Security Mantras and Metaphors

After reading Alik Levin's Security Language That Everyone Understands and Michael Howard's Security Analogies are usually Wrong, I reflected on some mantras and metaphors our team found helpful during our various security adventures:

  • Know your threats.  If you know what you're up against, you can apply more relevant countermeasures as well as make better trade-off decisions.
  • Secure the network, host and application - this was our team's attempt to bridge the gap between app + infrastructure, and catch the security issues that fall through the cracks.
  • Bake security into your application life cycle - we used this a lot when we met with customers while building Improving Web Application Security: Threats and Countermeasures.  I wanted to convey systematic and repeatable as well as to think in terms of life cycle practices.  It became our favorite hallway sound bite.

I've found these helpful too:

  • You're only as secure as your weakest link - this always raises the question, how do you find your weakest link?  I think the trick is actually doing a threat model and a fault tree model, then figuring out the weakest links among the paths that matter most.
  • Defend your code.  Some developers like this one because it's proactive and empowering.
  • Design for securability.  I see securability described on MSDN, but I think more in terms of baking in the ability to improve the security posture or reduce the attack surface.

As with any verbiage or mental models, their usefulness varies and really depends on the context.  I like keeping my toolbelt full of options so I can choose what's most useful for the job at hand.  I do have some more favorites, but I'll save those for another day.