The Principles Of Security 2.0

Feb 2024

I wrote the original security principles back in 2017. They have served me well. However, technology has changed, and adversaries have as well. With almost a decade of lessons learned, I felt a new version was needed.

I give you now Version 2.0 of the Security Principles. A more modern, practical, and approachable collection of ways to think about security. Nothing really new, but a collection of common sense dictums.

Remember: it all starts by thinking like a bad guy. If you can't be malicious and always think of ways of exploiting vulnerabilities and how things can break, then you are already failing. You have to be paranoid and borderline psychopathic about security. Again, apply common sense - yes, here's that again...

Still a work in progress...

1. GOOD SECURITY IS RECOGNITION OF RISK

Security begins by assessing and communicating risks. Focus on identifying vulnerabilities and developing a mitigation plan.

2. GOOD SECURITY IS SIMPLE

Prioritize simplicity by establishing repeatable processes and basic automation, so that security becomes an effortless consideration. Simplifying security enables more effective ways to apply the fundamentals.

3. GOOD SECURITY HAS COMMON SENSE

Common sense will point to the right solutions, helping you find the patterns and indicators that show current models don’t work. Adapt and keep processes light, changing them when needed, but remember: there are proven ways of doing things, so don’t reinvent the wheel.

4. GOOD SECURITY NEEDS TO FAIL VERY LOUDLY

Always fail closed and loud. When controls don’t work or something deviates from the baseline, alerts should be everywhere, even if they are false positives.

5. GOOD SECURITY TEACHES TO STOP RELYING ON THIRD PARTY EVERYTHING

Modern technology pulls in an impossibly big number of dependencies. These in turn have more dependencies, making it virtually impossible to secure modern technology. Shrink the tech. Focus on simpler, proven, and tested solutions. Avoid the trap of the SBOMs.

6. GOOD SECURITY WORKS TO MINIMIZE ATTACK SURFACE

Create secure-by-default standards, helping prevent exploitable vulnerabilities, insecure products, and open networks from proliferating. Automate hardening, and simplify application security.

7. GOOD SECURITY TRUSTS NO ONE AND ALWAYS VERIFIES

Never trust input, connections, or identity. Make sure you authenticate everything across each layer. Be wary of unknown output as well.

8. GOOD SECURITY IS BUILT AROUND LAYERS

Make the invisible visible, creating supporting preventive, detective, and reactive controls, always engaging a threat at the outermost layer.

9. GOOD SECURITY ALWAYS ASSUMES COMPROMISE

You are always being attacked. Understand the ways in. What do you need to protect now? What are the immediate risks? Red team it.

10. GOOD SECURITY HELPS SHRINK THE OODA LOOP

The shorter you make your OODA loop, the faster you can observe your environment, orient security, decide what to change or do, and act on it. The more you do this, the better you can bring the fight to the bad guys by making it less enticing to attack you.



Note: This is part of The Laws Of Security website.