[
{
"text": "GDPR (General Data Protection Regulation) applies to any service handling EU user data. Key requirements: data encryption at rest and in transit, right to erasure, data portability, consent management, breach notification within 72 hours, Data Protection Officer for large operations. Technical implementation: encryption (AES-256), audit logs, data anonymization, geographic data restrictions. Violations can result in fines up to 4% of annual revenue.",
"metadata": {
"category": "security",
"compliance": "gdpr",
"type": "compliance_framework",
"source": "compliance_docs"
}
},
{
"text": "HIPAA (Health Insurance Portability and Accountability Act) protects healthcare data in the US. Requirements: PHI encryption, access controls, audit trails, Business Associate Agreements with cloud providers, risk assessments, incident response plans. Technical controls: field-level encryption for PHI, role-based access control, comprehensive audit logging, encrypted backups. AWS, GCP, and Azure offer HIPAA-compliant services with BAAs.",
"metadata": {
"category": "security",
"compliance": "hipaa",
"type": "compliance_framework",
"source": "compliance_docs"
}
},
{
"text": "PCI-DSS (Payment Card Industry Data Security Standard) applies to applications handling credit card data. Its 12 requirements include: firewalls, no default passwords, cardholder data protection, encryption in transit, access restrictions, monitoring, regular testing. Best practice: use tokenization (Stripe, Square) to avoid storing card data, which reduces PCI scope significantly. An annual self-assessment and quarterly vulnerability scans are required.",
"metadata": {
"category": "security",
"compliance": "pci_dss",
"type": "compliance_framework",
"source": "compliance_docs"
}
},
{
"text": "SOC 2 (Service Organization Control 2) demonstrates security, availability, and confidentiality controls. Five trust principles: security, availability, processing integrity, confidentiality, privacy. Requirements: risk assessments, access controls, encryption, monitoring, incident response, vendor management. Annual audit by a third party. Essential for B2B SaaS companies. Typically takes 6-12 months to achieve.",
"metadata": {
"category": "security",
"compliance": "soc2",
"type": "compliance_framework",
"source": "compliance_docs"
}
},
{
"text": "Authentication best practices: implement MFA (multi-factor authentication), use OAuth 2.0/OpenID Connect for third-party auth, enforce strong passwords (min 12 chars, complexity), implement rate limiting on auth endpoints (5 attempts/minute), use secure session management (httpOnly, secure, SameSite cookies). Consider passwordless authentication (WebAuthn) for better security. Monitor for suspicious login patterns.",
"metadata": {
"category": "security",
"topic": "authentication",
"type": "best_practice",
"source": "security_guides"
}
},
{
"text": "Data protection essentials: encrypt data at rest (AES-256), encrypt in transit (TLS 1.3), implement database encryption, use secrets manager (AWS Secrets Manager, Vault) for API keys, enable automated encrypted backups, implement field-level encryption for sensitive PII. Key rotation every 90 days. Use HSM for critical keys. Never commit secrets to git repositories.",
"metadata": {
"category": "security",
"topic": "data_protection",
"type": "best_practice",
"source": "security_guides"
}
},
{
"text": "Web Application Firewall (WAF) protects against common attacks: SQL injection, XSS, CSRF, DDoS. Options include AWS WAF, Cloudflare WAF, or Akamai. Configure rules for: OWASP Top 10 protection, rate limiting, geo-blocking, bot detection. Essential for public-facing applications. Costs: $5-50/month for basic protection. Reduces attack surface by 90%+. Monitor logs for attack patterns.",
"metadata": {
"category": "security",
"technology": "waf",
"type": "security_tool",
"source": "security_tools"
}
},
{
"text": "Application security: input validation and sanitization, parameterized queries (prevent SQL injection), output encoding (prevent XSS), CSRF tokens, secure HTTP headers (CSP, HSTS, X-Frame-Options), dependency scanning (Snyk, Dependabot), regular security updates. Implement security headers: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options: nosniff.",
"metadata": {
"category": "security",
"topic": "application_security",
"type": "best_practice",
"source": "security_guides"
}
},
{
"text": "Monolithic architectures centralize security concerns but present a single point of failure. Key threats: lateral movement after breach, single security boundary, deployment risk. Mitigations: defense in depth, network segmentation, strict access controls, comprehensive monitoring. Easier to secure than microservices due to a simpler attack surface.",
"metadata": {
"category": "security",
"architecture": "monolith",
"type": "threat_model",
"source": "security_guides"
}
},
{
"text": "Microservices increase the attack surface with multiple entry points. Key threats: service-to-service authentication complexity, API gateway as a single point of failure, inter-service communication vulnerabilities, difficulty tracing security events across distributed services. Mitigations: service mesh (Istio), mTLS for inter-service communication, API gateway security, centralized logging (ELK). Requires mature security practices.",
"metadata": {
"category": "security",
"architecture": "microservices",
"type": "threat_model",
"source": "security_guides"
}
},
{
"text": "For critical data sensitivity (healthcare, financial), implement: field-level encryption, HSM for key management, comprehensive audit logging, data masking for non-production environments, regular penetration testing, SOC 2 Type II certification. Use dedicated security team. Budget 15-20% of infrastructure costs for security. Compliance audits annually.",
"metadata": {
"category": "security",
"data_sensitivity": "critical",
"type": "security_strategy",
"source": "security_guides"
}
},
{
"text": "Security monitoring essentials: centralized logging (CloudWatch, Datadog, Splunk), SIEM for threat detection, failed authentication monitoring, anomaly detection, real-time alerting for security events. Set up alerts for: multiple failed logins, unusual access patterns, privilege escalation attempts, data exfiltration. Response time SLA: critical alerts within 15 minutes.",
"metadata": {
"category": "security",
"topic": "monitoring",
"type": "best_practice",
"source": "security_guides"
}
}
]