Principles of Secure by Design

Each (human) user and program should operate using the fewest privileges possible. This principle limits damage from accidents, errors, or attacks. It also reduces the number of potential interactions among privileged programs, decreasing the likelihood of unintentional, unwanted, or improper uses of privilege.

Ways of implementation of Least Privilege

1. • Granular Access Control: Implement granular access control to restrict both system and data access, granting only the absolute minimum privileges necessary for a program to function correctly.

   • Privilege Dropping: Drop extra privileges early in execution to limit potential exploitation. Provide language/framework specific examples.

   • Temporary Privilege Elevation: If permanent privilege dropping is not feasible, minimize the time the privilege is active. Implement Just-in-Time (JIT) access where possible.

   • Modular Design and Privilege Separation: Break the program into distinct modules, granting special privileges only where required. Employ a mutually suspicious design where privileged components do not fully trust others.

   • Attack Surface Reduction: Minimize the attack surface by limiting accessible operations and disabling unnecessary debug features in production environments.

   • Input Validation: Enforce strict input validation to prevent attackers from injecting malicious data.

   • Sandboxing and Isolation: Restrict application capabilities by running programs in controlled, isolated environments with limited permissions (e.g., containers, virtual machines).

   • Resource Access Control: Apply least privilege to file system and other resource access, preventing unauthorized access by restricting read, write, and execute permissions.

   • Role and Attribute-Based Access Control: Implement RBAC or ABAC to manage permissions based on user roles or attributes, respectively.

   • Secrets Management: Utilize secure secrets management tools to protect sensitive credentials and grant access only when required.  

   • Logging and Auditing: Implement comprehensive logging and auditing to monitor privilege usage and detect anomalies.

   • Regular Privilege Reviews: Conduct periodic reviews of assigned privileges to identify and remove unnecessary permissions.

Complete mediation ensures that authority is not bypassed when a subject requests access to an object. Authorization (rights and privileges) must be verified on every request, preventing unauthorized escalation of access or privilege retention after permissions change.

Key Considerations:

• Non-bypassability: The security enforcement mechanism must be placed in a manner that makes it impossible for an attacker to evade access controls.

• Performance vs. Security: While caching access decisions can enhance performance, it introduces risks if permissions change and cached decisions are not invalidated.

• Trust Boundaries: Security checks should always be performed in an environment that the system owner fully controls. Running checks in an untrusted environment increases the risk of bypassing security measures.

Some common warning signs of an insecure implementation includes

• Performing security-relevant input validation on a client-side system without rechecking on a trusted server.

• Storing sensitive data in a location an attacker can modify (e.g., relying on client-side authentication tokens without proper expiration and verification).

• Implementing access control via obfuscation instead of robust security enforcement mechanisms.

• Relying on weak network protocols or not enforcing encryption for sensitive communications.

Best Practices

By strictly enforcing complete mediation, organizations can prevent unauthorized access and mitigate the risk of security breaches resulting from circumvented security mechanisms.

• Enforce Access Control on the Server-Side: Ensure all access checks are executed in a controlled, secure environment.

• Invalidate Cached Permissions When Changes Occur: Implement mechanisms to refresh access control decisions dynamically.

• Secure Communication Channels: Use end-to-end encryption to prevent interception and tampering.

• Minimize Trust in Untrusted Systems: Assume client-side security can be bypassed and validate all security-sensitive actions on a trusted platform.

• Adopt Defense-in-Depth: Layer multiple security controls to mitigate the risk of bypassing a single security measure.

This principle states that the security mechanisms should be as simple as possible while still being effective. Complex systems increase the likelihood of errors, misconfigurations, and vulnerabilities, making security harder to manage and verify. 

While modern software requires extensive functionality, security-critical elements should remain minimal and straightforward. Simplicity enhances security by reducing attack surfaces, improving maintainability, and facilitating thorough security reviews. A well-designed security system should be easy to understand, implement, and audit.

Implementation best practices

• Keep It Simple: Design security controls that are easy to understand, implement, and maintain.

• Reduce Dependencies: Minimize reliance on third-party libraries, complex integrations, or unnecessary frameworks.

• Use Secure Defaults: Provide straightforward, secure configurations out of the box to prevent misconfigurations.

• Conduct Regular Security Reviews: Ensure that security mechanisms remain simple, effective, and aligned with best practices.

• Automate Where Possible: Reduce human error by automating security controls and monitoring.

Security should not rely on secrecy of design or implementation. Instead, systems should be built on well-vetted, publicly reviewed security principles and mechanisms. Security by obscurity is not a reliable defense.

