Immutable Laws of Security
The 10 Immutable Laws of Security were first published on Microsoft TechNet in 2000, and a screen saver based on them was released in 2001. The original version 1.0 laws are:
- Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
- Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
- Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
- Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
- Law #5: Weak passwords trump strong security
- Law #6: A computer is only as secure as the administrator is trustworthy
- Law #7: Encrypted data is only as secure as the decryption key
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
- Law #9: Absolute anonymity isn’t practical, in real life or on the Web
- Law #10: Technology is not a panacea
Below is version 2.0 (released on Aug 2, 2017), which is maintained by the Microsoft Security Response Center:
- Law #1: If a bad actor can persuade you to run their program on your computer, it’s not solely your computer anymore.
- Law #2: If a bad actor can alter the operating system on your computer, it’s not your computer anymore.
- Law #3: If a bad actor has unrestricted physical access to your computer, it’s not your computer anymore.
- Law #4: If you allow a bad actor to run active content in your website, it’s not your website anymore.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as its decryption key.
- Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
- Law #9: Absolute anonymity isn’t practically achievable, online or offline.
- Law #10: Technology isn’t a panacea.
Links
- The immutable laws of security (ver 2.0)
- 10 Immutable Laws of Security (ver 1.0)