Challenging the 10 Immutable Laws of Security

  • Article

You probably know them: The 10 Immutable Laws of Security, we published I think around 2000 and they were often cited. They are:

  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
  • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
  • Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
  • Law #5: Weak passwords trump strong security
  • Law #6: A computer is only as secure as the administrator is trustworthy
  • Law #7: Encrypted data is only as secure as the decryption key
  • Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
  • Law #9: Absolute anonymity isn't practical, in real life or on the Web
  • Law #10: Technology is not a panacea

Now Jesper Johansson (who formerly worked for Microsoft) started to look into them and is wondering how the changed landscape as well as the changed technology impacts these laws. He started with the first 3 and it is definitely worth to have a look at his essay:

Security Watch Revisiting the 10 Immutable Laws of Security, Part 1

Roger