Minimize Attack Surface: Interfaces, functionality, parameters, services, and protocols
that are not required MUST be disabled on external and SHOULD be disabled on
Don’t Trust User Input: Data that has been received from an untrusted source (e.g. a web
browser) MUST generally be mistrusted and therefore strongly validated.
Defense-in-Depth: Security SHOULD be implemented based on multiple layers to
compensate for ineffective security controls.
Keep Security Settings Adaptable: Security parameterization SHOULD be declared where
possible (= with configuration statements or annotations) instead of programmable (= with program code) where possible.
Externalize Security Functions: Security functions SHOULD be externalized (e.g. using an
external authentication system).
Keep Security Consistent: Identical security controls (e.g. one within the web frontend and another within an AJAX interface) SHOULD be implemented with the same security
function (= program code) and policy.
Use Mature Security Controls: Security relevant program code SHOULD only be
implemented with mature and tested technologies, algorithms and implementations (APIs,
Keep Security Testable: Before a new technology (protocol, framework, API, etc.) is being
used in production, it SHOULD be ensured that proper testing procedures and tools exist
for performing security tests on them.
Use Secure Defaults: Use secure / safe defaults (e.g. in frameworks) to prevent unintentional security problems.