Immutable Laws of Security
The 10 Immutable Laws of Security were first published on Microsoft TechNet in 2000.
A screen saver based on them was also released at that time (in 2001). The original version reads:
- Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
- Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
- Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
- Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
- Law #5: Weak passwords trump strong security
- Law #6: A computer is only as secure as the administrator is trustworthy
- Law #7: Encrypted data is only as secure as the decryption key
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
- Law #9: Absolute anonymity isn’t practical, in real life or on the Web
- Law #10: Technology is not a panacea
Below is version 2.0 (released on Aug 2, 2017), which is maintained by the Microsoft Security Response Center:
- Law #1: If a bad actor can persuade you to run their program on your computer, it’s not solely your computer anymore.
- Law #2: If a bad actor can alter the operating system on your computer, it’s not your computer anymore.
- Law #3: If a bad actor has unrestricted physical access to your computer, it’s not your computer anymore.
- Law #4: If you allow a bad actor to run active content in your website, it’s not your website anymore.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as its decryption key.
- Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
- Law #9: Absolute anonymity isn’t practically achievable, online or offline.
- Law #10: Technology isn’t a panacea.
Links
- The immutable laws of security (ver 2.0)
- 10 Immutable Laws of Security (ver 1.0)
