Security Design 101 Rules

David Biggins David_Biggins at usermgmt.com
Fri Jun 26 17:51:17 BST 2009


> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk
> [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother
> Sent: 22 June 2009 19:40
> To: UK Cryptography Policy Discussion Group
> Subject: Security Design 101 Rules
> 
> I haven't finished writing/compiling the security design 101 rules yet,
> but so far:
> 

Some thoughts:

Understand the value of what you are protecting, be it data, bandwidth,
accessibility, continuity of service or even your reputation.

No target is too worthless for someone to bother attacking; they may not
know its value until after they've penetrated it, or they may identify
a value you have not expected.
 
Not really "design" rules - but related:

Expect that at some point the enemies will win a battle - plan for how
the various partial failures can be managed.

When everything is going smoothly, no sign of attacks, no problems, no
issues... it's time to go and inspect the logs to find out what your
automated tools are missing.

Dave.