Difference between revisions of "Category:Principle"

From OWASP
Jump to: navigation, search
(References)
m (References)
Line 27: Line 27:
 
==References==
 
==References==
 
* [http://web.mit.edu/Saltzer/www/publications/protection/Basic.html Saltzer and Schroeder] (see section 3)
 
* [http://web.mit.edu/Saltzer/www/publications/protection/Basic.html Saltzer and Schroeder] (see section 3)
* [http://www.emergentchaos.com/archives/cat_star_wars_-_security_principles.html Saltzer and Schroeder Applied to ''Star Wars'']
 
 
* [http://www.ranum.com/security/computer_security/editorials/dumb/index.html The Six Dumbest Ideas in Computer Security]
 
* [http://www.ranum.com/security/computer_security/editorials/dumb/index.html The Six Dumbest Ideas in Computer Security]
 
* [http://news.com.com/2008-1082-276319.html Gary McGraw's 10 steps to secure software]
 
* [http://news.com.com/2008-1082-276319.html Gary McGraw's 10 steps to secure software]

Revision as of 19:50, 25 March 2011

This category is for tagging articles related to application security principles.

Contents

What is an application security principle?

Application security principles are collections of desirable application properties, behaviors, designs and implementation practices that attempt to reduce the likelihood of threat realization and impact should that threat be realized. Security principles are language-independent, architecturally-neutral primitives that can be leveraged within most software development methodologies to design and construct applications.

Principles are important because they help us make security decisions in new situations with the same basic ideas. By considering each of these principles, we can derive security requirements, make architecture and implementation decisions, and identify possible weaknesses in systems.

The important thing to remember is that in order to be useful, principles must be evaluated, interpreted and applied to address a specific problem. Although principles can serve as general guidelines, simply telling a software developer that their software must "fail securely" or that they should do "defense in depth" won't mean that much.

Some proven application security principles

Applying security principles

Consider the exercise of designing a simple web application that allows one to send email to a friend. By evaluating and interpreting each principle, we can arrive at many of the threats to this application and ultimately derive a set of protection requirements. We want to end up with a complete list of what is required to offer this service securely.


References

How to add a new Principle article

You can follow the instructions to make a new Principle article. Please use the appropriate structure and follow the Tutorial. Be sure to paste the following at the end of your article to make it show up in the Principle category:

[[Category:Principle]]