Difference between revisions of "Laws of Security"
From MgmtWiki
(→Full Title and Meme) |
(→References) |
||
| (13 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
Ten Immutable Laws Of Security | Ten Immutable Laws Of Security | ||
| − | + | ==Source== | |
| + | The first known publication of the laws is in the book "Writing Security Code" Michael Howard and Dave LeBlanc <ref>Michael Howard and Dave LeBlanc, ''Writing Secure Code, Second Edition (Developer Best Practices) 2nd Edition'' (2003) Microsoft ISBN ISBN 978-0735617223</ref> in 2001. | ||
| − | # | + | [https://technet.microsoft.com/en-us/library/hh278941.aspx Ten Immutable Laws Of Security (Version 2.0)] is a recent version, now rebranded as "Microsoft laws" with no reference to Michael Howard at all. Their are other references to different Microsoft personnel as authors to various versions. The following list is from the anonymous Microsoft version 2.0. |
| − | # | + | |
| − | # | + | # If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore. |
| − | # | + | # If a bad guy can alter the operating system on your computer, it's not your computer anymore. |
| − | # | + | # If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. |
| − | # | + | # If you allow a bad guy to run active content in your website, it's not your website any more. |
| − | # | + | # Weak passwords trump strong security. |
| − | # | + | # A computer is only as secure as the administrator is trustworthy. |
| − | # | + | # Encrypted data is only as secure as its decryption key. |
| − | # | + | # An out-of-date antimalware scanner is only marginally better than no scanner at all. |
| + | # Absolute anonymity isn't practically achievable, online or offline. | ||
| + | # Technology is not a panacea. | ||
| + | |||
| + | ==References== | ||
| + | |||
| + | [[Category:Glossary]] | ||
| + | [[Category:Security]] | ||
Latest revision as of 12:32, 24 March 2019
Full Title and Meme
Ten Immutable Laws Of Security
Source
The first known publication of the laws is in the book "Writing Security Code" Michael Howard and Dave LeBlanc [1] in 2001.
Ten Immutable Laws Of Security (Version 2.0) is a recent version, now rebranded as "Microsoft laws" with no reference to Michael Howard at all. Their are other references to different Microsoft personnel as authors to various versions. The following list is from the anonymous Microsoft version 2.0.
- If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
- If a bad guy can alter the operating system on your computer, it's not your computer anymore.
- If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- If you allow a bad guy to run active content in your website, it's not your website any more.
- Weak passwords trump strong security.
- A computer is only as secure as the administrator is trustworthy.
- Encrypted data is only as secure as its decryption key.
- An out-of-date antimalware scanner is only marginally better than no scanner at all.
- Absolute anonymity isn't practically achievable, online or offline.
- Technology is not a panacea.
References
- ↑ Michael Howard and Dave LeBlanc, Writing Secure Code, Second Edition (Developer Best Practices) 2nd Edition (2003) Microsoft ISBN ISBN 978-0735617223
