11 tweets, 2 min read
As part of #CyberSecurityAwarenessMonth, what are Security Design Principles that you know of? In a couple of hours I will proceed to describe the most important ones in a tweet each. Would love to see what you know about them!
1. Minimize Attack Surface:
Your surface should be closed by design. Open ports based on need, not because it's nicer to have multiple ports open. This is production, not testing.
Remove assets that are no longer in use. Keep a checklist (QA sign-off for validation).
2. Least Privilege:
If A shouldn't do X, they are not *granted* X. Starting with an empty slate and adding grants is better than the opposite, yet harder. Make sure that the user has what they need to do their job, and no more.
If an app needs 60% CPU to be safe, then that is what it is given. Same for users.
3. Secure Defaults:
The kick-off of the user experience should be secure. If they wish to opt out, and that is a business requirement, then let them have it.
Enforce MFA internally, disable where not so critical based on business needs.
Secure start, always. Helps Point #1
4. Defense in Depth:
Protect your services and their users on every possible layer you can, taking into consideration Point #1. Have CSPs for users, WAFs for servers, firewalls for networks, secure coding for internal services. Make the hacker pay big for the attack.
5. Fail Securely:
Don't "fail safe" and have your system compromised. Fail securely, and break the application before it allows the compromise. Fail closed, always, not fail open. Block when a failure happens, don't open up (block the process, don't continue with a failure message).
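Points #2 and #5 together describe a deny-by-default authorization check that also denies when the check itself breaks. The following is an added illustration, not code from the thread; the role names, the `POLICY` allow-list, the `PolicyUnavailable` error and the sample requests are all constructed for the example.

```python
"""Deny-by-default authorization that fails closed (added example)."""
import logging

log = logging.getLogger("authz")

# Constructed allow-list: each role maps to the actions it has been granted.
# Anything absent is simply not granted (empty slate, grants added on need).
POLICY = {
    "reader": {"document:read"},
    "editor": {"document:read", "document:write"},
}


class PolicyUnavailable(Exception):
    """Constructed error: the policy store could not be consulted."""


def load_policy(role, store=POLICY):
    """Return the set of actions granted to a role; unknown roles get nothing."""
    if store is None:
        raise PolicyUnavailable("policy store unreachable")
    return store.get(role, set())


def is_allowed_fail_open(role, action, store=POLICY):
    """Anti-pattern: an error in the check lets the request through."""
    try:
        return action in load_policy(role, store)
    except PolicyUnavailable:
        log.warning("policy lookup failed, continuing anyway")
        return True  # fails open: an outage becomes full access


def is_allowed(role, action, store=POLICY):
    """Fail closed: unknown role, unknown action or any error means deny."""
    try:
        return action in load_policy(role, store)
    except PolicyUnavailable:
        log.error("policy lookup failed, denying %s for %s", action, role)
        return False


if __name__ == "__main__":
    print(is_allowed("reader", "document:write"))                    # False
    print(is_allowed("guest", "document:read"))                      # False: no grant
    print(is_allowed("editor", "document:write", store=None))        # False: fail closed
    print(is_allowed_fail_open("editor", "document:write", store=None))  # True: fail open
```

The two functions differ only in the `except` branch, which is exactly where fail-open bugs live: the happy path looks identical in review, so the error path is what to test.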
6. Zero Trust:
Start by not trusting external services, close down on the network, then by logic. Use CSP and SRI for client side libraries. Limit access of APIs and validate the reach of machines and services to be as closed as possible.
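SRI is the concrete mechanism behind "don't trust client-side libraries": the page carries a hash of the script it expects, and the browser refuses to run anything that doesn't match. The following added example (not from the thread) reproduces that check in Python so the behaviour can be seen offline; the script body, its tampered variant and the hostname `cdn.example` are constructed.

```python
"""Subresource Integrity: generate and verify an integrity value (added example)."""
import base64
import hashlib
import hmac

# Constructed script body standing in for a third-party library.
SCRIPT = b"window.lib = { version: '1.0.0' };\n"
# Constructed tampered copy (what a modified CDN file might look like).
TAMPERED = SCRIPT + b"/* extra code appended after the hash was taken */\n"

# Algorithms browsers accept for SRI.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity value for a script body, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mirror the browser check: recompute the digest and compare."""
    algo, _, _expected = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False  # unknown algorithm: treat as a failed check
    return hmac.compare_digest(sri_hash(body, algo), integrity)


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a page would embed for a pinned library."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(SCRIPT)
    print(script_tag("https://cdn.example/lib.js", SCRIPT))
    print(verify_sri(SCRIPT, pinned))    # True
    print(verify_sri(TAMPERED, pinned))  # False: browser would refuse to run it
```

Pinning the hash means a library update on the CDN breaks the page rather than silently running new code; that is the intended trade, and it is why SRI pairs with versioned URLs rather than "latest".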
7. Separation of Duties:
Network segregation. Administrators are not regular users. Maker-checker processes. They who commit must be reviewed by another. Can be applied to users, logic, processes, services, and servers. Helps Points #4 and #6.
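"They who commit must be reviewed by another" is a maker-checker rule that can be enforced mechanically. The following added example (not from the thread) is a merge gate that requires approval from someone other than the author who also holds a reviewer role; the role table, the user names and the `min_approvals` parameter are constructed for the illustration.

```python
"""Maker-checker merge gate (added example)."""

# Constructed role table: who is allowed to act as a checker.
ROLES = {
    "alice": {"developer", "reviewer"},
    "bob": {"developer", "reviewer"},
    "carol": {"developer"},
}


def valid_approvers(author: str, approvals: set[str], roles=ROLES) -> set[str]:
    """Approvals that count: distinct from the author and from a reviewer."""
    return {
        user for user in approvals
        if user != author and "reviewer" in roles.get(user, set())
    }


def can_merge(author: str, approvals: set[str], min_approvals: int = 1,
              roles=ROLES) -> bool:
    """The maker may not be the checker, and the checker must be a reviewer."""
    return len(valid_approvers(author, approvals, roles)) >= min_approvals


def explain(author: str, approvals: set[str], roles=ROLES) -> str:
    """Human-readable reason for a gate decision, useful in CI output."""
    counted = valid_approvers(author, approvals, roles)
    ignored = approvals - counted
    verdict = "MERGE" if counted else "BLOCK"
    return f"{verdict}: counted={sorted(counted)} ignored={sorted(ignored)}"


if __name__ == "__main__":
    print(explain("alice", {"alice"}))          # BLOCK: self-approval ignored
    print(explain("alice", {"carol"}))          # BLOCK: carol is not a reviewer
    print(explain("alice", {"alice", "bob"}))   # MERGE: bob counts
```

The same shape applies outside source control: a payment that one operator creates and another releases, or a firewall change that one engineer proposes and a second approves.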
8. Avoid Security by Obscurity:
Everything on the internet is public. Having a complex name for a file, or commenting out an HTML snippet, doesn't make it secure. Keys and passwords embedded in mobile apps, which can be reverse-engineered, are another example.
9. Keep Security Simple:
Security is an advanced topic, but that doesn't mean applying it has to be as hard. Set the right culture and the right mindset for it. Make developers and IT embrace it and see that, with proper guidance, it can be integrated without being a hindrance.
10. Off-the-book principle:
Don't be a blocker for people who don't know enough. Be welcoming and allow them to enter the field slowly. Don't put up gates for developers and IT, or all of the above points go down the drain. All of them 😊