Establish secure defaults

Jump to: navigation, search

This is a principle or a set of principles. To view all principles, please see the Principle Category page.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

Last revision (mm/dd/yy): 12/19/2014


There are many ways to deliver an “out of the box” experience for users. However, by default, the experience should be secure, and it should be up to the user to reduce their security – if they are allowed. It is imperative for the software environment to have default secure settings which may be opted out of by the user or other options which may be opted into (commonly known as Opt-in and Opt-out).

For example, by default, password aging and complexity should be enabled. Users might be allowed to turn these two features off(Opt-out) to simplify their use of the application and increase their risk.

It is important to understand that by no means does “Secure Defaults” mean turning off all possible network applications or sockets and services. And neither do Secure Defaults mean a 100% secure environment. But, they should ensure the least number of possible loopholes and fewer drawbacks.

Operating Systems

Although OpenBSD claims to be the only fully secure by default operating system, it isn't necessarily the most secure operating system because the definition of an operating system is varied. An operating system which cant interact with other systems may not be connected across a network thereby being more secure than one which is prone to network vulnerabilities. Windows provides User Account Controls whereas Ubuntu which is a Linux OS hides the administrative account by default and gives administrative privileges to the first user for tasks like managing the disk drives. MAC OS X doesn’t hide this account but gives limited privileges.


Short example name

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links

Related Vulnerabilities

Related Controls