Security Design Principles

- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Auditing and Logging

• Audit and log access across application tiers.
• Consider identity flow.
• Log key events.
• Protect log files.
• Back up and analyze log files regularly.

Authentication

• Separate public and restricted areas.
• Use account lockout policies for end-user accounts.
• Support password expiration periods.
• Be able to disable accounts.
• Do not store passwords in user stores.
• Require strong passwords.
• Do not send passwords over the wire in plaintext.
• Protect authentication cookies.

Authorization

• Use multiple gatekeepers.
• Restrict user access to system-level resources.
• Consider authorization granularity.

Configuration Management

• Protect your administration interfaces.
• Protect your configuration store.
• Maintain separate administration privileges.
• Use least privileged process and service accounts.

Cryptography

• Do not develop your own cryptography.
• Keep unencrypted data close to the algorithm.
• Use the correct algorithm and correct key size.
• Protect your encryption keys.

Exception Management

• Do not leak information to the client.
• Log detailed error messages.
• Catch exceptions.

Input/Data Validation

• Assume all input is malicious.
• Centralize your approach.
• Do not rely on client-side validation.
• Be careful with canonicalization issues.
• Constrain, reject, and sanitize your input.
• Encrypt sensitive cookie state.
• Make sure that users do not bypass your checks.
• Validate all values sent from the client.
• Do not trust HTTP header information.

Sensitive Data

• Do not store secrets if you can avoid it.
• Do not store secrets in code.
• Do not store database connections, passwords, or keys in plaintext.
• Avoid storing secrets in the Local Security Authority (LSA).
• Use Data Protection API (DPAPI) for encrypting secrets.
• Retrieve sensitive data on demand.
• Encrypt the data or secure the communication channel.
• Do not store sensitive data in persistent cookies.
• Do not pass sensitive data using the HTTP-GET protocol.

Session Management

• Use SSL to protect session authentication cookies.
• Encrypt the contents of the authentication cookies.
• Limit session lifetime.
• Protect session state from unauthorized access.

See Also

• Security Principles