An open security design assumes that attackers have full knowledge of the system’s architecture and implementation. True security comes from strong cryptographic algorithms, robust access controls, and well-implemented security policies—not from hiding the system's inner workings. Transparency allows for peer review, continuous improvement, and trust in the system’s integrity.

Implementation best practices

• Follow Established Security Standards: Use open, well-tested security models and algorithms.

• Encourage Security Audits: Allow independent security professionals to review and test security mechanisms.

• Use Open Security Protocols: Rely on widely accepted cryptographic and communication security protocols.

• Separate Security from Confidentiality: Design security mechanisms to remain effective even if an attacker understands their inner workings.

• Promote Responsible Disclosure: Have a process for reporting and fixing security vulnerabilities transparently.

Fail-safe defaults ensure that security is maintained even when unexpected failures occur. If a system component fails, it should not automatically permit access or assume trust. Instead, it should restrict access until the issue is resolved. This principle minimizes the risk of unauthorized access due to system errors, misconfigurations, or outages.

Implementation best practices

• Explicitly Deny Access by Default: Ensure that all access control mechanisms enforce the deny-by-default model.

• Secure Authentication Failures: If authentication fails or the service is unavailable, do not allow access.

• Handle Errors Securely: If an unexpected failure occurs, do not assume security checks have passed—treat them as failed and restrict access.

• Ensure Secure System Recovery: When recovering from failures, verify security configurations before restoring full operations.

• Regularly Test Failure Scenarios: Conduct security testing and incident response drills to confirm that failures do not introduce vulnerabilities.

Separation of privilege reduces the risk of unauthorized access and privilege escalation by requiring multiple independent conditions for high-impact actions. Instead of relying on a single decision point, access should depend on multiple factors, such as different user roles, multi-party approval, or multi-factor authentication (MFA).

Implementation best practices

• Enforce Multi-Factor Authentication (MFA): Protect privileged accounts with strong authentication measures.

• Implement Dual Control for Critical Actions: Require approvals from multiple authorized users for high-risk operations.

• Use Role-Based or Attribute-Based Access Control (RBAC/ABAC): Assign access based on user roles, job functions, and contextual attributes.

• Apply Separation of Duties (SoD): Ensure that different individuals handle request, approval, and execution processes.

• Audit and Monitor Privileged Access: Log and regularly review privileged actions to detect anomalies and enforce accountability.

The Least Common Mechanism principle states that system components should avoid sharing state, memory, or resources unless absolutely necessary. Shared mechanisms can become attack surfaces, allowing one compromised user or process to affect others. By reducing shared dependencies, security risks such as privilege escalation, data leakage, and side-channel attacks are minimized.

So, systems should be designed to minimize shared resources between users, processes, or components to reduce the risk of unauthorized access, unintended interactions, and security breaches.

Implementation best practices

• Isolate Processes and Services: Ensure that different applications or services run in isolated execution environments.

• Enforce Individual User Sessions: Users should not share active sessions or temporary credentials.

• Reduce Dependence on Shared Resources: Minimize common mechanisms that process requests for multiple users.

• Restrict Privileges on Shared Services: Ensure that any shared components operate with least privilege to limit risk exposure.

• Regularly Review Shared Infrastructure Risks: Continuously evaluate and mitigate security risks associated with shared mechanisms.

This principle emphasizes that security controls should be easy to understand, use, and comply with. If security measures are too complex, users may attempt to bypass them, leading to weaker overall security. A balance must be maintained between security and usability to ensure user cooperation and adherence to security policies.

So, security mechanisms should be designed to be as seamless and non-intrusive as possible, ensuring they do not create unnecessary burdens for users.

Implementation best practices

• Design Security for Usability: Security should be intuitive and not require excessive effort from users.

• Use Risk-Based Authentication: Reduce unnecessary MFA challenges while maintaining security integrity.

• Balance Security and Productivity: Avoid forcing security mechanisms that disrupt normal work processes.

• Educate Users Without Overwhelming Them: Provide just-in-time security education rather than excessive, lengthy training sessions.

• Implement Security by Default: Where possible, security should be built-in and automatic rather than optional or user-dependent.

Never trust, always verify—Zero Trust is a security model that assumes no implicit trust for any user, device, or system, whether inside or outside the organization's network. Access is granted based on continuous verification, least privilege, and strict segmentation.

Zero Trust eliminates the outdated notion of a secure perimeter by enforcing identity verification, access controls, and continuous monitoring for every request, regardless of the request's origin. Security decisions are made based on real-time risk assessments rather than assumed trust.

Implementation best practices

• Enforce Identity-Centric Security: Implement MFA, conditional access policies, and strong authentication methods.

• Minimize Trust Levels: Adopt least privilege and role-based access control (RBAC) for users and workloads.

• Segment and Isolate Sensitive Systems: Prevent unrestricted lateral movement by micro-segmenting critical assets.

