- Least Privilege
  - “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” — Jerome Saltzer
  - Least Privilege Benefits:
    - Code stability
    - Controlled data access
    - System security
    - Vulnerabilities are limited and localized
    - Easier to test actions and interactions
- Simple Is More Secure
  - Use clearly named functions and variables
  - Write code comments
  - Break up long sections of code into small, more manageable functions
  - Don’t repeat yourself
  - Legacy code is a security concern
  - Try to use built-in functions whenever possible
  - Disable all unused features when possible
- Never Trust Your Users
  - People are prone to mistakes
  - Don’t trust even admins
  - Identity can be stolen
  - Use caution with contractors
  - Establish a process that allows user access to be revoked instantaneously
  - Remember that hacks happen offline as well (phone, printouts…)
- Defense In Depth
  - You should have a number of layers of defense
  - Over time attacks lose momentum
  - Redundant Security
    - People (security policy, best practices implementation…)
    - Technology (IDS, SIEM, system administration, encryption, access controls…)
    - Operations (periodic security reviews, data handling procedures, threat handling…)
- Security Through Obscurity
  - More info benefits hackers
  - Limit exposed information
  - Limit feedback
  - Obscurity doesn’t mean misdirection
- Whitelisting Is Much More Secure Than Blacklisting
  - Whitelisting means restricting by default, which is a much more secure approach
- Map Exposure Points
  - Incoming Exposure Points
    - URLs
    - Forms
    - Cookies
    - Sessions
    - Database reads
    - Public APIs
  - Outgoing Exposure Points
    - HTML
    - JavaScript/JSON/XML/RSS
    - Cookies
    - Sessions
    - Database writes
    - Third-party APIs
- Map Data Passageways
  - What paths does data take?
  - Know your site topography and your environment's architectural landscape
  - Ideally you should have a graphical representation of all of your access points
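
The whitelisting principle applied to two incoming exposure points from the list above (URL parameters and form fields), as an added example that is not part of the original notes. The field names, rules and sample request are assumptions constructed for illustration.

```python
import re

# Blacklist: block values containing substrings someone thought of in advance.
BLACKLIST = ("<script", "javascript:", "--")

def blacklist_accepts(value):
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)

# Whitelist: every expected field has an explicit rule; all else is denied.
# Field names and rules are assumptions for this example.
WHITELIST = {
    "page": re.compile(r"[0-9]{1,4}"),
    "sort": re.compile(r"name|price|date"),
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
}

def whitelist_filter(params):
    """Return (accepted, rejected): only fields that match their rule pass."""
    accepted, rejected = {}, []
    for field, value in params.items():
        rule = WHITELIST.get(field)
        if rule is not None and isinstance(value, str) and rule.fullmatch(value):
            accepted[field] = value
        else:
            rejected.append(field)  # unknown field or malformed value
    return accepted, sorted(rejected)

# Constructed request parameters (URL query string / form fields).
SAMPLE_REQUEST = {
    "page": "2",
    "sort": "password_hash",   # a column the blacklist authors never listed
    "username": "alice_01",
    "is_admin": "1",           # a field the application never asked for
}

if __name__ == "__main__":
    for field, value in SAMPLE_REQUEST.items():
        print(f"blacklist accepts {field}={value!r}: {blacklist_accepts(value)}")
    accepted, rejected = whitelist_filter(SAMPLE_REQUEST)
    print("whitelist accepted:", accepted)
    print("whitelist rejected:", rejected)
```

The blacklist passes all four values because none contains a listed substring, while the whitelist drops the unexpected sort column and the unrequested field without needing to know in advance why they are dangerous.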