A security mindset is one that always takes security implications into account. It’s assuming the worst and then ratcheting back just enough to have a useful application.
- NEVER trust data. Assume it’s always bogus and maliciously crafted. “Data” is an all-encompassing word that includes anything you haven’t hard-coded. For instance, function arguments, GET/POST data, data files, deserialized objects and network packets.
- ASSUME whatever data you are storing is being hacked 24/7 and broadcast live to the entire world. Corollary: be smart about what you actually store and how you store it.
- ASSUME every user of your system is the victim of a man-in-the-middle attack. Assume any data being sent in the clear is once again being broadcast 24/7 to the entire world.
- Authentication mechanisms should ALWAYS be rate limited.
- NEVER reveal privileged information. Corollary: only reveal what you must.
- ASSUME your code and data are always known verbatim, with 100% comprehension, by every human being on this Earth. Now how strong is your security? Corollary: if you think you’re being sneaky or clever, stop doing it.
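As an added illustration (not part of the original list), here is a small Python login handler that applies three of the rules above at once: it treats every argument as untrusted, rate limits authentication per account, and gives the same answer for an unknown user and a wrong password so nothing privileged is revealed. The user table, salt, limits and `login` function are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store: username -> salted password hash.
# A real deployment would use a per-user salt and a slow KDF (argon2/scrypt).
_SALT = b"demo-salt-not-a-real-secret"  # constructed placeholder


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}
_DUMMY_HASH = _hash("dummy")  # used so unknown users cost the same work

MAX_FAILURES = 5        # failed attempts allowed per account ...
WINDOW_SECONDS = 60     # ... within this sliding window
_failures = defaultdict(deque)  # username -> timestamps of recent failures


def login(username, password, now=None) -> str:
    now = time.time() if now is None else now
    # 1. NEVER trust data: reject anything that is not a bounded string.
    if not isinstance(username, str) or not isinstance(password, str):
        return "invalid credentials"
    if not (1 <= len(username) <= 64) or len(password) > 1024:
        return "invalid credentials"
    # 2. Rate limit: drop failures outside the window, then check the count.
    #    (A real system would also key on the source address.)
    q = _failures[username]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_FAILURES:
        return "too many attempts"
    # 3. Only reveal what you must: unknown user and wrong password do the
    #    same amount of work and return the same message, so the reply
    #    neither confirms which accounts exist nor leaks it through timing.
    stored = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if not ok:
        q.append(now)
        return "invalid credentials"
    q.clear()
    return "ok"
```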