• Monitor and Analyze Security Events in Real-Time: Use SIEM, UEBA, and XDR solutions for proactive threat detection.

• Automate Security Policies: Use policy-based access enforcement that adapts dynamically to user behavior and risk levels.

The attack surface is the sum of all points where an attacker can try to gain access to a system. Minimizing this surface reduces the potential entry points for malicious actors, thereby reducing the likelihood of successful attacks.

Minimizing the attack surface involves identifying and eliminating unnecessary components, services, or permissions within a system or network. By reducing the number of accessible points, organizations can limit the vectors through which an attack can occur. The goal is to ensure that only the essential parts of a system are exposed to users, while all unnecessary or vulnerable components are tightly controlled or removed.

Implementation best practices

• Perform Regular Security Audits: Continuously review and assess the system to identify and eliminate unnecessary open ports, services, and permissions.

• Implement Network Segmentation: Divide the network into smaller, isolated zones to restrict access and reduce the spread of attacks.

• Limit External Interfaces: Reduce the number of exposed external-facing components, such as public-facing APIs or unnecessary services, by implementing firewalls and reverse proxies.

• Use Configuration Management Tools: Leverage tools like Ansible, Chef, or Puppet to automate and enforce configurations that reduce the attack surface.

• Ensure Proper Patch Management: Apply security patches promptly to known vulnerabilities in all components of the system, including operating systems, applications, and third-party software.

Security by obscurity refers to relying on the secrecy of design, code, or implementation as the primary method of securing a system. This practice is inadequate because once the obscurity is discovered, the system can be easily exploited. True security is achieved through robust and transparent security mechanisms, not by hiding or masking details.

Avoiding security by obscurity means that security should not depend on keeping the details of a system secret. Instead, security should be based on well-established, publicly reviewed, and proven mechanisms that withstand adversarial examination. While hiding certain information can sometimes help reduce immediate risks, it should not be considered a primary defense strategy. Security mechanisms should be strong enough to function effectively even when their internal workings are fully known.

Implementation best practices

• Use Open Standards and Protocols: Ensure your security mechanisms, such as encryption, authentication, and access controls, are based on open, tested, and widely adopted standards.

• Conduct Regular Security Audits and Penetration Testing: Continuously test and validate your security defenses against adversaries and industry standards.

• Educate and Train Staff on Transparent Security Practices: Ensure all stakeholders are aware of the importance of security mechanisms being robust, transparent, and resilient.

• Focus on Robust Defense Mechanisms: Emphasize secure design principles such as defense-in-depth, least privilege, and continuous monitoring over hiding system details.

• Encourage Peer Reviews and Community Collaboration: Involve the broader security community in reviewing your security design, protocols, and mechanisms to identify weaknesses and improvements.

Security issues should be addressed comprehensively and correctly, rather than implementing temporary, quick fixes that might leave systems vulnerable or incomplete.

Fixing security issues correctly means addressing the root cause of vulnerabilities, applying appropriate patches or configurations, and ensuring that fixes do not introduce new problems. Security fixes should be part of a holistic approach, where each vulnerability is thoroughly understood, and the solution is integrated into the broader security posture of the organization. Quick fixes may seem like a fast solution, but they often fail to address underlying weaknesses and can create additional risks.

Implementation best practices

• Perform Root Cause Analysis: Investigate and resolve the underlying cause of the vulnerability, rather than implementing surface-level fixes.

• Test Fixes Before Deployment: Ensure all patches and fixes are tested in a controlled environment to ensure they work correctly and do not introduce new problems.

• Validate Fixes and Monitor Systems: After fixing security issues, validate that the issue has been fully resolved and monitor the system for any signs of recurrence.

• Implement Automated Security Patching: Use automated patch management tools to streamline the process of patching known vulnerabilities, while maintaining a manual review process for critical systems.

• Update and Document Changes: Maintain detailed records of all security fixes, including who applied them, when, and why, so that all team members can stay informed and systems can be properly maintained.

Defense in depth ensures that an attacker must bypass multiple independent security controls to achieve their objective, thereby reducing the likelihood of a full breach. Each layer of defense compensates for potential weaknesses in other layers.

Implementation best practices

• Implement Multiple Layers of Security: Use firewalls, intrusion detection systems, endpoint protection, and behavioral analytics.

• Segment and Restrict Access: Reduce attack surfaces by implementing zero-trust principles and least privilege access.

• Ensure Security Redundancy: Have backup security controls to mitigate failures in primary mechanisms.

• Monitor and Adapt: Continuously review and refine security layers to address emerging threats.

• Educate and Train Personnel: Ensure that staff understands layered defense principles and adheres to security policies.