Security Principles:
There is various principle of computer security which helps to ensure the security. Details with principles with their concepts are given below:
1.Use least privilege:
By running processes using accounts with minimal privileges and access
rights, you significantly reduce the capabilities of an attacker if the attacker
manages to compromise security and run code.
2.Apply defence in depth:
Use multiple gatekeepers to keep attackers at bay. Defence in depth means
you do not rely on a single layer of security, or you consider that one of
your layers may be bypassed or compromised.
3.Do not trust user input:
Your application's user input is the attacker's primary weapon when
targeting your application. Assume all input is malicious until proven
otherwise, and apply a defence in depth strategy to input validation, taking
particular precautions to make sure that input is validated whenever a trust
boundary in your application is crossed.
4.Check at the gate:
Authenticate and authorize callers early at the first gate.
5.Fail securely:
If an application fails, do not leave sensitive data accessible. Return friendly
errors to end users that do not expose internal system details. Do not
include details that may help attacker exploit vulnerabilities in your
application.
6.Secure the weakest link:
Is there vulnerability at the network layer that an attacker can exploit?
What about the host? Is your application secure? Any weak link in the
chain is an opportunity for breached security.
7.Create secure defaults:
Is the default account set up with least privilege? Is the default account
disabled by default and then explicitly enabled when required? Does the
configuration use a password in plaintext? When an error occurs, does
sensitive information leak back to the client to be used potentially against
the system?
8.Reduce your attack surface:
If you do not use it, remove it or disable it. Reduce the surface area of
attack by disabling or removing unused services, protocols, and
functionality. Does your server need all those services and ports? Does
your application need all those features?
There is various principle of computer security which helps to ensure the security. Details with principles with their concepts are given below:
1.Use least privilege:
By running processes using accounts with minimal privileges and access
rights, you significantly reduce the capabilities of an attacker if the attacker
manages to compromise security and run code.
2.Apply defence in depth:
Use multiple gatekeepers to keep attackers at bay. Defence in depth means
you do not rely on a single layer of security, or you consider that one of
your layers may be bypassed or compromised.
3.Do not trust user input:
Your application's user input is the attacker's primary weapon when
targeting your application. Assume all input is malicious until proven
otherwise, and apply a defence in depth strategy to input validation, taking
particular precautions to make sure that input is validated whenever a trust
boundary in your application is crossed.
4.Check at the gate:
Authenticate and authorize callers early at the first gate.
5.Fail securely:
If an application fails, do not leave sensitive data accessible. Return friendly
errors to end users that do not expose internal system details. Do not
include details that may help attacker exploit vulnerabilities in your
application.
6.Secure the weakest link:
Is there vulnerability at the network layer that an attacker can exploit?
What about the host? Is your application secure? Any weak link in the
chain is an opportunity for breached security.
7.Create secure defaults:
Is the default account set up with least privilege? Is the default account
disabled by default and then explicitly enabled when required? Does the
configuration use a password in plaintext? When an error occurs, does
sensitive information leak back to the client to be used potentially against
the system?
8.Reduce your attack surface:
If you do not use it, remove it or disable it. Reduce the surface area of
attack by disabling or removing unused services, protocols, and
functionality. Does your server need all those services and ports? Does
your application need all those features?
0 comments:
Post a Comment