SECURITY PRINCIPLES 2.0
1. GOOD SECURITY IS RECOGNITION OF RISK
Security begins by assessing and communicating risks. Focus on identifying vulnerabilities and developing a mitigation plan.
2. GOOD SECURITY IS SIMPLE
Prioritize simplicity by establishing repeatable processes and basic automation, so that security becomes an effortless consideration. Simplifying security enables more effective ways to apply the fundamentals.
3. GOOD SECURITY HAS COMMON SENSE
Common sense points to the right solutions, helping you spot the patterns and indicators that show current models are not working. Adapt and keep processes light, changing them when needed, but remember that there are proven ways of doing things: don’t reinvent the wheel.
4. GOOD SECURITY NEEDS TO FAIL VERY LOUDLY
Always fail closed and loud. When controls don’t work or something deviates from the baseline, alerts should fire everywhere, even if some of them are false positives.
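The following is an added example, not part of the original principles, showing what "fail closed and loud" means in code. A fail-open control runner treats a crashed or inconclusive check as a pass and says nothing; the fail-closed runner denies on any result other than an explicit pass, logs every reason, and also flags any drift from a constructed TLS baseline. The baseline values, the check names and the `policy service unreachable` error are all constructed for this example.

```python
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

logger = logging.getLogger("controls")


@dataclass
class Decision:
    allowed: bool
    alerts: List[str] = field(default_factory=list)


# Constructed baseline: the only protocol versions and ciphers a service is expected to offer.
BASELINE: Dict[str, Set[str]] = {
    "tls_versions": {"TLSv1.3"},
    "ciphers": {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"},
}


def baseline_check(observed: Dict[str, Iterable[str]]) -> bool:
    """Pass only when every observed setting lies inside the baseline; any drift is a failure."""
    for key, allowed in BASELINE.items():
        if not set(observed.get(key, ())) <= allowed:
            return False
    return True


def broken_check(observed: Dict[str, Iterable[str]]) -> bool:
    """Stand-in for a control whose backend is down (constructed failure)."""
    raise RuntimeError("policy service unreachable")


def enforce_fail_open(checks: Iterable[Callable], observed: Dict) -> Decision:
    """The anti-pattern: a control that crashes is skipped, the request passes, nobody is told."""
    decision = Decision(allowed=True)
    for check in checks:
        try:
            if not check(observed):
                decision.allowed = False
        except Exception:
            continue  # silently skips the broken control: fail open, fail quiet
    return decision


def enforce_fail_closed(checks: Iterable[Callable], observed: Dict) -> Decision:
    """Anything other than an explicit pass (False, None, an exception) denies and raises an alert."""
    decision = Decision(allowed=True)
    for check in checks:
        name = getattr(check, "__name__", repr(check))
        try:
            result = check(observed)
        except Exception as exc:
            result = False
            decision.alerts.append(f"control {name} raised {type(exc).__name__}: {exc}")
        if result is not True:
            decision.allowed = False
            decision.alerts.append(f"control {name} did not pass on {observed!r}")
    for alert in decision.alerts:
        logger.error(alert)  # loud: every deviation is surfaced, even if it later proves benign
    return decision


if __name__ == "__main__":
    drifted = {"tls_versions": {"TLSv1.2", "TLSv1.3"}, "ciphers": {"TLS_AES_256_GCM_SHA384"}}
    logging.basicConfig(level=logging.ERROR)
    print(enforce_fail_open([broken_check], drifted))
    print(enforce_fail_closed([broken_check, baseline_check], drifted))
```

The fail-closed runner treats `None` and other non-`True` results as failures on purpose: a control that cannot say "pass" has not passed.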
5. GOOD SECURITY TEACHES TO STOP RELYING ON THIRD PARTY EVERYTHING
Modern technology pulls in an impossibly big number of dependencies. These in turn have more dependencies, making it virtually impossible to secure modern technology. Shrink the tech. Focus on simpler, proven, and tested solutions. Avoid the trap of the SBOMs.
6. GOOD SECURITY WORKS TO MINIMIZE ATTACK SURFACE
Create secure-by-default standards, helping prevent exploitable vulnerabilities, insecure products, and open networks from proliferating. Automate hardening, and simplify application security.
7. GOOD SECURITY TRUSTS NO ONE AND ALWAYS VERIFIES
Never trust input, connections, or identity. Make sure you authenticate everything across each layer. Be wary of unknown output as well.
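As an added example (not from the original principles), the inner service below applies this principle at its own layer: it re-verifies the caller's identity with an HMAC tag even though an upstream gateway is assumed to have done so, validates the request body against an explicit schema with bounds, and refuses to forward backend output that does not match the expected shape. The shared key, the `X-Service-Sig` header name, the request schema and the sample backend are all constructed for this example.

```python
import hashlib
import hmac
import json
import re
from typing import Callable, Dict, List

# Constructed shared secret for the example; a real service would load it from a secret store.
SERVICE_KEY = b"example-shared-key-not-for-production"
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def sign(payload: bytes, key: bytes = SERVICE_KEY) -> str:
    """HMAC-SHA256 tag a caller attaches to prove it holds the service key."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_token(payload: bytes, tag: str, key: bytes = SERVICE_KEY) -> bool:
    """Constant-time check; identity is never taken from a header the caller controls."""
    return hmac.compare_digest(sign(payload, key), tag)


def validate_request(body: bytes) -> Dict:
    """Parse untrusted input: exact key set, explicit types, explicit bounds."""
    data = json.loads(body)
    if not isinstance(data, dict) or set(data) != {"user", "limit"}:
        raise ValueError("unexpected shape")
    if not isinstance(data["user"], str) or not USERNAME_RE.match(data["user"]):
        raise ValueError("bad user")
    limit = data["limit"]
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= 100:
        raise ValueError("bad limit")
    return data


def output_is_sane(rows: object, limit: int) -> bool:
    """Be wary of unknown output: only forward rows with exactly the expected fields."""
    return (
        isinstance(rows, list)
        and len(rows) <= limit
        and all(isinstance(r, dict) and set(r) == {"id", "name"} for r in rows)
    )


def handle(headers: Dict[str, str], body: bytes, lookup: Callable[[str, int], List[Dict]]) -> Dict:
    """Inner-layer handler: verify identity, validate input, then check the backend's answer."""
    if not verify_token(body, headers.get("X-Service-Sig", "")):
        return {"status": 401}
    try:
        req = validate_request(body)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    rows = lookup(req["user"], req["limit"])
    if not output_is_sane(rows, req["limit"]):
        return {"status": 502, "error": "backend returned unexpected data"}
    return {"status": 200, "rows": rows}


def sample_backend(user: str, limit: int) -> List[Dict]:
    """Constructed backend that behaves."""
    return [{"id": 1, "name": user}][:limit]


if __name__ == "__main__":
    body = json.dumps({"user": "alice", "limit": 5}).encode()
    print(handle({"X-Service-Sig": sign(body)}, body, sample_backend))
    print(handle({}, body, sample_backend))
```

The signature covers the exact request bytes, so a tag cannot be replayed with a modified body; the output check is what keeps a compromised or buggy backend from leaking extra fields through a service that merely relays them.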
8. GOOD SECURITY IS BUILT AROUND LAYERS
Make the invisible visible by creating supporting preventive, detective, and reactive controls, always engaging a threat at the outermost layer.
9. GOOD SECURITY ALWAYS ASSUMES COMPROMISE
You are always being attacked. Understand the ways in. What do you need to protect now? What are the immediate risks? Red team it.
10. GOOD SECURITY HELPS SHRINK THE OODA LOOP
The shorter your OODA loop, the faster you can observe your environment, orient your security, decide what to change or do, and act on it. The more often you do this, the better you can bring the fight to the bad guys by making you a less enticing target.
Original source of the principles 2.0.