There are many great lists of security principles out there, including those from NIST, IEEE, and perhaps the originals from Saltzer and Schroeder.
I was helping some new security professionals recently and was looking for the best of these lists to provide, and I found them lacking. The Saltzer and Schroeder list is excellent, but it’s a bit abstract and quite dated. And the NIST and IEEE lists have their own issues.
Eric Cole was invaluable for me in conveying these types of concepts when studying for GSEC early in my career.
So I quickly made a list of my own that incorporates the best ideas from all of them and then added several others that I’ve heard from various sources over my 20 years in the industry.
Security means “without worry”
Our goal is functional resilience
Pursue acceptable risk, not the elimination of risk
Make security either invisible or usable
Maintain an evergreen inventory of what you’re protecting
Minimize attack surface
Reduce components and complexity as much as possible
Assume compromise and focus on detection, response, and recovery
Parsers are evil, and more so if they’re listening on a network
Design for zero trust in all environments
Don’t trust unfiltered input
Implement defense in depth
Don’t write your own cryptographic algorithms
Protect access and secrets with least privilege
Filter at each layer
Use secure defaults
Secure sensitive data at rest and in transit
Monitor and enforce secure configuration
Do not rely obscurity/OPSEC as the single layer
Ensure attribution / non-repudiation
Protect the integrity of transaction evidence
This is a rough pass, and I’m not sure what (if any) form it’ll eventually take, but if you have any ideas on how to improve it, let me know!