8.1 General Design Principles
ID | Requirement |
---|---|
1 | Minimize Attack Surface: Interfaces, functionality, parameters, services, and protocols |
2 | Don’t Trust User Input: Data that has been received from an untrusted source (e.g. a web |
3 | Defense-in-Depth: Security SHOULD be implemented based on multiple layers to |
4 | Keep Security Settings Adaptable: Security parameterization SHOULD be declared where |
5 | Externalize Security Functions: Security functions SHOULD be externalized (e.g. using an |
6 | Keep Security Consistent: Identical security controls (e.g. one within the web frontend and another within an AJAX interface) SHOULD be implemented with the same security |
7 | Use Mature Security Controls: Security relevant program code SHOULD only be |
8 | Keep Security Testable: Before a new technology (protocol, framework, API, etc.) is being |
9 | Use Secure Defaults: Use secure / safe defaults (e.g. in frameworks) to prevent unintentional security problems. |