- Security and complexity are often inversely
- Security and usability are often inversely
- Security is an investment, not an expense.
- "Good enough" security now is better than "perfect" security... never.
- There is no such thing as “complete security” in a usable system.
- A false sense of security is worse than a true sense of insecurity.
- Your absolute security is only as strong as your weakest link.
- Concentrate on known, probable threats.
- Security is directly related to the education and ethics of your users.
- Security is not a static end state, it is an interactive
- There are few forces in the universe stronger than the desire of an individual to get his or her job accomplished.
- Security is a people problem. Corollary: People cause security problems, they don't just happen. (Submitted by Bret Watson.)
- You only get to pick two: fast, secure, cheap.
- Snyder's Razor: In the absence of other factors, always use the most secure options available. (You are either serious about security, or you're just fooling around.) (Dr. Joel Snyder)
- Security ultimately relies - and fails - on the degree to which you are thorough. People don't like to be thorough. It gets in the way of being done. (Dave Piscitello)
- The cost of security is nothing compared to the cost of exploitation. Corollary: The cost of an education is nothing compared to the cost of ignorance.
- "I give you integers: go forth and multiply! And then expect overflow more than 9 times out of 10."
- Build your security policy around the "pain point" of "acceptable loss." You don't want to lose anything, but what are you willing to lose?
- The cost of your security mitigators and measures should be related to the value of what you are trying to protect.
False Dogma (aka
- Security through obscurity is wrong.
- Security must (should) be 100%.
- Don't use security to fix social problems.
- If you can't trust your own employees, you have bigger problems than Internet threats. (Implication: What's wrong with your company?)
- We can always add security later. (Dave Piscitello)
- "We have special requirements. We don't have resources for these security measures." (That's why we are 5-10 years behind the others to add? Send them to