Laws of Security

SECURITY PRINCIPLES

1. UNDERSTAND THE ENVIRONMENT

Know what you need to protect. Reduce a problem to its lowest abstraction, and understand the risk and threat landscapes. Have one single source of truth.

2. PEOPLE, PROCESS, AND TECHNOLOGY

Security begins with people. Technology and process complement the people, not replace them. Educate people, create processes, then implement technology. Pick the right people. Quality is better than quantity.

3. DEFENSE IN DEPTH

Security is built around layers, with each successive layer being more difficult to penetrate. Make the invisible visible, and always try your best to engage a threat at the outermost layer.

4. DON’T TRUST, ALWAYS VERIFY

Never trust input. Make sure you authenticate the source. Be wary of unknown output as well.

5. PREPARE FOR THE CRISIS YOU HAVE, NOT THE ONE YOU WANT

Consider what you need for the circumstances you are most likely to face, not the ones that are the easiest or most exciting to plan for. Plan ahead, and red team it. Remember: it’s too late to start planning once the crisis occurs.

6. KEEP IT SIMPLE

Have clear priorities and communicate them in a simple way. Strive for procedures and automation that are easy to follow and repeatable. Security supports a larger objective; don’t develop in a vacuum.

7. ASK: WHAT CAN GO WRONG?

Search for the things that can go wrong, even if they appear impossible. Understand the issues and proactively address them.

Original source of the principles.