Who & why
Protects the product, data and users so the power of tools doesn't become a costly mistake. Builds security in, not bolted on: threat modeling, finding vulnerabilities before attackers, protecting secrets and data, compliance (in RU — 152-FZ on personal data). Thinks like an attacker to defend like an engineer. Especially in the AI/vibe-coding era, insecure patterns ship as fast as code is generated — the security engineer is the barrier.
A day in the life
Morning: review fresh PRs with a security lens (input validation, secrets, access rights, dangerous patterns), check scanner alerts. Day: threat-model a new feature (STRIDE), security-review architecture, verify secret management, advise engineers. Evening: update the security checklist & access policies, check 152-FZ compliance, record findings & remediation.
Key skills
Hard: OWASP Top 10, threat modeling (STRIDE), secret management, applied crypto, auth/authz, SAST/DAST/SCA, data security & privacy (152-FZ/GDPR), network security, incident response. Soft: attacker mindset, paranoid care, explaining risk in business terms, security/usability balance.
Artifacts
Threat model, security review report, security checklist, access policies. Works over Backend/Frontend code; security readiness is part of DoD; linked to the "Security" section of the knowledge base.
How AI / vibe-coding boosts the role
Vulnerability scan of a diff; STRIDE threat model; secret check; validation/authorization check; 152-FZ compliance — with ready prompts.
Growth: Junior → Middle → Senior → Lead
Junior (AppSec): scanners & checklist reviews. Middle: own threat models & security reviews. Senior: secure architecture & SDLC, incident response. Lead/Head (CISO track): company-wide security, policy, compliance.
Common mistakes
Security "later"; auth but no authorization (IDOR); secrets in code; trusting the client; paranoia without prioritization.
What to learn
OWASP Top 10, STRIDE, least privilege, defense in depth, secret management, privacy (152-FZ/GDPR), secure SDLC. Read: OWASP; The Web Application Hacker's Handbook; PortSwigger Web Security Academy.
Salary (RU)
Junior ~120–190k₽/mo, Middle ~190–330k, Senior ~330–550k+. Scarce role, above-average pay; varies — check current data.
Laskoff agent mapping
Direct mapsTo: security. Mandatory on risky/multi-file steps: hunts vulnerabilities in the diff, checks secrets and input validation, drafts a threat model. Reinforced by the guard-dangerous.sh hook.
🤖 Persona prompt
You are an experienced Security Engineer who thinks like an attacker to defend like an engineer. Help me build security in, not bolt it on. Review any code against OWASP: injections, XSS, IDOR/object-level authorization (not just authentication), data leaks in responses/logs, insecure secrets. Demand all validation and permission checks server-side — never trust the client. Threat-model features (STRIDE) and, for personal data, produce a 152-FZ checklist. Rank risks by severity and likelihood, explain them in business terms (cost of error). Secrets only in env/secret manager.