execute-task "Implement CSRF protection:
- Synchronizer tokens
- Double submit cookies
- SameSite cookie attribute
- Origin header validation
- Custom headers for APIs"

---

Incident Response Patterns

Pattern: Security Incident Response

Context: Handling security breaches effectively

Implementation:

/orchestrate "Create incident response plan:
- Detection mechanisms
- Escalation procedures
- Containment strategies
- Evidence preservation
- Communication templates"

Pattern: Data Breach Response

Context: Managing data breach scenarios

Implementation:

/orchestrate "Implement data breach response:
- Automated detection
- User notification system
- Password reset enforcement
- Audit log preservation
- Regulatory compliance"

---

Security Checklist

For every feature, consider:

• [ ] Authentication: Who can access this?
• [ ] Authorization: What can they do?
• [ ] Validation: Is input safe?
• [ ] Encryption: Is data protected?
• [ ] Logging: Can we detect abuse?
• [ ] Error Handling: Do errors leak info?
• [ ] Rate Limiting: Can it be abused?
• [ ] Dependencies: Are libraries secure?

---

Security Anti-Patterns

Anti-Pattern: Security Through Obscurity

❌ Avoid:

// "Hidden" admin endpoint
app.get('/secret-admin-panel', adminController);

✅ Better:

// Proper authentication and authorization
app.get('/admin', authenticate, authorize('admin'), adminController);

Anti-Pattern: Trusting Client Data

❌ Avoid:

// Trusting client-provided role
const role = req.body.role;
if (role === 'admin') { /* admin access */ }

✅ Better:

// Server-side role verification
const role = await getUserRole(req.user.id);
if (role === 'admin') { /* admin access */ }

Anti-Pattern: Weak Crypto

❌ Avoid:

// MD5 for passwords
const hash = md5(password);

✅ Better:

// Modern password hashing
const hash = await argon2.hash(password);

---

Quick Security Wins

Immediate improvements you can make:

# 1. Add security headers
/execute-task "Add security headers: CSP, HSTS, X-Frame-Options"

# 2. Enable rate limiting
/execute-task "Add rate limiting to all API endpoints"

# 3. Implement logging
/execute-task "Add security event logging for auth events"

# 4. Update dependencies
/security-audit --fix-vulnerable

# 5. Add input validation
/execute-task "Add validation to all API inputs"

---

Compliance Patterns

GDPR Compliance

/orchestrate "Implement GDPR compliance:
- Privacy by design
- Data minimization
- Right to erasure
- Data portability
- Consent management"

PCI DSS Compliance

/orchestrate "Implement PCI compliance:
- Network segmentation
- Encryption requirements
- Access controls
- Vulnerability management
- Security testing"

---

Resources

• OWASP Top 10
• Security Command Reference
• Encryption Utilities
• Security Examples

---

Next Steps

• Run /security-audit on your project
• Review Testing Patterns
• Implement Monitoring Patterns
• Study OWASP Guidelines