Practical Security Principles

There are many great lists of security principles out there, including those from NIST, IEEE, and perhaps the originals from Saltzer and Schroeder.

I was helping some new security professionals recently and was looking for the best of these lists to provide, and I found them lacking. The Saltzer and Schroeder list is excellent, but it’s a bit abstract and quite dated. And the NIST and IEEE lists have their own issues.

Eric Cole was invaluable for me in conveying these types of concepts when studying for GSEC early in my career.

So I quickly made a list of my own that incorporates the best ideas from all of them and then added several others that I’ve heard from various sources over my 20 years in the industry.

1. Security means “without worry”

2. Our goal is functional resilience

3. Pursue acceptable risk, not the elimination of risk

4. Make security either invisible or usable

5. Maintain an evergreen inventory of what you’re protecting

6. Minimize attack surface

7. Reduce components and complexity as much as possible

8. Assume compromise and focus on detection, response, and recovery

9. Parsers are evil, and more so if they’re listening on a network

10. Design for zero trust in all environments

11. Don’t trust unfiltered input

12. Implement defense in depth

13. Don’t write your own cryptographic algorithms

14. Protect access and secrets with least privilege

15. Filter at each layer

16. Use secure defaults

17. Secure sensitive data at rest and in transit

18. Monitor and enforce secure configuration

19. Fail securely

20. Do not rely obscurity/OPSEC as the single layer

21. Ensure attribution / non-repudiation

22. Protect the integrity of transaction evidence

This is a rough pass, and I’m not sure what (if any) form it’ll eventually take, but if you have any ideas on how to improve it, let me know!

Related posts:

1. An Information Security Glossary of Terms

2. Cybersecurity

3. Information Security