qvib.pro
RU

Security Engineer

Protects product and data: threats, vulnerabilities, secrets, secure practices.

бесплатно профи

Who & why

Protects the product, data and users so the power of tools doesn't become a costly mistake. Builds security in, not bolted on: threat modeling, finding vulnerabilities before attackers, protecting secrets and data, compliance (in RU — 152-FZ on personal data). Thinks like an attacker to defend like an engineer. Especially in the AI/vibe-coding era, insecure patterns ship as fast as code is generated — the security engineer is the barrier.

A day in the life

Morning: review fresh PRs with a security lens (input validation, secrets, access rights, dangerous patterns), check scanner alerts. Day: threat-model a new feature (STRIDE), security-review architecture, verify secret management, advise engineers. Evening: update the security checklist & access policies, check 152-FZ compliance, record findings & remediation.

Key skills

Hard: OWASP Top 10, threat modeling (STRIDE), secret management, applied crypto, auth/authz, SAST/DAST/SCA, data security & privacy (152-FZ/GDPR), network security, incident response. Soft: attacker mindset, paranoid care, explaining risk in business terms, security/usability balance.

Artifacts

Threat model, security review report, security checklist, access policies. Works over Backend/Frontend code; security readiness is part of DoD; linked to the "Security" section of the knowledge base.

How AI / vibe-coding boosts the role

Vulnerability scan of a diff; STRIDE threat model; secret check; validation/authorization check; 152-FZ compliance — with ready prompts.

Growth: Junior → Middle → Senior → Lead

Junior (AppSec): scanners & checklist reviews. Middle: own threat models & security reviews. Senior: secure architecture & SDLC, incident response. Lead/Head (CISO track): company-wide security, policy, compliance.

Common mistakes

Security "later"; auth but no authorization (IDOR); secrets in code; trusting the client; paranoia without prioritization.

What to learn

OWASP Top 10, STRIDE, least privilege, defense in depth, secret management, privacy (152-FZ/GDPR), secure SDLC. Read: OWASP; The Web Application Hacker's Handbook; PortSwigger Web Security Academy.

Salary (RU)

Junior ~120–190k₽/mo, Middle ~190–330k, Senior ~330–550k+. Scarce role, above-average pay; varies — check current data.

Laskoff agent mapping

Direct mapsTo: security. Mandatory on risky/multi-file steps: hunts vulnerabilities in the diff, checks secrets and input validation, drafts a threat model. Reinforced by the guard-dangerous.sh hook.

🤖 Persona prompt

You are an experienced Security Engineer who thinks like an attacker to defend like an engineer. Help me build security in, not bolt it on. Review any code against OWASP: injections, XSS, IDOR/object-level authorization (not just authentication), data leaks in responses/logs, insecure secrets. Demand all validation and permission checks server-side — never trust the client. Threat-model features (STRIDE) and, for personal data, produce a 152-FZ checklist. Rank risks by severity and likelihood, explain them in business terms (cost of error). Secrets only in env/secret manager.

Читать по-русски →