What Are Application Security Principles?
Application security principles are language‑agnostic design and implementation guidelines that help reduce the likelihood and impact of threats, providing a systematic way to make secure decisions, derive requirements, and identify potential defects in software systems.
Application security principles are a set of ideal attributes, behaviors, design and implementation practices for software, aimed at reducing the likelihood of threat realization and limiting impact when threats occur. These language‑agnostic, architecture‑neutral primitives can be used in most software development methods to design and build applications.
Principles are important because they help make consistent security decisions in new situations; by considering each principle we can derive security requirements, shape architecture and implementation decisions, and identify potential defects in the system.
An important point to remember is that for a principle to be useful it must be evaluated, interpreted, and applied to solve specific problems. While principles provide general guidance, merely telling developers that their software must “fail securely” or adopt “defense in depth” does not convey much.
Some Mature Application Security Principles
Depth of application defense (complete mediation)
Use of a proactive security model (fail‑secure defaults, minimize attack surface)
Secure failure
Run with least privilege
Avoid security through obscurity (open design)
Keep security simple (verifiable; economy of mechanism)
Detect intrusion (compromise recording)
Do not trust the infrastructure
Do not trust the service
Establish secure defaults (psychological acceptability)
Application Security Principles
Consider designing a simple web application that allows users to send e‑mail to friends. By evaluating and interpreting each principle we can enumerate many threats for this app and ultimately derive a comprehensive set of protection requirements, providing a complete list of what is needed to secure the service.
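As an added illustration, not code from the original article, here is how several of the principles above translate into concrete checks for that "send e-mail to a friend" app: complete mediation (every send passes through one authorization function), least privilege (only listed friends may be addressed), secure defaults (a small daily quota), fail securely (a failed friend-directory lookup denies rather than allows), and detect intrusion (every refusal is recorded). All names such as `FriendDirectory` and `authorize_send` are hypothetical, and the directory is a constructed stand-in for a backing store that may be unavailable.

```python
from dataclasses import dataclass

class Denied(Exception):
    """Raised whenever a send is refused; callers never get a 'maybe'."""

@dataclass
class Sender:
    address: str
    daily_quota: int = 20      # secure default: a small cap, not unlimited
    sent_today: int = 0

class FriendDirectory:
    """Constructed stand-in for a friend store; 'broken' simulates an outage."""
    def __init__(self, friends, broken=False):
        self._friends, self._broken = friends, broken
    def is_friend(self, owner, other):
        if self._broken:                       # do not trust the infrastructure
            raise ConnectionError("friend directory unavailable")
        return other in self._friends.get(owner, set())

AUDIT = []   # detect intrusion: every refusal is recorded with its reason

def authorize_send(sender, recipient, directory):
    """Complete mediation: every send request is checked here, with no cache."""
    try:
        ok = directory.is_friend(sender.address, recipient)
    except Exception as exc:                   # fail securely: errors mean 'deny'
        AUDIT.append((sender.address, recipient, f"lookup failed: {exc}"))
        raise Denied("cannot verify recipient") from exc
    if not ok:                                 # least privilege: friends only
        AUDIT.append((sender.address, recipient, "not a friend"))
        raise Denied("recipient is not a friend")
    if sender.sent_today >= sender.daily_quota:
        AUDIT.append((sender.address, recipient, "quota exceeded"))
        raise Denied("daily quota reached")
    sender.sent_today += 1
    return True

def send_allowed(sender, recipient, directory):
    """Boolean wrapper around authorize_send for callers that prefer no exception."""
    try:
        return authorize_send(sender, recipient, directory)
    except Denied:
        return False

def fail_open_authorize(sender, recipient, directory):
    """Contrast only: treating a lookup error as 'allow' violates 'fail securely'."""
    try:
        return directory.is_friend(sender.address, recipient)
    except Exception:
        return True
```

Comparing `send_allowed` with `fail_open_authorize` during a directory outage shows the difference the "fail securely" principle makes in practice.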
References
Saltzer and Schroeder (see section 3)
The Six Dumbest Ideas in Computer Security
Gary McGraw's 10 steps to secure software
OWASP Development Guide Project
Engineering Principles for Information Technology Security (EP‑ITS) by Gary Stoneburner, Clark Hayden, and Alexis, NIST Special Publication 800‑27
Secure Design Principles from “Foundations of Security: What Every Programmer Needs To Know” by Neil Daswani, Christoph Kern, and Anita Kesavan (ISBN 1590597842)
High‑Assurance Design by Cliff Berg, 2005, Addison‑Wesley. Foreword by Peter G. Neumann. Design principles and patterns for secure and reliable design.
Original source: http://pub.intelligentx.net/application-security-principle-0