Open Web Applications Security Project (OWASP) Security Principles

Don't Trust Services

An orgnization shouldn't explicitly trust that their partners' systems are secure.

Minimize Attack Surface Area

Attack surface refers to all the potential vulnerabilities a threat actor could exploit.

Keep Security Simple

Avoid unnecessarily complicated solutions. Complexity makes security difficult.

Separation of Duties

Critical actions should rely on multiple people, each of whom follow the principle of least privilege.

Defense in Depth

Organization should have varying security controls that mitigate risks and threats.

Avoid Security by Obsurity

The security of key systems should not rely on keeping details hidden https://owasp.org/www-project-mobile-top-10/2016-risks/ The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.

Establish Secure Defaults

This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure

Principle of Least Privilege

Users have the least amount of access required to perform their everyday tasks.

Fail Securely

When a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and vlock all new ones, rather than start accepting everything.

Fix Security Issues Correctly

When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.