Category:Principle
Revision as of 22:13, 10 April 2006 by Jeff Williams (talk | contribs)
Links
A. http://web.mit.edu/Saltzer/www/publications/protection/Basic.html (Saltzer and Schroeder)(see Section 3)
B. http://news.com.com/2008-1082-276319.html (McGraw)
C. OWASP Guide
- Fail safely
- Run with least privilege (least privilege)
- Avoid security by obscurity (open design)
- Use a positive security model (fail safe defaults)(minimize attack surface)
- Apply defense in depth (complete mediation)
- Keep security simple (verifiable)(economy of mechanism)
- Detect intrusions (compromise recording)
- Don’t trust infrastructure
- Don’t trust services
- Establish secure defaults (psychological acceptability)(secure defaults)
Some of the security mechanisms help when you’re implementing these principles. This is just a rough pass that needs some more work. It can’t be done with just a bullet list; you really need something more like a paragraph on each of these.
- Fail safely
  - Error handling
  - Good logic
- Run with least privilege
  - Access control
- Avoid security by obscurity
  - Secure configuration files
- Use a positive security model
  - Input validation
  - Output encoding
  - Access control
- Apply defense in depth
  - Boundary validation
- Keep security simple
  - Centralized security mechanisms
- Detect intrusions (compromise recording)
  - Input validation
  - Authentication
  - Logging
  - Availability protection
- Don’t trust infrastructure
  - SSL
  - Encrypt sensitive data
  - Prevent injection
- Don’t trust services
  - SSL, Authentication, Access control, Input validation, error handling, logging, output validation
- Establish secure defaults (psychological acceptability)(secure defaults)
  - Notify users
  - Secure “out of the box”
Pages in category "Principle"
The following 24 pages are in this category, out of 24 total.
D
- Defense in depth
- Defense in depth (code modification prevention)
- Detect integrity violation incidents (code modification prevention)
- Detect intrusions
- Don't trust user input
- Don’t trust infrastructure
- Don’t trust local resources (code modification prevention)
- Don’t trust mobile OS infrastructure (code modification prevention)
- Don’t trust services