Principles - silverlain/IT-6-Security GitHub Wiki
[August 2016] Principle of Least Privilege
Only the minimum necessary rights should be assigned to a subject that requests access to a resource, and these rights should be in effect for the shortest duration necessary. If a subject does not need an access right, the subject should not have that right. This is analogous to the "need-to-know" rule: if a subject does not need access to an object to perform its task, it should not have the right to access that object. If a subject needs to append to an object but not alter existing information contained in the object, it should be given append rights and not write rights.
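The append-versus-write distinction and the "shortest duration necessary" rule, worked through as an added example (this code is not from the wiki; the store, subject names and clock values are hypothetical). A log shipper is granted only append on the audit log, and only for a bounded time; an auditor is granted only read. Every access is checked against the live grants with deny as the default.

```python
# Added example (not part of the wiki page): a small capability store that issues
# a subject only the right it needs ("append", not "write") and only for a
# bounded time. All names and clock values are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


class AccessDenied(PermissionError):
    """Raised when the subject holds no unexpired grant for the requested right."""


@dataclass(frozen=True)
class Grant:
    subject: str
    obj: str
    rights: FrozenSet[str]  # only the rights the task needs, nothing more
    expires_at: float       # the grant lapses once the clock passes this value


class ObjectStore:
    """Objects are lists of records; every access is checked against live grants."""

    def __init__(self) -> None:
        self._objects: Dict[str, List[str]] = {}
        self._grants: List[Grant] = []

    def create(self, obj: str, records: Iterable[str]) -> None:
        self._objects[obj] = list(records)

    def grant(self, subject: str, obj: str, rights: Iterable[str], ttl: float, now: float) -> None:
        # Rights are always issued with an expiry so they last only as long as needed.
        self._grants.append(Grant(subject, obj, frozenset(rights), now + ttl))

    def _require(self, subject: str, obj: str, right: str, now: float) -> None:
        # Default deny: only an unexpired grant that names exactly this right passes.
        for g in self._grants:
            if (g.subject == subject and g.obj == obj
                    and right in g.rights and now < g.expires_at):
                return
        raise AccessDenied(f"{subject} has no live '{right}' right on {obj}")

    def read(self, subject: str, obj: str, now: float) -> List[str]:
        self._require(subject, obj, "read", now)
        return list(self._objects[obj])

    def append(self, subject: str, obj: str, record: str, now: float) -> None:
        # Append can add a record but never alters existing ones.
        self._require(subject, obj, "append", now)
        self._objects[obj].append(record)

    def write(self, subject: str, obj: str, records: Iterable[str], now: float) -> None:
        # Write replaces the whole object, so an append-only subject must be refused.
        self._require(subject, obj, "write", now)
        self._objects[obj] = list(records)


def demo() -> dict:
    """Constructed scenario: a log shipper gets append-only, an auditor read-only."""
    store = ObjectStore()
    store.create("audit.log", ["boot ok"])
    store.grant("log-shipper", "audit.log", {"append"}, ttl=60, now=1000)
    store.grant("auditor", "audit.log", {"read"}, ttl=3600, now=1000)
    outcome = {}
    store.append("log-shipper", "audit.log", "login alice", now=1010)
    outcome["records"] = store.read("auditor", "audit.log", now=1010)
    try:  # the shipper tries to truncate the log: write was never granted
        store.write("log-shipper", "audit.log", [], now=1010)
        outcome["write"] = "allowed"
    except AccessDenied:
        outcome["write"] = "denied"
    try:  # the shipper's 60-unit grant has lapsed by clock 1070
        store.append("log-shipper", "audit.log", "late line", now=1070)
        outcome["expired_append"] = "allowed"
    except AccessDenied:
        outcome["expired_append"] = "denied"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The clock is passed in explicitly rather than read from the system so the expiry behaviour is reproducible; in a real service the same check would take the current time and the grants would come from the authorization store.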
[August 2016] Maintain Defense in Depth
Security defenses for an application should be layered in a series of redundant security mechanisms. As such, an attacker would have to circumvent each mechanism to gain access to a digital asset. For example, a corporate firewall should be used to prevent outside access to the internal company network. In case this firewall is breached, internal firewalls should segregate portions of the network from each other. If one of these firewalls is breached, the data on servers and communications between servers should also be encrypted so that they cannot be read unless the encryption is broken.
[August 2016] Fail Securely
In code for security mechanisms, there are three possible outcomes of an error: allow the operation, disallow the operation, or throw an exception. In general, the security mechanism should be designed so that a failure will follow the same execution path as disallowing the operation. If security controls can throw exceptions, they must be very clear about exactly what the condition means. Code that is not part of a security mechanism is still security-relevant if it affects whether the application properly invokes a security control, or affects the initialization of variables used in that security control.
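The same authorization check written both ways, as an added example (not code from the wiki; `PolicyStore`, `PolicyError` and the sample policy table are hypothetical). The fail-open version shows the variable-initialization problem the paragraph mentions: the result is seeded with the permissive value, so any error inside the control leaves the request allowed. The fail-closed version routes every error down the deny path, and the exception type states exactly which condition occurred.

```python
# Added example (not part of the wiki page): a fail-open and a fail-closed
# authorization check side by side. The policy store and its data are constructed.
import logging

log = logging.getLogger("authz")


class PolicyError(Exception):
    """The policy store could not answer: missing entry or corrupt data.

    The message names the exact condition, so a caller never has to guess
    whether the exception meant "deny" or "could not decide".
    """


class PolicyStore:
    def __init__(self, table: dict) -> None:
        # table maps user -> {action: bool}; constructed sample data is below
        self._table = table

    def decide(self, user: str, action: str) -> bool:
        try:
            return bool(self._table[user][action])
        except KeyError as exc:
            raise PolicyError(f"no policy entry for {user}/{action}") from exc


def is_allowed_fail_open(policy: PolicyStore, user: str, action: str) -> bool:
    # Deliberate defect: the result is initialised to the permissive value, so an
    # error inside the control leaves the request allowed. This is the
    # "initialization of variables used in the security control" problem.
    allowed = True
    try:
        allowed = policy.decide(user, action)
    except PolicyError as exc:
        log.warning("policy lookup failed: %s", exc)
    return allowed


def is_allowed_fail_closed(policy: PolicyStore, user: str, action: str) -> bool:
    # A failure takes the same execution path as an explicit deny.
    try:
        return policy.decide(user, action)
    except PolicyError as exc:
        log.warning("policy lookup failed, denying %s/%s: %s", user, action, exc)
        return False


# Constructed sample policy: alice may read but not delete; nobody else is listed.
SAMPLE_POLICY = PolicyStore({"alice": {"read": True, "delete": False}})

if __name__ == "__main__":
    for check in (is_allowed_fail_open, is_allowed_fail_closed):
        print(check.__name__, "unknown user ->", check(SAMPLE_POLICY, "mallory", "delete"))
```

Running it shows the difference for a user the policy has never heard of: the fail-open check answers `True`, the fail-closed check answers `False`.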
[August 2016] Utilize a Whitelist ('Positive' Security Model)
A security model that defines what is allowed and rejects everything else should be used, in contrast to a Blacklist, which defines what is disallowed while implicitly allowing everything else. The benefit of using a positive model is that new attacks not anticipated by the developer are more likely to be prevented.
[August 2016] Establish Secure Defaults
The default settings for any application should be secure, and any setting that increases risk must require the user to explicitly opt in to it (or to opt out of the secure behaviour). For example, password aging and complexity requirements should be enabled by default.
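A password policy built on that rule, as an added example (not from the wiki; the class, its field names and the sample passwords are hypothetical). Every constructor default is the secure setting, so a policy created without arguments enforces length, complexity and aging; weakening any of them has to be written out explicitly, and the validator reports which rule a password fails.

```python
# Added example (not part of the wiki page): secure defaults with explicit opt-out.
# The policy fields and thresholds are constructed for illustration.
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """Every field defaults to the secure setting; weakening one takes an explicit argument."""
    min_length: int = 12
    max_age_days: int = 90          # aging on by default; 0 is the explicit opt-out
    require_complexity: bool = True

    def problems(self, password: str, age_days: int) -> List[str]:
        """Return the policy violations for a password of the given age (empty means OK)."""
        issues = []
        if len(password) < self.min_length:
            issues.append("too short")
        if self.require_complexity:
            classes = (
                any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(c in string.punctuation for c in password),
            )
            if not all(classes):
                issues.append("lacks complexity")
        if self.max_age_days and age_days > self.max_age_days:
            issues.append("expired")
        return issues


DEFAULT_POLICY = PasswordPolicy()
# Relaxing the policy must be spelled out; it cannot happen by omission.
RELAXED_POLICY = PasswordPolicy(max_age_days=0, require_complexity=False)

if __name__ == "__main__":
    print(DEFAULT_POLICY.problems("short", 0))
    print(RELAXED_POLICY.problems("correcthorsebattery", 400))
```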
[August 2016] Don't Trust Infrastructure
Even if using market standard web servers, application servers, or databases, don't rely solely on the security mechanisms provided by those servers. If a container is compromised, then all applications deployed on the container are affected. Every application should authenticate and authorize every action from surrounding systems.
[August 2016] Don't Trust Services
All services from third parties, even those from large and reputable companies, could be compromised. As such, implicit trust of any external system is not warranted.
[August 2016] Don't Trust Input
All input from all users could be compromised or result in adverse consequences either unintentionally or maliciously. User input should never be trusted.
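An added example that serves both the positive-model section above and this one (not code from the wiki; the "report name" parameter, the regular expression and the sample inputs are all constructed). The blocklist rejects the traversal pattern the developer anticipated but accepts a percent-encoded variant, an embedded NUL and an unexpected space, because none of those were on the list. The allowlist describes the only shape a report name is ever supposed to have and rejects all of them without having to know about any of them.

```python
# Added example (not part of the wiki page): validating one untrusted parameter
# with a blocklist and with an allowlist. Names and sample inputs are constructed.
import re
from typing import Dict, Iterable, Tuple

# Negative model: patterns the developer thought of; everything else passes.
BLOCKED_FRAGMENTS = ("../", "..\\", ";", "|")


def is_safe_blocklist(name: str) -> bool:
    return not any(frag in name for frag in BLOCKED_FRAGMENTS)


# Positive model: the exact shape a report name is supposed to have, nothing else.
ALLOWED_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


def is_safe_allowlist(name: str) -> bool:
    return ALLOWED_NAME.fullmatch(name) is not None


def evaluate(samples: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {input: (blocklist_verdict, allowlist_verdict)} for comparison."""
    return {s: (is_safe_blocklist(s), is_safe_allowlist(s)) for s in samples}


# Constructed inputs. Only the first one is a legitimate report name.
SAMPLE_INPUTS = [
    "q3_summary",               # legitimate
    "../config.yml",            # anticipated by the blocklist: both reject
    "..%2f..%2fconfig.yml",     # percent-encoded: the blocklist sees no "../"
    "summary\x00.pdf",          # embedded NUL was never on the blocklist
    "q3 summary",               # harmless-looking, but not the expected shape
]

if __name__ == "__main__":
    for name, (block_ok, allow_ok) in evaluate(SAMPLE_INPUTS).items():
        print(f"{name!r:28} blocklist={block_ok!s:5} allowlist={allow_ok}")
```

The blocklist check passes the encoded input because it runs before any decoding the rest of the pipeline might do; an allowlist has no such ordering dependency, since it never has to enumerate the encodings an attacker could choose.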
[August 2016] Keep Security Simple
Overly complex approaches to security or attempts to provide security through obfuscation increase code complexity and tend to increase the attack surface area of an application. For example, it is more secure and faster to simply use global variables with an appropriate mutex mechanism to protect against race conditions rather than having a slew of singleton beans running on a separate middleware server.
[August 2016] Detect Intrusions
Logging security-relevant events, having procedures to monitor the logs regularly, and properly responding to an intrusion once detected are critical components of an effective intrusion detection strategy. Not detecting intrusions allows the attacker unlimited time to perfect an attack.
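One concrete piece of such a strategy, as an added example (not from the wiki): a detector that reads authentication log lines and raises an alert when a single source address accumulates too many failed logins inside a sliding time window. The log format, the addresses and the log lines are all constructed for this illustration; a real deployment would parse its own server's format and feed the alerts into whatever responds to them.

```python
# Added example (not part of the wiki page): sliding-window brute-force detection
# over constructed auth log lines. The log format below is hypothetical.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Hypothetical format: "<ISO timestamp> auth: <OK|FAIL> user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_seconds: int = 60) -> List[Tuple[str, str, str]]:
    """Return (src, first_fail, last_fail) for each source with `threshold` or more
    failed logins inside a sliding window of `window_seconds`; one alert per source."""
    recent = defaultdict(deque)   # src -> timestamps of its recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window; q always keeps the current one.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], q[0].isoformat(), ev["ts"].isoformat()))
    return alerts


# Constructed sample log. 203.0.113.7 fails five times in eight seconds;
# 198.51.100.2 has four recent failures plus one too old to count toward the window.
SAMPLE_LOG = [
    "2016-08-01T09:58:00 auth: FAIL user=root src=198.51.100.2",
    "2016-08-01T10:00:00 auth: OK user=alice src=10.0.0.5",
    "2016-08-01T10:00:05 auth: FAIL user=admin src=203.0.113.7",
    "2016-08-01T10:00:07 auth: FAIL user=admin src=203.0.113.7",
    "2016-08-01T10:00:09 auth: FAIL user=admin src=203.0.113.7",
    "2016-08-01T10:00:11 auth: FAIL user=admin src=203.0.113.7",
    "2016-08-01T10:00:13 auth: FAIL user=admin src=203.0.113.7",
    "2016-08-01T10:00:20 auth: FAIL user=alice src=10.0.0.5",
    "2016-08-01T10:00:30 auth: FAIL user=root src=198.51.100.2",
    "2016-08-01T10:00:31 auth: FAIL user=root src=198.51.100.2",
    "2016-08-01T10:00:32 auth: FAIL user=root src=198.51.100.2",
    "2016-08-01T10:00:33 auth: FAIL user=root src=198.51.100.2",
]

if __name__ == "__main__":
    for src, first, last in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute force from {src} between {first} and {last}")
```

The window matters as much as the threshold: without it, a source that fails once a day would eventually trip the count, and with too short a window a slow attacker stays under it. The detector is only useful if its alerts feed a monitoring procedure that someone actually acts on, which is the rest of the paragraph's point.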