Category:Principle

Links

A. http://web.mit.edu/Saltzer/www/publications/protection/Basic.html (Saltzer and Schroeder)(see Section 3)

B. http://news.com.com/2008-1082-276319.html (McGraw)

C. OWASP Guide

The OWASP Guide principles, with the closest Saltzer and Schroeder principle (link A, Section 3) given in parentheses where there is one:

 * Fail safely
 * Run with least privilege (least privilege)
 * Avoid security by obscurity (open design)
 * Use a positive security model (fail-safe defaults) (minimize attack surface)
 * Apply defense in depth (complete mediation)
 * Keep security simple (verifiable) (economy of mechanism)
 * Detect intrusions (compromise recording)
 * Don’t trust infrastructure
 * Don’t trust services
 * Establish secure defaults (psychological acceptability) (secure defaults)

Some of the security mechanisms described in the Guide help when implementing these principles; the mapping below lists, under each principle, the mechanisms that support it. This is only a rough first pass and needs more work: a bullet list cannot carry the argument, and each principle really needs a paragraph explaining how its mechanisms apply.


 * Fail safely
   * Error handling
   * Good logic
 * Run with least privilege
   * Access control
 * Avoid security by obscurity
   * Secure configuration files
 * Use a positive security model
   * Input validation
   * Output encoding
   * Access control
 * Apply defense in depth
   * Boundary validation
 * Keep security simple
   * Centralized security mechanisms
 * Detect intrusions (compromise recording)
   * Input validation
   * Authentication
   * Logging
   * Availability protection
 * Don’t trust infrastructure
   * SSL
   * Encrypt sensitive data
   * Prevent injection
 * Don’t trust services
   * SSL
   * Authentication
   * Access control
   * Input validation
   * Error handling
   * Logging
   * Output validation
 * Establish secure defaults (psychological acceptability) (secure defaults)
   * Notify users
   * Secure “out of the box”
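Three of the principles above (fail safely, use a positive security model, detect intrusions) meet in one place in most applications: the authorization check. The following is an added example written for this page, not code from the OWASP Guide. It assumes a hypothetical policy store (POLICY, lookup_policy) and a constructed sample policy; the two functions is_allowed_fail_open and is_allowed_fail_closed show the same check with the error handling done wrong and done right.

```python
import logging
import re

# Added example (not OWASP's code): one authorization check written twice, to
# show "fail safely" and "use a positive security model" side by side, with
# every denial recorded so that a probe leaves a trace (compromise recording).
# POLICY, lookup_policy, is_allowed_* and the sample grants are hypothetical.

log = logging.getLogger("authz")

# Positive security model: enumerate what is acceptable; reject everything else
# instead of trying to enumerate bad input.
ALLOWED_ACTIONS = frozenset({"read", "write"})
USER_RE = re.compile(r"[a-z][a-z0-9]{0,31}")
ACCOUNT_RE = re.compile(r"[a-z0-9]{4,16}")

# Constructed sample policy store: account id -> set of (user, action) grants.
POLICY = {
    "acct1234": {("alice", "read"), ("alice", "write"), ("bob", "read")},
}

# Stand-in for an audit sink; a real system would ship these events to a log
# pipeline or SIEM rather than keep them in memory.
AUDIT = []


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be reached."""


def record(event, **fields):
    """Append a structured audit event and mirror it to the application log."""
    entry = {"event": event, **fields}
    AUDIT.append(entry)
    log.warning("%s %s", event, fields)


def lookup_policy(account_id, backend):
    """Hypothetical policy lookup; backend=None simulates a store outage."""
    if backend is None:
        raise PolicyUnavailable("policy store unreachable")
    return backend.get(account_id, set())


def validate_request(user, action, account_id):
    """Allowlist validation: only well-formed values of the expected shape pass."""
    return (
        isinstance(user, str) and USER_RE.fullmatch(user) is not None
        and isinstance(action, str) and action in ALLOWED_ACTIONS
        and isinstance(account_id, str) and ACCOUNT_RE.fullmatch(account_id) is not None
    )


def is_allowed_fail_open(user, action, account_id, backend=POLICY):
    """Anti-pattern: an error inside the check is treated as permission."""
    try:
        return (user, action) in lookup_policy(account_id, backend)
    except PolicyUnavailable:
        return True  # fails open: a backend outage grants access to everyone


def is_allowed_fail_closed(user, action, account_id, backend=POLICY):
    """Fail safely: malformed input, lookup errors and missing grants all deny,
    and each denial is recorded so repeated probing is visible."""
    if not validate_request(user, action, account_id):
        record("rejected_malformed", user=repr(user), action=repr(action),
               account=repr(account_id))
        return False
    try:
        granted = (user, action) in lookup_policy(account_id, backend)
    except PolicyUnavailable as exc:
        record("policy_unavailable", user=user, account=account_id, error=str(exc))
        return False  # fails closed: deny until the policy can be consulted
    if not granted:
        record("denied", user=user, action=action, account=account_id)
    return granted


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(is_allowed_fail_closed("alice", "write", "acct1234"))              # True
    print(is_allowed_fail_closed("bob", "write", "acct1234"))                # False: no grant
    print(is_allowed_fail_closed("alice", "delete", "acct1234"))             # False: not an allowed action
    print(is_allowed_fail_open("alice", "read", "acct1234", backend=None))   # True: fails open
    print(is_allowed_fail_closed("alice", "read", "acct1234", backend=None)) # False: fails closed
```

The point of the pair is that both functions return the right answer while the policy store is healthy; they only differ in the failure case, which is exactly the case an attacker will try to provoke. Keeping the validation, the decision and the audit record in one function is also the "centralized security mechanisms" item under keep security simple.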