Secure Design Principles

Sitting here on a cold, snowy day thinking about secure design principles. These are key to think about during the design phase of a feature/project?

Total Mediation – every access to every resource must be validated every time

Economy of Mechanism – keep it as simple as possible

Fail-Safe – in case of failure, default to a secure state

Defense in Depth – layer security

Open Design – the security of a system should not be dependent on secrecy of its design or implementation

Psychological Acceptability – security mechanisms must not make resources more difficult to access then if they weren’t there

Least Privilege – limit access to a system/feature to only those that *need* to access it for the shortest duration possible

Minimize attack surface – reduce risk by reducing the attack surface area

Secure Defaults – default to a secure state

Any others you can think of?

Carl Sampson avatar
I am an application security guy living in Indiana. I also started and lead the OWASP Indianapolis Chapter.
comments powered by Disqus