1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with. 3. Authorize after you authenticate. 4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources. 5. Define an approach that ensures all data are explicitly validated. 6. Use cryptography correctly. 7. Identify sensitive data and how it should be handled. 8. Always consider the users. 9. Understand how integrating external components changes your attack surface. 10. Be flexible when considering future changes to objects and actors. |