Today I’d like to recommend reading, or at least scanning, Security Maxims by Roger G. Johnston, Ph.D., CPP. It appears on the website for the Argonne National Laboratory and was brought to my attention by the Security Now podcast.
As noted by the author, they were written with physical security in mind but are certainly applicable to computer security as well.
A few highlights:
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong.
Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product.
Weakest Link Maxim: The efficacy of security is determined more by what is done wrong than by what is done right.
I Just Work Here Maxim: No salesperson, engineer, or executive of a company that sells or designs security products or services is prepared to answer a significant question about vulnerabilities, and few potential customers will ever ask them one.
There are a lot more. Read the rest.