Ten Immutable Laws Of Security (Version 2.0)


You may have known the 10 Immutable Laws of Security for quite a while. They are the "collected non-technical wisdom" of what we see in security response, be it in the Microsoft Security Response Center or in our Security Product Support.

There is now a version 2.0, which is just as relevant as version 1 was. The 10 Laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn’t practically achievable, online or offline.
Law #10: Technology is not a panacea.

Just make sure that you keep them in mind – there is no "patch" for them. The full set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

Roger

Comments (5)

  1. Anonymous says:

    thank you

  2. Ajedi32 says:

    1. So what about sandboxed code, or code running in a VM?
    4. Same as 1, this may not necessarily apply to sandboxed content.

  3. Gene says:

    @ajedi32, running inside a VM isn't the same as #1. It's not really 'your computer' but a 'guest' computer.

  4. Anonymous says:

    Recently I came across a cute hack to reset a Windows 7 password; someone shared it with me, saying

  5. Ajedi32 says:

    @Gene So "if a bad guy can persuade you to run his program on your VM, then it’s not solely your VM anymore"? 😉 Makes sense.