Open Web Applications Security Project (OWASP) Security Principles
Don't Trust Services
An organization shouldn't assume that its partners' systems are secure.
Minimize Attack Surface Area
Attack surface refers to all the potential vulnerabilities a threat actor could exploit.
Keep Security Simple
Avoid unnecessarily complicated solutions. Complexity makes security difficult.
Separation of Duties
Critical actions should rely on multiple people, each of whom follows the principle of least privilege.
Defense in Depth
An organization should have multiple, varied security controls that mitigate risks and threats, so that no single control is the only line of defense.
Avoid Security by Obscurity
The security of key systems should not rely on keeping details hidden. As OWASP puts it (https://owasp.org/www-project-mobile-top-10/2016-risks/), the security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.
Establish Secure Defaults
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.
Principle of Least Privilege
Users have the least amount of access required to perform their everyday tasks.
Fail Securely
When a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.
Fix Security Issues Correctly
When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.