There are many great lists of security principles out there, including those from NIST, IEEE, and perhaps the originals from Saltzer and Schroeder.
I was helping some new security professionals recently and was looking for the best of these lists to provide, and I found them lacking. The Saltzer and Schroeder list is excellent, but it’s a bit abstract and quite dated. And the NIST and IEEE lists have their own issues.
Eric Cole was invaluable for me in conveying these types of concepts when studying for GSEC early in my career.
So I quickly made a list of my own that incorporates the best ideas from all of them and then added several others that I’ve heard from various sources over my 20 years in the industry.
- Security means “without worry”
- Our goal is functional resilience
- Pursue acceptable risk, not the elimination of risk
- Make security either invisible or usable
- Maintain an evergreen inventory of what you’re protecting
- Minimize attack surface
- Reduce components and complexity as much as possible
- Assume compromise and focus on detection, response, and recovery
- Parsers are evil, and more so if they’re listening on a network
- Design for zero trust in all environments
- Don’t trust unfiltered input
- Implement defense in depth
- Don’t write your own cryptographic algorithms
- Protect access and secrets with least privilege
- Filter at each layer
- Use secure defaults
- Secure sensitive data at rest and in transit
- Monitor and enforce secure configuration
- Fail securely
- Do not rely on obscurity/OPSEC as the single layer
- Ensure attribution / non-repudiation
- Protect the integrity of transaction evidence
This is a rough pass, and I’m not sure what (if any) form it’ll eventually take, but if you have any ideas on how to improve it, let me know!